feat(api): only load tenant required for each table

Assisted-By: Codex:GPT-5.4

.github/dependabot.yml

@@ -110,114 +110,3 @@ updates:
       github-actions-dependencies:
         patterns:
           - "*"
-  - package-ecosystem: "uv"
-    directory: "/api"
-    target-branch: "lts/1.13.x"
-    open-pull-requests-limit: 10
-    schedule:
-      interval: "weekly"
-    groups:
-      flask:
-        patterns:
-          - "flask"
-          - "flask-*"
-          - "werkzeug"
-          - "gunicorn"
-      google:
-        patterns:
-          - "google-*"
-          - "googleapis-*"
-      opentelemetry:
-        patterns:
-          - "opentelemetry-*"
-      pydantic:
-        patterns:
-          - "pydantic"
-          - "pydantic-*"
-      llm:
-        patterns:
-          - "langfuse"
-          - "langsmith"
-          - "litellm"
-          - "mlflow*"
-          - "opik"
-          - "weave*"
-          - "arize*"
-          - "tiktoken"
-          - "transformers"
-      database:
-        patterns:
-          - "sqlalchemy"
-          - "psycopg2*"
-          - "psycogreen"
-          - "redis*"
-          - "alembic*"
-      storage:
-        patterns:
-          - "boto3*"
-          - "botocore*"
-          - "azure-*"
-          - "bce-*"
-          - "cos-python-*"
-          - "esdk-obs-*"
-          - "google-cloud-storage"
-          - "opendal"
-          - "oss2"
-          - "supabase*"
-          - "tos*"
-      vdb:
-        patterns:
-          - "alibabacloud*"
-          - "chromadb"
-          - "clickhouse-*"
-          - "clickzetta-*"
-          - "couchbase"
-          - "elasticsearch"
-          - "opensearch-py"
-          - "oracledb"
-          - "pgvect*"
-          - "pymilvus"
-          - "pymochow"
-          - "pyobvector"
-          - "qdrant-client"
-          - "intersystems-*"
-          - "tablestore"
-          - "tcvectordb"
-          - "tidb-vector"
-          - "upstash-*"
-          - "volcengine-*"
-          - "weaviate-*"
-          - "xinference-*"
-          - "mo-vector"
-          - "mysql-connector-*"
-      dev:
-        patterns:
-          - "coverage"
-          - "dotenv-linter"
-          - "faker"
-          - "lxml-stubs"
-          - "basedpyright"
-          - "ruff"
-          - "pytest*"
-          - "types-*"
-          - "boto3-stubs"
-          - "hypothesis"
-          - "pandas-stubs"
-          - "scipy-stubs"
-          - "import-linter"
-          - "celery-types"
-          - "mypy*"
-          - "pyrefly"
-      python-packages:
-        patterns:
-          - "*"
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    target-branch: "lts/1.13.x"
-    open-pull-requests-limit: 5
-    schedule:
-      interval: "weekly"
-    groups:
-      github-actions-dependencies:
-        patterns:
-          - "*"

.github/workflows/cli-tests.yml

@@ -15,12 +15,8 @@ concurrency:
 
 jobs:
   test:
-    name: CLI Tests (${{ matrix.os }})
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [depot-ubuntu-24.04, windows-latest, macos-latest]
+    name: CLI Tests
+    runs-on: depot-ubuntu-24.04
     env:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     defaults:
@@ -41,7 +37,7 @@ jobs:
         run: pnpm ci
 
       - name: Report coverage
-        if: ${{ env.CODECOV_TOKEN != '' && matrix.os == 'depot-ubuntu-24.04' }}
+        if: ${{ env.CODECOV_TOKEN != '' }}
         uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           directory: cli/coverage

.gitignore

@@ -257,5 +257,5 @@ scripts/stress-test/reports/
 
 # Code Agent Folder
 .qoder/*
-.context/
+.context/*
 .eslintcache

api/clients/agent_backend/__init__.py

@@ -30,23 +30,19 @@ from clients.agent_backend.factory import create_agent_backend_run_client
 from clients.agent_backend.fake_client import FakeAgentBackendRunClient, FakeAgentBackendScenario
 from clients.agent_backend.request_builder import (
     AGENT_SOUL_PROMPT_LAYER_ID,
-    DIFY_EXECUTION_CONTEXT_LAYER_ID,
-    DIFY_PLUGIN_TOOLS_LAYER_ID,
+    DIFY_PLUGIN_CONTEXT_LAYER_ID,
     WORKFLOW_NODE_JOB_PROMPT_LAYER_ID,
     WORKFLOW_USER_PROMPT_LAYER_ID,
     AgentBackendModelConfig,
     AgentBackendOutputConfig,
     AgentBackendRunRequestBuilder,
     AgentBackendWorkflowNodeRunInput,
-    CleanupLayerSpec,
-    extract_cleanup_layer_specs,
     redact_for_agent_backend_log,
 )
 
 __all__ = [
     "AGENT_SOUL_PROMPT_LAYER_ID",
-    "DIFY_EXECUTION_CONTEXT_LAYER_ID",
-    "DIFY_PLUGIN_TOOLS_LAYER_ID",
+    "DIFY_PLUGIN_CONTEXT_LAYER_ID",
     "WORKFLOW_NODE_JOB_PROMPT_LAYER_ID",
     "WORKFLOW_USER_PROMPT_LAYER_ID",
     "AgentBackendError",
@@ -70,11 +66,9 @@ __all__ = [
     "AgentBackendTransportError",
     "AgentBackendValidationError",
     "AgentBackendWorkflowNodeRunInput",
-    "CleanupLayerSpec",
     "DifyAgentBackendRunClient",
     "FakeAgentBackendRunClient",
     "FakeAgentBackendScenario",
     "create_agent_backend_run_client",
-    "extract_cleanup_layer_specs",
     "redact_for_agent_backend_log",
 ]

api/clients/agent_backend/fake_client.py

@@ -20,8 +20,6 @@ from dify_agent.protocol import (
     RunEvent,
     RunFailedEvent,
     RunFailedEventData,
-    RunPausedEvent,
-    RunPausedEventData,
     RunStartedEvent,
     RunStatusResponse,
     RunSucceededEvent,
@@ -36,7 +34,6 @@ class FakeAgentBackendScenario(StrEnum):
 
     SUCCESS = "success"
     FAILED = "failed"
-    PAUSED = "paused"
 
 
 class FakeAgentBackendRunClient:
@@ -92,13 +89,6 @@ class FakeAgentBackendRunClient:
                     updated_at=_FIXED_TIME,
                     error="fake failure",
                 )
-            case FakeAgentBackendScenario.PAUSED:
-                return RunStatusResponse(
-                    run_id=run_id,
-                    status="paused",
-                    created_at=_FIXED_TIME,
-                    updated_at=_FIXED_TIME,
-                )
 
     def _events(self, run_id: str) -> tuple[RunEvent, ...]:
         match self.scenario:
@@ -125,17 +115,3 @@ class FakeAgentBackendRunClient:
                         data=RunFailedEventData(error="fake failure", reason="unit_test"),
                     ),
                 )
-            case FakeAgentBackendScenario.PAUSED:
-                return (
-                    RunStartedEvent(id="1-0", run_id=run_id, created_at=_FIXED_TIME),
-                    RunPausedEvent(
-                        id="2-0",
-                        run_id=run_id,
-                        created_at=_FIXED_TIME,
-                        data=RunPausedEventData(
-                            reason="human_input_required",
-                            message="Agent requested human input.",
-                            session_snapshot=CompositorSessionSnapshot(layers=[]),
-                        ),
-                    ),
-                )

api/clients/agent_backend/request_builder.py

@@ -4,37 +4,29 @@ This module is intentionally an adapter, not a wire DTO package. The emitted
 object is always ``dify_agent.protocol.CreateRunRequest`` so the Agent backend
 protocol has a single owner. API-only context such as Agent Soul vs workflow job
 prompt is preserved in layer names and metadata until the dedicated product
-schemas land in later phases. Dify-owned execution identifiers are emitted as an
-explicit ``dify.execution_context`` layer so the run request stays fully
-composition-driven.
+schemas land in later phases.
 """
 
 from __future__ import annotations
 
-from typing import ClassVar, cast
+from typing import ClassVar
 
 from agenton.compositor import CompositorSessionSnapshot
-from agenton.compositor.schemas import LayerSessionSnapshot
 from agenton.layers import ExitIntent
 from agenton_collections.layers.plain import PLAIN_PROMPT_LAYER_TYPE_ID, PromptLayerConfig
-from agenton_collections.layers.pydantic_ai import PYDANTIC_AI_HISTORY_LAYER_TYPE_ID
 from dify_agent.layers.dify_plugin import (
+    DIFY_PLUGIN_LAYER_TYPE_ID,
     DIFY_PLUGIN_LLM_LAYER_TYPE_ID,
-    DIFY_PLUGIN_TOOLS_LAYER_TYPE_ID,
     DifyPluginCredentialValue,
+    DifyPluginLayerConfig,
     DifyPluginLLMLayerConfig,
-    DifyPluginToolsLayerConfig,
-)
-from dify_agent.layers.execution_context import (
-    DIFY_EXECUTION_CONTEXT_LAYER_TYPE_ID,
-    DifyExecutionContextLayerConfig,
 )
 from dify_agent.layers.output import DIFY_OUTPUT_LAYER_TYPE_ID, DifyOutputLayerConfig
 from dify_agent.protocol import (
-    DIFY_AGENT_HISTORY_LAYER_ID,
     DIFY_AGENT_MODEL_LAYER_ID,
     DIFY_AGENT_OUTPUT_LAYER_ID,
     CreateRunRequest,
+    ExecutionContext,
     LayerExitSignals,
     RunComposition,
     RunLayerSpec,
@@ -45,94 +37,17 @@ from pydantic import BaseModel, ConfigDict, Field, JsonValue, field_validator
 AGENT_SOUL_PROMPT_LAYER_ID = "agent_soul_prompt"
 WORKFLOW_NODE_JOB_PROMPT_LAYER_ID = "workflow_node_job_prompt"
 WORKFLOW_USER_PROMPT_LAYER_ID = "workflow_user_prompt"
-DIFY_EXECUTION_CONTEXT_LAYER_ID = "execution_context"
-DIFY_PLUGIN_TOOLS_LAYER_ID = "tools"
-
-# Layer types that hold credentials in their per-run config. These are excluded
-# from the cleanup-replay composition (and from the snapshot that is sent with
-# the cleanup request) because we deliberately do not persist plaintext
-# credentials between runs.
-_CLEANUP_EXCLUDED_LAYER_TYPES: tuple[str, ...] = (
-    DIFY_PLUGIN_LLM_LAYER_TYPE_ID,
-    DIFY_PLUGIN_TOOLS_LAYER_TYPE_ID,
-)
-
-
-class CleanupLayerSpec(BaseModel):
-    """One layer node replayed by an Agent backend cleanup-only run.
-
-    Cleanup composition cannot include credential-bearing plugin layers, so we
-    persist only the non-plugin layer specs together with the original config.
-    Storing the config (rather than just ``name``/``type``) means cleanup does
-    not depend on the original build-time inputs being re-derivable.
-    """
-
-    name: str
-    type: str
-    deps: dict[str, str] = Field(default_factory=dict)
-    metadata: dict[str, JsonValue] = Field(default_factory=dict)
-    config: JsonValue = None
-
-    model_config: ClassVar[ConfigDict] = ConfigDict(extra="forbid")
-
-
-def extract_cleanup_layer_specs(composition: RunComposition) -> list[CleanupLayerSpec]:
-    """Project the in-flight composition into the persistable cleanup spec list.
-
-    Plugin layers are intentionally dropped (their configs hold credentials and
-    the lifecycle contract says "do not include an LLM layer" during cleanup).
-    The filtered names must later drive snapshot filtering so the agenton
-    compositor's name-order check still passes for the cleanup run.
-    """
-    excluded = set(_CLEANUP_EXCLUDED_LAYER_TYPES)
-    specs: list[CleanupLayerSpec] = []
-    for layer in composition.layers:
-        if layer.type in excluded:
-            continue
-        config_value: JsonValue = None
-        if isinstance(layer.config, BaseModel):
-            config_value = layer.config.model_dump(mode="json", warnings=False)
-        else:
-            # ``RunLayerSpec.config`` is typed as ``LayerConfigInput`` which
-            # includes ``Mapping[str, object] | bytes``. In the cleanup-replay
-            # pipeline our builder only emits BaseModel-derived configs or
-            # ``None``, so the wider input alias narrows safely here.
-            config_value = cast(JsonValue, layer.config)
-        specs.append(
-            CleanupLayerSpec(
-                name=layer.name,
-                type=layer.type,
-                deps=dict(layer.deps),
-                metadata=dict(layer.metadata),
-                config=config_value,
-            )
-        )
-    return specs
-
-
-def _filter_snapshot_to_specs(
-    snapshot: CompositorSessionSnapshot,
-    specs: list[CleanupLayerSpec],
-) -> CompositorSessionSnapshot:
-    """Keep only snapshot layers whose names appear in the cleanup spec list.
-
-    The agenton compositor rejects a snapshot whose layer-name sequence does
-    not match the active composition exactly. Cleanup-replay drops plugin
-    layers, so we must drop the matching snapshot entries here.
-    """
-    kept_names = {spec.name for spec in specs}
-    filtered_layers: list[LayerSessionSnapshot] = [layer for layer in snapshot.layers if layer.name in kept_names]
-    if len(filtered_layers) == len(snapshot.layers):
-        return snapshot
-    return CompositorSessionSnapshot(schema_version=snapshot.schema_version, layers=filtered_layers)
+DIFY_PLUGIN_CONTEXT_LAYER_ID = "plugin"
 
 
 class AgentBackendModelConfig(BaseModel):
     """API-side model/plugin selection before it is converted to Dify Agent layers."""
 
+    tenant_id: str
     plugin_id: str
     model_provider: str
     model: str
+    user_id: str | None = None
     credentials: dict[str, DifyPluginCredentialValue] = Field(default_factory=dict)
     model_settings: dict[str, JsonValue] = Field(default_factory=dict)
 
@@ -158,17 +73,15 @@ class AgentBackendWorkflowNodeRunInput(BaseModel):
     """Inputs needed to build the first workflow-node-oriented Agent backend run request."""
 
     model: AgentBackendModelConfig
-    execution_context: DifyExecutionContextLayerConfig
+    execution_context: ExecutionContext
     workflow_node_job_prompt: str
     user_prompt: str
     agent_soul_prompt: str | None = None
     purpose: RunPurpose = "workflow_node"
     idempotency_key: str | None = None
     output: AgentBackendOutputConfig | None = None
-    tools: DifyPluginToolsLayerConfig | None = None
     session_snapshot: CompositorSessionSnapshot | None = None
-    include_history: bool = True
-    suspend_on_exit: bool = True
+    suspend_on_exit: bool = False
     metadata: dict[str, JsonValue] = Field(default_factory=dict)
 
     model_config: ClassVar[ConfigDict] = ConfigDict(extra="forbid", arbitrary_types_allowed=True)
@@ -184,50 +97,6 @@ class AgentBackendWorkflowNodeRunInput(BaseModel):
 class AgentBackendRunRequestBuilder:
     """Converts API product state into the public ``dify-agent`` run protocol."""
 
-    def build_cleanup_request(
-        self,
-        *,
-        session_snapshot: CompositorSessionSnapshot,
-        composition_layer_specs: list[CleanupLayerSpec],
-        idempotency_key: str | None = None,
-        metadata: dict[str, JsonValue] | None = None,
-    ) -> CreateRunRequest:
-        """Build a lifecycle-only cleanup request that replays the prior layers.
-
-        The agenton compositor enforces that the session snapshot's layer names
-        match the active composition in order, so cleanup must replay the same
-        non-plugin layer graph that produced the snapshot. Plugin layers
-        (``dify.plugin.llm``, ``dify.plugin.tools``) are excluded from both the
-        composition and the snapshot before submission because their configs
-        require credentials that are not persisted between runs.
-        """
-        if not composition_layer_specs:
-            raise ValueError(
-                "build_cleanup_request requires composition_layer_specs; an empty "
-                "composition would fail the agent backend's snapshot validation."
-            )
-        request_metadata = dict(metadata or {})
-        request_metadata["agent_backend_lifecycle"] = "session_cleanup"
-        layers = [
-            RunLayerSpec(
-                name=spec.name,
-                type=spec.type,
-                deps=dict(spec.deps),
-                metadata=dict(spec.metadata),
-                config=spec.config,
-            )
-            for spec in composition_layer_specs
-        ]
-        filtered_snapshot = _filter_snapshot_to_specs(session_snapshot, composition_layer_specs)
-        return CreateRunRequest(
-            composition=RunComposition(layers=layers),
-            purpose="workflow_node",
-            idempotency_key=idempotency_key,
-            metadata=request_metadata,
-            session_snapshot=filtered_snapshot,
-            on_exit=LayerExitSignals(default=ExitIntent.DELETE),
-        )
-
     def build_for_workflow_node(self, run_input: AgentBackendWorkflowNodeRunInput) -> CreateRunRequest:
         """Build a workflow Agent Node run request without defining another wire schema."""
         layers: list[RunLayerSpec] = []
@@ -256,32 +125,21 @@ class AgentBackendRunRequestBuilder:
                     config=PromptLayerConfig(user=run_input.user_prompt),
                 ),
                 RunLayerSpec(
-                    name=DIFY_EXECUTION_CONTEXT_LAYER_ID,
-                    type=DIFY_EXECUTION_CONTEXT_LAYER_TYPE_ID,
+                    name=DIFY_PLUGIN_CONTEXT_LAYER_ID,
+                    type=DIFY_PLUGIN_LAYER_TYPE_ID,
                     metadata=run_input.metadata,
-                    config=run_input.execution_context,
+                    config=DifyPluginLayerConfig(
+                        tenant_id=run_input.model.tenant_id,
+                        plugin_id=run_input.model.plugin_id,
+                        user_id=run_input.model.user_id,
+                    ),
                 ),
-            ]
-        )
-
-        if run_input.include_history:
-            layers.append(
-                RunLayerSpec(
-                    name=DIFY_AGENT_HISTORY_LAYER_ID,
-                    type=PYDANTIC_AI_HISTORY_LAYER_TYPE_ID,
-                    metadata={**run_input.metadata, "origin": "agent_session_history"},
-                )
-            )
-
-        layers.extend(
-            [
                 RunLayerSpec(
                     name=DIFY_AGENT_MODEL_LAYER_ID,
                     type=DIFY_PLUGIN_LLM_LAYER_TYPE_ID,
-                    deps={"execution_context": DIFY_EXECUTION_CONTEXT_LAYER_ID},
+                    deps={"plugin": DIFY_PLUGIN_CONTEXT_LAYER_ID},
                     metadata=run_input.metadata,
                     config=DifyPluginLLMLayerConfig(
-                        plugin_id=run_input.model.plugin_id,
                         model_provider=run_input.model.model_provider,
                         model=run_input.model.model,
                         credentials=run_input.model.credentials,
@@ -291,17 +149,6 @@ class AgentBackendRunRequestBuilder:
             ]
         )
 
-        if run_input.tools is not None and run_input.tools.tools:
-            layers.append(
-                RunLayerSpec(
-                    name=DIFY_PLUGIN_TOOLS_LAYER_ID,
-                    type=DIFY_PLUGIN_TOOLS_LAYER_TYPE_ID,
-                    deps={"execution_context": DIFY_EXECUTION_CONTEXT_LAYER_ID},
-                    metadata=run_input.metadata,
-                    config=run_input.tools,
-                )
-            )
-
         if run_input.output is not None:
             layers.append(
                 RunLayerSpec(
@@ -318,6 +165,7 @@ class AgentBackendRunRequestBuilder:
 
         return CreateRunRequest(
             composition=RunComposition(layers=layers),
+            execution_context=run_input.execution_context,
             purpose=run_input.purpose,
             idempotency_key=run_input.idempotency_key,
             metadata=run_input.metadata,

api/commands/data_migrate.py

@@ -79,14 +79,10 @@ def data_migrate() -> None:
     multiple=True,
     type=str,
     help=(
-        "Limit migration to specific tables. Accepts comma-separated values or repeated flags.\n"
-        "\n"
-        "Options: load_balancing_model_configs, provider_model_credentials, "
-        "provider_model_settings, provider_models, tenant_default_models.\n\n"
+        "Limit model_type migration to specific tables. Accepts comma-separated values or repeated flags. "
         "When provider_model_credentials is selected, provider_models and "
-        "load_balancing_model_configs may also be updated for credential reference rewrites.\n"
-        "\n"
-        "If unspecified, all relevant tables are migrated."
+        "load_balancing_model_configs may also be updated for credential reference rewrites."
+        "Default to: "
     ),
 )
 @click.option(
@@ -95,11 +91,8 @@ def data_migrate() -> None:
     multiple=True,
     type=str,
     help=(
-        "Canonical model types to migrate. Accepts comma-separated values or repeated flags.\n"
-        "\n"
-        "Options: llm,text-embedding,rerank\n"
-        "\n"
-        "If unspecified, all relevant legacy model types are migrated."
+        "Canonical model types to migrate. Accepts comma-separated values or repeated flags. "
+        "Defaults to: `llm,text-embedding,rerank`"
     ),
 )
 @click.option(
@@ -110,10 +103,7 @@ def data_migrate() -> None:
 @click.option(
     "--output",
     type=click.Path(dir_okay=False, resolve_path=True, path_type=Path),
-    help=(
-        "Optional file path for JSON lines event logs. Defaults to stdout.\n"
-        "It's highly recommended to save the event logs to a file and preserve it for a period of time."
-    ),
+    help="Optional file path for JSON lines event logs. Defaults to stdout.",
 )
 @click.option(
     "--concurrency",

api/configs/middleware/vdb/milvus_config.py

@@ -41,21 +41,3 @@ class MilvusConfig(BaseSettings):
         description='Milvus text analyzer parameters, e.g., {"type": "chinese"} for Chinese segmentation support.',
         default=None,
     )
-
-    MILVUS_SECURE: bool = Field(
-        description="Enable TLS for the Milvus connection (one-way TLS). When True, the client uses gRPC over TLS "
-        "and verifies the server certificate. Equivalent to passing secure=True to pymilvus.",
-        default=False,
-    )
-
-    MILVUS_SERVER_PEM_PATH: str | None = Field(
-        description="Filesystem path inside the container to the Milvus server certificate (PEM). Mount this via "
-        "a Kubernetes secret. Used as pymilvus's server_pem_path when MILVUS_SECURE is True.",
-        default=None,
-    )
-
-    MILVUS_SERVER_NAME: str | None = Field(
-        description="Server name (TLS SNI / certificate CN or SAN) to verify against the Milvus server certificate. "
-        "Required when MILVUS_SERVER_PEM_PATH is set.",
-        default=None,
-    )

api/controllers/console/__init__.py

@@ -68,7 +68,6 @@ from .app import (
     workflow_app_log,
     workflow_comment,
     workflow_draft_variable,
-    workflow_node_output_inspector,
     workflow_run,
     workflow_statistic,
     workflow_trigger,
@@ -219,7 +218,6 @@ __all__ = [
     "workflow_app_log",
     "workflow_comment",
     "workflow_draft_variable",
-    "workflow_node_output_inspector",
     "workflow_run",
     "workflow_statistic",
     "workflow_trigger",

api/controllers/console/agent/composer.py

@@ -5,7 +5,7 @@ from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
 from libs.login import current_account_with_tenant, login_required
-from models.model import App, AppMode
+from models.model import AppMode
 from services.agent.composer_service import AgentComposerService
 from services.agent.composer_validator import ComposerConfigValidator
 from services.entities.agent_entities import ComposerSavePayload
@@ -19,7 +19,7 @@ class WorkflowAgentComposerApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
-    def get(self, app_model: App, node_id: str):
+    def get(self, app_model, node_id: str):
         _, tenant_id = current_account_with_tenant()
         return AgentComposerService.load_workflow_composer(
             tenant_id=tenant_id,
@@ -33,7 +33,7 @@ class WorkflowAgentComposerApi(Resource):
     @account_initialization_required
     @edit_permission_required
     @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
-    def put(self, app_model: App, node_id: str):
+    def put(self, app_model, node_id: str):
         account, tenant_id = current_account_with_tenant()
         payload = ComposerSavePayload.model_validate(console_ns.payload or {})
         return AgentComposerService.save_workflow_composer(
@@ -52,7 +52,7 @@ class WorkflowAgentComposerValidateApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
-    def post(self, app_model: App, node_id: str):
+    def post(self, app_model, node_id: str):
         payload = ComposerSavePayload.model_validate(console_ns.payload or {})
         ComposerConfigValidator.validate_save_payload(payload)
         return {"result": "success", "errors": []}
@@ -64,7 +64,7 @@ class WorkflowAgentComposerCandidatesApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
-    def get(self, app_model: App, node_id: str):
+    def get(self, app_model, node_id: str):
         return AgentComposerService.get_workflow_candidates(app_id=app_model.id)
 
 
@@ -74,7 +74,7 @@ class WorkflowAgentComposerImpactApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
-    def post(self, app_model: App, node_id: str):
+    def post(self, app_model, node_id: str):
         _, tenant_id = current_account_with_tenant()
         payload = ComposerSavePayload.model_validate(console_ns.payload or {})
         current_snapshot_id = payload.binding.current_snapshot_id if payload.binding else None
@@ -91,7 +91,7 @@ class WorkflowAgentComposerSaveToRosterApi(Resource):
     @account_initialization_required
     @edit_permission_required
     @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
-    def post(self, app_model: App, node_id: str):
+    def post(self, app_model, node_id: str):
         account, tenant_id = current_account_with_tenant()
         payload = ComposerSavePayload.model_validate(console_ns.payload or {})
         return AgentComposerService.save_workflow_composer(
@@ -109,7 +109,7 @@ class AgentAppComposerApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model()
-    def get(self, app_model: App):
+    def get(self, app_model):
         _, tenant_id = current_account_with_tenant()
         return AgentComposerService.load_agent_app_composer(tenant_id=tenant_id, app_id=app_model.id)
 
@@ -119,7 +119,7 @@ class AgentAppComposerApi(Resource):
     @account_initialization_required
     @edit_permission_required
     @get_app_model()
-    def put(self, app_model: App):
+    def put(self, app_model):
         account, tenant_id = current_account_with_tenant()
         payload = ComposerSavePayload.model_validate(console_ns.payload or {})
         return AgentComposerService.save_agent_app_composer(
@@ -137,7 +137,7 @@ class AgentAppComposerValidateApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model()
-    def post(self, app_model: App):
+    def post(self, app_model):
         payload = ComposerSavePayload.model_validate(console_ns.payload or {})
         ComposerConfigValidator.validate_save_payload(payload)
         return {"result": "success", "errors": []}
@@ -149,5 +149,5 @@ class AgentAppComposerCandidatesApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model()
-    def get(self, app_model: App):
+    def get(self, app_model):
         return AgentComposerService.get_agent_app_candidates(app_id=app_model.id)

api/controllers/console/apikey.py

@@ -9,25 +9,18 @@ from sqlalchemy import delete, func, select
 from sqlalchemy.orm import sessionmaker
 from werkzeug.exceptions import Forbidden
 
-from controllers.common.schema import register_response_schema_models
+from controllers.common.schema import register_schema_models
 from extensions.ext_database import db
 from fields.base import ResponseModel
-from libs.helper import dump_response, to_timestamp
-from libs.login import login_required
-from models import Account
+from libs.helper import to_timestamp
+from libs.login import current_account_with_tenant, login_required
 from models.dataset import Dataset
 from models.enums import ApiTokenType
 from models.model import ApiToken, App
 from services.api_token_service import ApiTokenCache
 
 from . import console_ns
-from .wraps import (
-    account_initialization_required,
-    edit_permission_required,
-    setup_required,
-    with_current_tenant_id,
-    with_current_user,
-)
+from .wraps import account_initialization_required, edit_permission_required, setup_required
 
 
 class ApiKeyItem(ResponseModel):
@@ -47,7 +40,7 @@ class ApiKeyList(ResponseModel):
     data: list[ApiKeyItem]
 
 
-register_response_schema_models(console_ns, ApiKeyItem, ApiKeyList)
+register_schema_models(console_ns, ApiKeyItem, ApiKeyList)
 
 
 def _get_resource(resource_id, tenant_id, resource_model):
@@ -71,11 +64,10 @@ class BaseApiKeyListResource(Resource):
     token_prefix: str | None = None
     max_keys = 10
 
-    def get(self, resource_id: str, current_tenant_id: str) -> dict[str, object]:
-        return dump_response(ApiKeyList, self._get_api_key_list(resource_id, current_tenant_id))
-
-    def _get_api_key_list(self, resource_id: str, current_tenant_id: str) -> ApiKeyList:
+    def get(self, resource_id):
         assert self.resource_id_field is not None, "resource_id_field must be set"
+        resource_id = str(resource_id)
+        _, current_tenant_id = current_account_with_tenant()
 
         _get_resource(resource_id, current_tenant_id, self.resource_model)
         keys = db.session.scalars(
@@ -83,14 +75,13 @@ class BaseApiKeyListResource(Resource):
                 ApiToken.type == self.resource_type, getattr(ApiToken, self.resource_id_field) == resource_id
             )
         ).all()
-        return ApiKeyList.model_validate({"data": keys}, from_attributes=True)
+        return ApiKeyList.model_validate({"data": keys}, from_attributes=True).model_dump(mode="json")
 
     @edit_permission_required
-    def post(self, resource_id: str, current_tenant_id: str) -> tuple[dict[str, object], int]:
-        return dump_response(ApiKeyItem, self._create_api_key(resource_id, current_tenant_id)), 201
-
-    def _create_api_key(self, resource_id: str, current_tenant_id: str) -> ApiToken:
+    def post(self, resource_id):
         assert self.resource_id_field is not None, "resource_id_field must be set"
+        resource_id = str(resource_id)
+        _, current_tenant_id = current_account_with_tenant()
         _get_resource(resource_id, current_tenant_id, self.resource_model)
         current_key_count: int = (
             db.session.scalar(
@@ -117,7 +108,7 @@ class BaseApiKeyListResource(Resource):
         api_token.type = self.resource_type
         db.session.add(api_token)
         db.session.commit()
-        return api_token
+        return ApiKeyItem.model_validate(api_token, from_attributes=True).model_dump(mode="json"), 201
 
 
 class BaseApiKeyResource(Resource):
@@ -127,20 +118,9 @@ class BaseApiKeyResource(Resource):
     resource_model: type | None = None
     resource_id_field: str | None = None
 
-    def delete(
-        self, resource_id: str, api_key_id: str, current_tenant_id: str, current_user: Account
-    ) -> tuple[str, int]:
-        self._delete_api_key(resource_id, api_key_id, current_tenant_id, current_user)
-        return "", 204
-
-    def _delete_api_key(
-        self,
-        resource_id: str,
-        api_key_id: str,
-        current_tenant_id: str,
-        current_user: Account,
-    ) -> None:
+    def delete(self, resource_id: str, api_key_id: str):
         assert self.resource_id_field is not None, "resource_id_field must be set"
+        current_user, current_tenant_id = current_account_with_tenant()
         _get_resource(resource_id, current_tenant_id, self.resource_model)
 
         if not current_user.is_admin_or_owner:
@@ -167,6 +147,8 @@ class BaseApiKeyResource(Resource):
         db.session.execute(delete(ApiToken).where(ApiToken.id == api_key_id))
         db.session.commit()
 
+        return "", 204
+
 
 @console_ns.route("/apps/<uuid:resource_id>/api-keys")
 class AppApiKeyListResource(BaseApiKeyListResource):
@@ -174,21 +156,18 @@ class AppApiKeyListResource(BaseApiKeyListResource):
     @console_ns.doc(description="Get all API keys for an app")
     @console_ns.doc(params={"resource_id": "App ID"})
     @console_ns.response(200, "API keys retrieved successfully", console_ns.models[ApiKeyList.__name__])
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str, resource_id: UUID) -> dict[str, object]:
+    def get(self, resource_id: UUID):
         """Get all API keys for an app"""
-        return dump_response(ApiKeyList, self._get_api_key_list(str(resource_id), current_tenant_id))
+        return super().get(resource_id)
 
     @console_ns.doc("create_app_api_key")
     @console_ns.doc(description="Create a new API key for an app")
     @console_ns.doc(params={"resource_id": "App ID"})
     @console_ns.response(201, "API key created successfully", console_ns.models[ApiKeyItem.__name__])
     @console_ns.response(400, "Maximum keys exceeded")
-    @with_current_tenant_id
-    @edit_permission_required
-    def post(self, current_tenant_id: str, resource_id: UUID) -> tuple[dict[str, object], int]:
+    def post(self, resource_id: UUID):
         """Create a new API key for an app"""
-        return dump_response(ApiKeyItem, self._create_api_key(str(resource_id), current_tenant_id)), 201
+        return super().post(resource_id)
 
     resource_type = ApiTokenType.APP
     resource_model = App
@@ -202,14 +181,9 @@ class AppApiKeyResource(BaseApiKeyResource):
     @console_ns.doc(description="Delete an API key for an app")
     @console_ns.doc(params={"resource_id": "App ID", "api_key_id": "API key ID"})
     @console_ns.response(204, "API key deleted successfully")
-    @with_current_user
-    @with_current_tenant_id
-    def delete(
-        self, current_tenant_id: str, current_user: Account, resource_id: UUID, api_key_id: UUID
-    ) -> tuple[str, int]:
+    def delete(self, resource_id: UUID, api_key_id: UUID):
         """Delete an API key for an app"""
-        self._delete_api_key(str(resource_id), str(api_key_id), current_tenant_id, current_user)
-        return "", 204
+        return super().delete(str(resource_id), str(api_key_id))
 
     resource_type = ApiTokenType.APP
     resource_model = App
@@ -222,21 +196,18 @@ class DatasetApiKeyListResource(BaseApiKeyListResource):
     @console_ns.doc(description="Get all API keys for a dataset")
     @console_ns.doc(params={"resource_id": "Dataset ID"})
     @console_ns.response(200, "API keys retrieved successfully", console_ns.models[ApiKeyList.__name__])
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str, resource_id: UUID) -> dict[str, object]:
+    def get(self, resource_id: UUID):
         """Get all API keys for a dataset"""
-        return dump_response(ApiKeyList, self._get_api_key_list(str(resource_id), current_tenant_id))
+        return super().get(resource_id)
 
     @console_ns.doc("create_dataset_api_key")
     @console_ns.doc(description="Create a new API key for a dataset")
     @console_ns.doc(params={"resource_id": "Dataset ID"})
     @console_ns.response(201, "API key created successfully", console_ns.models[ApiKeyItem.__name__])
     @console_ns.response(400, "Maximum keys exceeded")
-    @with_current_tenant_id
-    @edit_permission_required
-    def post(self, current_tenant_id: str, resource_id: UUID) -> tuple[dict[str, object], int]:
+    def post(self, resource_id: UUID):
         """Create a new API key for a dataset"""
-        return dump_response(ApiKeyItem, self._create_api_key(str(resource_id), current_tenant_id)), 201
+        return super().post(resource_id)
 
     resource_type = ApiTokenType.DATASET
     resource_model = Dataset
@@ -250,14 +221,9 @@ class DatasetApiKeyResource(BaseApiKeyResource):
     @console_ns.doc(description="Delete an API key for a dataset")
     @console_ns.doc(params={"resource_id": "Dataset ID", "api_key_id": "API key ID"})
     @console_ns.response(204, "API key deleted successfully")
-    @with_current_user
-    @with_current_tenant_id
-    def delete(
-        self, current_tenant_id: str, current_user: Account, resource_id: UUID, api_key_id: UUID
-    ) -> tuple[str, int]:
+    def delete(self, resource_id: UUID, api_key_id: UUID):
         """Delete an API key for a dataset"""
-        self._delete_api_key(str(resource_id), str(api_key_id), current_tenant_id, current_user)
-        return "", 204
+        return super().delete(str(resource_id), str(api_key_id))
 
     resource_type = ApiTokenType.DATASET
     resource_model = Dataset

api/controllers/console/app/agent.py

@@ -8,7 +8,7 @@ from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import account_initialization_required, setup_required
 from libs.helper import uuid_value
 from libs.login import login_required
-from models.model import App, AppMode
+from models.model import AppMode
 from services.agent_service import AgentService
 
 
@@ -39,7 +39,7 @@ class AgentLogApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.AGENT_CHAT])
-    def get(self, app_model: App):
+    def get(self, app_model):
         """Get agent logs"""
         args = AgentLogQuery.model_validate(request.args.to_dict(flat=True))
 

api/controllers/console/app/app.py

@@ -573,7 +573,7 @@ class AppApi(Resource):
     @account_initialization_required
     @enterprise_license_required
     @get_app_model(mode=None)
-    def get(self, app_model: App):
+    def get(self, app_model):
         """Get app detail"""
         app_service = AppService()
 
@@ -581,7 +581,7 @@ class AppApi(Resource):
 
         if FeatureService.get_system_features().webapp_auth.enabled:
             app_setting = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=str(app_model.id))
-            app_model.access_mode = app_setting.access_mode  # type: ignore[attr-defined]
+            app_model.access_mode = app_setting.access_mode
 
         response_model = AppDetailWithSite.model_validate(app_model, from_attributes=True)
         return response_model.model_dump(mode="json")
@@ -598,7 +598,7 @@ class AppApi(Resource):
     @account_initialization_required
     @get_app_model(mode=None)
     @edit_permission_required
-    def put(self, app_model: App):
+    def put(self, app_model):
         """Update app"""
         args = UpdateAppPayload.model_validate(console_ns.payload)
 
@@ -627,7 +627,7 @@ class AppApi(Resource):
     @login_required
     @account_initialization_required
     @edit_permission_required
-    def delete(self, app_model: App):
+    def delete(self, app_model):
         """Delete app"""
         app_service = AppService()
         app_service.delete_app(app_model)
@@ -648,7 +648,7 @@ class AppCopyApi(Resource):
     @account_initialization_required
     @get_app_model(mode=None)
     @edit_permission_required
-    def post(self, app_model: App):
+    def post(self, app_model):
         """Copy app"""
         # The role of the current user in the ta table must be admin, owner, or editor
         current_user, _ = current_account_with_tenant()
@@ -709,7 +709,7 @@ class AppExportApi(Resource):
     @login_required
     @account_initialization_required
     @edit_permission_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         """Export app"""
         args = AppExportQuery.model_validate(request.args.to_dict(flat=True))
 
@@ -731,7 +731,7 @@ class AppPublishToCreatorsPlatformApi(Resource):
     @account_initialization_required
     @get_app_model(mode=None)
     @edit_permission_required
-    def post(self, app_model: App):
+    def post(self, app_model):
         """Publish app to Creators Platform"""
         from configs import dify_config
         from core.helper.creators import get_redirect_url, upload_dsl
@@ -762,7 +762,7 @@ class AppNameApi(Resource):
     @account_initialization_required
     @get_app_model(mode=None)
     @edit_permission_required
-    def post(self, app_model: App):
+    def post(self, app_model):
         args = AppNamePayload.model_validate(console_ns.payload)
 
         app_service = AppService()
@@ -784,7 +784,7 @@ class AppIconApi(Resource):
     @account_initialization_required
     @get_app_model(mode=None)
     @edit_permission_required
-    def post(self, app_model: App):
+    def post(self, app_model):
         args = AppIconPayload.model_validate(console_ns.payload or {})
 
         app_service = AppService()
@@ -811,7 +811,7 @@ class AppSiteStatus(Resource):
     @account_initialization_required
     @get_app_model(mode=None)
     @edit_permission_required
-    def post(self, app_model: App):
+    def post(self, app_model):
         args = AppSiteStatusPayload.model_validate(console_ns.payload)
 
         app_service = AppService()
@@ -833,7 +833,7 @@ class AppApiStatus(Resource):
     @is_admin_or_owner_required
     @account_initialization_required
     @get_app_model(mode=None)
-    def post(self, app_model: App):
+    def post(self, app_model):
         args = AppApiStatusPayload.model_validate(console_ns.payload)
 
         app_service = AppService()
@@ -874,7 +874,7 @@ class AppTraceApi(Resource):
     @account_initialization_required
     @edit_permission_required
     @get_app_model
-    def post(self, app_model: App):
+    def post(self, app_model):
         # add app trace
         args = AppTracePayload.model_validate(console_ns.payload)
 

api/controllers/console/app/audio.py

@@ -70,7 +70,7 @@ class ChatMessageAudioApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
-    def post(self, app_model: App):
+    def post(self, app_model):
         file = request.files["file"]
 
         try:
@@ -171,7 +171,7 @@ class TextModesApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         try:
             args = TextToSpeechVoiceQuery.model_validate(request.args.to_dict(flat=True))
 

api/controllers/console/app/completion.py

@@ -33,7 +33,7 @@ from libs import helper
 from libs.helper import uuid_value
 from libs.login import current_user, login_required
 from models import Account
-from models.model import App, AppMode
+from models.model import AppMode
 from services.app_generate_service import AppGenerateService
 from services.app_task_service import AppTaskService
 from services.errors.llm import InvokeRateLimitError
@@ -84,7 +84,7 @@ class CompletionMessageApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=AppMode.COMPLETION)
-    def post(self, app_model: App):
+    def post(self, app_model):
         args_model = CompletionMessagePayload.model_validate(console_ns.payload)
         args = args_model.model_dump(exclude_none=True, by_alias=True)
 
@@ -131,7 +131,7 @@ class CompletionMessageStopApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=AppMode.COMPLETION)
-    def post(self, app_model: App, task_id: str):
+    def post(self, app_model, task_id: str):
         if not isinstance(current_user, Account):
             raise ValueError("current_user must be an Account instance")
 
@@ -159,7 +159,7 @@ class ChatMessageApi(Resource):
     @account_initialization_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT])
     @edit_permission_required
-    def post(self, app_model: App):
+    def post(self, app_model):
         args_model = ChatMessagePayload.model_validate(console_ns.payload)
         args = args_model.model_dump(exclude_none=True, by_alias=True)
 
@@ -212,7 +212,7 @@ class ChatMessageStopApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
-    def post(self, app_model: App, task_id: str):
+    def post(self, app_model, task_id: str):
         if not isinstance(current_user, Account):
             raise ValueError("current_user must be an Account instance")
 

api/controllers/console/app/conversation.py

@@ -33,7 +33,7 @@ from fields.conversation_fields import (
 from libs.datetime_utils import naive_utc_now, parse_time_range
 from libs.login import current_account_with_tenant, login_required
 from models import Conversation, EndUser, Message, MessageAnnotation
-from models.model import App, AppMode
+from models.model import AppMode
 from services.conversation_service import ConversationService
 from services.errors.conversation import ConversationNotExistsError
 
@@ -93,7 +93,7 @@ class CompletionConversationApi(Resource):
     @account_initialization_required
     @get_app_model(mode=AppMode.COMPLETION)
     @edit_permission_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         current_user, _ = current_account_with_tenant()
         args = CompletionConversationQuery.model_validate(request.args.to_dict(flat=True))
 
@@ -165,7 +165,7 @@ class CompletionConversationDetailApi(Resource):
     @account_initialization_required
     @get_app_model(mode=AppMode.COMPLETION)
     @edit_permission_required
-    def get(self, app_model: App, conversation_id: UUID):
+    def get(self, app_model, conversation_id: UUID):
         conversation_id_str = str(conversation_id)
         return ConversationMessageDetailResponse.model_validate(
             _get_conversation(app_model, conversation_id_str), from_attributes=True
@@ -182,7 +182,7 @@ class CompletionConversationDetailApi(Resource):
     @account_initialization_required
     @get_app_model(mode=AppMode.COMPLETION)
     @edit_permission_required
-    def delete(self, app_model: App, conversation_id: UUID):
+    def delete(self, app_model, conversation_id: UUID):
         current_user, _ = current_account_with_tenant()
         conversation_id_str = str(conversation_id)
 
@@ -207,7 +207,7 @@ class ChatConversationApi(Resource):
     @account_initialization_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
     @edit_permission_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         current_user, _ = current_account_with_tenant()
         args = ChatConversationQuery.model_validate(request.args.to_dict(flat=True))
 
@@ -318,7 +318,7 @@ class ChatConversationDetailApi(Resource):
     @account_initialization_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
     @edit_permission_required
-    def get(self, app_model: App, conversation_id: UUID):
+    def get(self, app_model, conversation_id: UUID):
         conversation_id_str = str(conversation_id)
         return ConversationDetailResponse.model_validate(
             _get_conversation(app_model, conversation_id_str), from_attributes=True
@@ -335,7 +335,7 @@ class ChatConversationDetailApi(Resource):
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
     @account_initialization_required
     @edit_permission_required
-    def delete(self, app_model: App, conversation_id: UUID):
+    def delete(self, app_model, conversation_id: UUID):
         current_user, _ = current_account_with_tenant()
         conversation_id_str = str(conversation_id)
 

api/controllers/console/app/conversation_variables.py

@@ -19,7 +19,7 @@ from fields.base import ResponseModel
 from libs.helper import to_timestamp
 from libs.login import login_required
 from models import ConversationVariable
-from models.model import App, AppMode
+from models.model import AppMode
 
 
 class ConversationVariablesQuery(BaseModel):
@@ -94,7 +94,7 @@ class ConversationVariablesApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=AppMode.ADVANCED_CHAT)
-    def get(self, app_model: App):
+    def get(self, app_model):
         args = ConversationVariablesQuery.model_validate(request.args.to_dict(flat=True))
 
         stmt = (

api/controllers/console/app/generator.py

@@ -11,7 +11,7 @@ from controllers.console.app.error import (
     ProviderNotInitializeError,
     ProviderQuotaExceededError,
 )
-from controllers.console.wraps import account_initialization_required, setup_required, with_current_tenant_id
+from controllers.console.wraps import account_initialization_required, setup_required
 from core.app.app_config.entities import ModelConfig
 from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
 from core.helper.code_executor.code_node_provider import CodeNodeProvider
@@ -22,7 +22,7 @@ from core.llm_generator.llm_generator import LLMGenerator
 from extensions.ext_database import db
 from graphon.model_runtime.entities.llm_entities import LLMMode
 from graphon.model_runtime.errors.invoke import InvokeError
-from libs.login import login_required
+from libs.login import current_account_with_tenant, login_required
 from models import App
 from services.workflow_service import WorkflowService
 
@@ -64,9 +64,9 @@ class RuleGenerateApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str):
+    def post(self):
         args = RuleGeneratePayload.model_validate(console_ns.payload)
+        _, current_tenant_id = current_account_with_tenant()
 
         try:
             rules = LLMGenerator.generate_rule_config(tenant_id=current_tenant_id, args=args)
@@ -93,9 +93,9 @@ class RuleCodeGenerateApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str):
+    def post(self):
         args = RuleCodeGeneratePayload.model_validate(console_ns.payload)
+        _, current_tenant_id = current_account_with_tenant()
 
         try:
             code_result = LLMGenerator.generate_code(
@@ -125,9 +125,9 @@ class RuleStructuredOutputGenerateApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str):
+    def post(self):
         args = RuleStructuredOutputPayload.model_validate(console_ns.payload)
+        _, current_tenant_id = current_account_with_tenant()
 
         try:
             structured_output = LLMGenerator.generate_structured_output(
@@ -157,9 +157,9 @@ class InstructionGenerateApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str):
+    def post(self):
         args = InstructionGeneratePayload.model_validate(console_ns.payload)
+        _, current_tenant_id = current_account_with_tenant()
         providers: list[type[CodeNodeProvider]] = [Python3CodeProvider, JavascriptCodeProvider]
         code_provider: type[CodeNodeProvider] | None = next(
             (p for p in providers if p.is_accept_language(args.language)), None

api/controllers/console/app/mcp_server.py

@@ -11,18 +11,13 @@ from werkzeug.exceptions import NotFound
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    account_initialization_required,
-    edit_permission_required,
-    setup_required,
-    with_current_tenant_id,
-)
+from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
 from extensions.ext_database import db
 from fields.base import ResponseModel
 from libs.helper import to_timestamp
-from libs.login import login_required
+from libs.login import current_account_with_tenant, login_required
 from models.enums import AppMCPServerStatus
-from models.model import App, AppMCPServer
+from models.model import AppMCPServer
 
 
 class MCPServerCreatePayload(BaseModel):
@@ -78,7 +73,7 @@ class AppMCPServerController(Resource):
     @account_initialization_required
     @setup_required
     @get_app_model
-    def get(self, app_model: App):
+    def get(self, app_model):
         server = db.session.scalar(select(AppMCPServer).where(AppMCPServer.app_id == app_model.id).limit(1))
         if server is None:
             return {}
@@ -97,8 +92,8 @@ class AppMCPServerController(Resource):
     @login_required
     @setup_required
     @edit_permission_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str, app_model: App):
+    def post(self, app_model):
+        _, current_tenant_id = current_account_with_tenant()
         payload = MCPServerCreatePayload.model_validate(console_ns.payload or {})
 
         description = payload.description
@@ -132,7 +127,7 @@ class AppMCPServerController(Resource):
     @setup_required
     @account_initialization_required
     @edit_permission_required
-    def put(self, app_model: App):
+    def put(self, app_model):
         payload = MCPServerUpdatePayload.model_validate(console_ns.payload or {})
         server = db.session.get(AppMCPServer, payload.id)
         if not server:
@@ -168,8 +163,8 @@ class AppMCPServerRefreshController(Resource):
     @login_required
     @account_initialization_required
     @edit_permission_required
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str, server_id: UUID):
+    def get(self, server_id: UUID):
+        _, current_tenant_id = current_account_with_tenant()
         server = db.session.scalar(
             select(AppMCPServer)
             .where(AppMCPServer.id == server_id, AppMCPServer.tenant_id == current_tenant_id)

api/controllers/console/app/message.py

@@ -45,7 +45,7 @@ from libs.helper import to_timestamp, uuid_value
 from libs.infinite_scroll_pagination import InfiniteScrollPagination
 from libs.login import current_account_with_tenant, login_required
 from models.enums import FeedbackFromSource, FeedbackRating
-from models.model import App, AppMode, Conversation, Message, MessageAnnotation, MessageFeedback
+from models.model import AppMode, Conversation, Message, MessageAnnotation, MessageFeedback
 from services.errors.conversation import ConversationNotExistsError
 from services.errors.message import MessageNotExistsError, SuggestedQuestionsAfterAnswerDisabledError
 from services.message_service import MessageService, attach_message_extra_contents
@@ -180,7 +180,7 @@ class ChatMessageListApi(Resource):
     @setup_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
     @edit_permission_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         args = ChatMessagesQuery.model_validate(request.args.to_dict())
 
         conversation = db.session.scalar(
@@ -257,7 +257,7 @@ class MessageFeedbackApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def post(self, app_model: App):
+    def post(self, app_model):
         current_user, _ = current_account_with_tenant()
 
         args = MessageFeedbackPayload.model_validate(console_ns.payload)
@@ -314,7 +314,7 @@ class MessageAnnotationCountApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         count = db.session.scalar(
             select(func.count(MessageAnnotation.id)).where(MessageAnnotation.app_id == app_model.id)
         )
@@ -337,7 +337,7 @@ class MessageSuggestedQuestionApi(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
-    def get(self, app_model: App, message_id: UUID):
+    def get(self, app_model, message_id: UUID):
         current_user, _ = current_account_with_tenant()
         message_id_str = str(message_id)
 
@@ -379,7 +379,7 @@ class MessageFeedbackExportApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         args = FeedbackExportQuery.model_validate(request.args.to_dict())
 
         # Import the service function
@@ -417,7 +417,7 @@ class MessageApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App, message_id: UUID):
+    def get(self, app_model, message_id: UUID):
         message_id_str = str(message_id)
 
         message = db.session.scalar(

api/controllers/console/app/model_config.py

@@ -16,7 +16,7 @@ from events.app_event import app_model_config_was_updated
 from extensions.ext_database import db
 from libs.datetime_utils import naive_utc_now
 from libs.login import current_account_with_tenant, login_required
-from models.model import App, AppMode, AppModelConfig
+from models.model import AppMode, AppModelConfig
 from services.app_model_config_service import AppModelConfigService
 
 
@@ -52,7 +52,7 @@ class ModelConfigResource(Resource):
     @edit_permission_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.AGENT_CHAT, AppMode.CHAT, AppMode.COMPLETION])
-    def post(self, app_model: App):
+    def post(self, app_model):
         """Modify app model config"""
         current_user, current_tenant_id = current_account_with_tenant()
         # validate config

api/controllers/console/app/site.py

@@ -20,7 +20,6 @@ from fields.base import ResponseModel
 from libs.datetime_utils import naive_utc_now
 from libs.login import current_account_with_tenant, login_required
 from models import Site
-from models.model import App
 
 
 class AppSiteUpdatePayload(BaseModel):
@@ -85,7 +84,7 @@ class AppSite(Resource):
     @edit_permission_required
     @account_initialization_required
     @get_app_model
-    def post(self, app_model: App):
+    def post(self, app_model):
         args = AppSiteUpdatePayload.model_validate(console_ns.payload or {})
         current_user, _ = current_account_with_tenant()
         site = db.session.scalar(select(Site).where(Site.app_id == app_model.id).limit(1))
@@ -134,7 +133,7 @@ class AppSiteAccessTokenReset(Resource):
     @is_admin_or_owner_required
     @account_initialization_required
     @get_app_model
-    def post(self, app_model: App):
+    def post(self, app_model):
         current_user, _ = current_account_with_tenant()
         site = db.session.scalar(select(Site).where(Site.app_id == app_model.id).limit(1))
 

api/controllers/console/app/statistic.py

@@ -15,7 +15,6 @@ from libs.datetime_utils import parse_time_range
 from libs.helper import convert_datetime_to_date
 from libs.login import current_account_with_tenant, login_required
 from models import AppMode
-from models.model import App
 
 
 class StatisticTimeRangeQuery(BaseModel):
@@ -48,7 +47,7 @@ class DailyMessageStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
@@ -62,12 +61,8 @@ FROM
 WHERE
     app_id = :app_id
     AND invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)
@@ -109,7 +104,7 @@ class DailyConversationStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
@@ -123,12 +118,8 @@ FROM
 WHERE
     app_id = :app_id
     AND invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)
@@ -169,7 +160,7 @@ class DailyTerminalsStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
@@ -183,12 +174,8 @@ FROM
 WHERE
     app_id = :app_id
     AND invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)
@@ -230,7 +217,7 @@ class DailyTokenCostStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
@@ -245,12 +232,8 @@ FROM
 WHERE
     app_id = :app_id
     AND invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)
@@ -294,7 +277,7 @@ class AverageSessionInteractionStatistic(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
@@ -316,12 +299,8 @@ FROM
         WHERE
             c.app_id = :app_id
             AND m.invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)
@@ -374,7 +353,7 @@ class UserSatisfactionRateStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
@@ -392,12 +371,8 @@ LEFT JOIN
 WHERE
     m.app_id = :app_id
     AND m.invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)
@@ -444,7 +419,7 @@ class AverageResponseTimeStatistic(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=AppMode.COMPLETION)
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
@@ -458,12 +433,8 @@ FROM
 WHERE
     app_id = :app_id
     AND invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)
@@ -505,7 +476,7 @@ class TokensPerSecondStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
         args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))
 
@@ -521,12 +492,8 @@ FROM
 WHERE
     app_id = :app_id
     AND invoke_from != :invoke_from"""
+        arg_dict = {"tz": account.timezone, "app_id": app_model.id, "invoke_from": InvokeFrom.DEBUGGER}
         assert account.timezone is not None
-        arg_dict: dict[str, object] = {
-            "tz": account.timezone,
-            "app_id": app_model.id,
-            "invoke_from": InvokeFrom.DEBUGGER,
-        }
 
         try:
             start_datetime_utc, end_datetime_utc = parse_time_range(args.start, args.end, account.timezone)

api/controllers/console/app/workflow_draft_variable.py

@@ -83,14 +83,13 @@ def _serialize_var_value(variable: WorkflowDraftVariable):
     # create a copy of the value to avoid affecting the model cache.
     value = value.model_copy(deep=True)
     # Refresh the url signature before returning it to client.
-    match value:
-        case FileSegment():
-            file = value.value
+    if isinstance(value, FileSegment):
+        file = value.value
+        file.remote_url = file.generate_url()
+    elif isinstance(value, ArrayFileSegment):
+        files = value.value
+        for file in files:
             file.remote_url = file.generate_url()
-        case ArrayFileSegment():
-            files = value.value
-            for file in files:
-                file.remote_url = file.generate_url()
     return _convert_values_to_json_serializable_object(value)
 
 

api/controllers/console/app/workflow_node_output_inspector.py

@@ -1,415 +0,0 @@
-"""Console REST endpoints for the Node Output Inspector (Stage 4 §8 / §10.3).
-
-PRD §Node Output Inspector replaces the consumer-organized Variable Inspector
-with a producer-organized view of each node's declared outputs and their
-per-run status. This module exposes two parallel sets of three read-only
-endpoints — one for ``/workflows/draft/runs/...`` (Composer test runs) and one
-for ``/workflows/published/runs/...`` (real App API / webapp / webhook /
-schedule / plugin triggers). Both sets share the same service code, the same
-response shapes, and the same error codes; the URL is the *only* difference,
-so the frontend can pick the right prefix based on which run-detail page the
-user is on.
-
-Decision D-1 (published Inspector deferred) was lifted 2026-05-26 — the
-``published_run_inspector_not_implemented`` 404 code is therefore no longer
-produced.
-
-URLs follow the design doc and reuse the existing
-``/apps/<uuid:app_id>/workflows/draft/...`` prefix from
-:mod:`controllers.console.app.workflow_draft_variable`. The
-``published`` prefix mirrors it shape-for-shape.
-"""
-
-from __future__ import annotations
-
-import json
-import logging
-from collections.abc import Iterator
-from uuid import UUID
-
-from flask import Response
-from flask_restx import Resource
-
-from controllers.console import console_ns
-from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import account_initialization_required, setup_required
-from libs.exception import BaseHTTPException
-from libs.login import login_required
-from models import App, AppMode
-from services.workflow import inspector_events
-from services.workflow.node_output_inspector_service import (
-    NodeOutputInspectorError,
-    NodeOutputInspectorService,
-)
-
-logger = logging.getLogger(__name__)
-
-
-# Heartbeat cadence — every N empty subscribe ticks emit a SSE comment so
-# intervening proxies (nginx, ingress) don't reap the idle connection.
-# ``inspector_events.subscribe`` ticks at 1s, so 15 → 15s heartbeat.
-_HEARTBEAT_EVERY_TICKS = 15
-# Hard ceiling on a single stream — if we never see a terminal workflow
-# event (engine crashed, redis dropped the message), force-close after this
-# many ticks (= seconds).
-_STREAM_HARD_TIMEOUT_TICKS = 1800  # 30 min
-
-
-def _service() -> NodeOutputInspectorService:
-    """One-line factory so tests can monkeypatch a stub if needed."""
-    return NodeOutputInspectorService()
-
-
-def _serve_snapshot(app_model: App, run_id: UUID) -> dict:
-    """Resource-body shared by draft + published snapshot endpoints.
-
-    Pulled out so the 6 REST routes don't duplicate the same 6-line try/except
-    + ``model_dump`` ritual — the routes shrink to one-liners and the actual
-    behaviour lives here, where unit tests can hit it without spinning up
-    Flask request context.
-    """
-    try:
-        snapshot = _service().snapshot_workflow_run(app_model=app_model, workflow_run_id=str(run_id))
-    except NodeOutputInspectorError as error:
-        raise _InspectorNotFound(error) from error
-    return snapshot.model_dump(mode="json")
-
-
-def _serve_node_detail(app_model: App, run_id: UUID, node_id: str) -> dict:
-    """Resource-body shared by draft + published node-detail endpoints."""
-    try:
-        view = _service().node_detail(
-            app_model=app_model,
-            workflow_run_id=str(run_id),
-            node_id=node_id,
-        )
-    except NodeOutputInspectorError as error:
-        raise _InspectorNotFound(error) from error
-    return view.model_dump(mode="json")
-
-
-def _serve_output_preview(app_model: App, run_id: UUID, node_id: str, output_name: str) -> dict:
-    """Resource-body shared by draft + published output-preview endpoints."""
-    try:
-        preview = _service().output_preview(
-            app_model=app_model,
-            workflow_run_id=str(run_id),
-            node_id=node_id,
-            output_name=output_name,
-        )
-    except NodeOutputInspectorError as error:
-        raise _InspectorNotFound(error) from error
-    return preview.model_dump(mode="json")
-
-
-class _InspectorNotFound(BaseHTTPException):
-    """404 that preserves the inspector's specific error code.
-
-    Without this the response body collapses to a generic ``not_found`` code
-    and clients lose the ability to distinguish, e.g.,
-    ``workflow_run_not_found`` from ``published_run_inspector_not_implemented``.
-    """
-
-    code = 404
-
-    def __init__(self, error: NodeOutputInspectorError) -> None:
-        self.error_code = error.code
-        super().__init__(description=str(error))
-
-
-@console_ns.route("/apps/<uuid:app_id>/workflows/draft/runs/<uuid:run_id>/node-outputs")
-class WorkflowDraftRunNodeOutputsApi(Resource):
-    """Whole-run snapshot organized by producer node."""
-
-    @console_ns.doc("get_workflow_draft_run_node_outputs")
-    @console_ns.doc(description="Snapshot of every node's declared outputs for a draft workflow run.")
-    @console_ns.doc(params={"app_id": "Application ID", "run_id": "Workflow run ID"})
-    @console_ns.response(404, "Workflow run not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID):
-        return _serve_snapshot(app_model, run_id)
-
-
-@console_ns.route("/apps/<uuid:app_id>/workflows/draft/runs/<uuid:run_id>/node-outputs/<string:node_id>")
-class WorkflowDraftRunNodeOutputDetailApi(Resource):
-    """One node's declared outputs + per-output status."""
-
-    @console_ns.doc("get_workflow_draft_run_node_output_detail")
-    @console_ns.doc(description="One node's declared outputs for a draft workflow run.")
-    @console_ns.doc(
-        params={
-            "app_id": "Application ID",
-            "run_id": "Workflow run ID",
-            "node_id": "Node ID inside the workflow graph",
-        }
-    )
-    @console_ns.response(404, "Workflow run / node not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID, node_id: str):
-        return _serve_node_detail(app_model, run_id, node_id)
-
-
-@console_ns.route(
-    "/apps/<uuid:app_id>/workflows/draft/runs/<uuid:run_id>/node-outputs/<string:node_id>/<string:output_name>/preview"
-)
-class WorkflowDraftRunNodeOutputPreviewApi(Resource):
-    """Full value for one declared output (with signed URL for file refs)."""
-
-    @console_ns.doc("get_workflow_draft_run_node_output_preview")
-    @console_ns.doc(description="Full value for one declared output, including signed download URL for files.")
-    @console_ns.doc(
-        params={
-            "app_id": "Application ID",
-            "run_id": "Workflow run ID",
-            "node_id": "Node ID inside the workflow graph",
-            "output_name": "Declared output name as exposed by Composer",
-        }
-    )
-    @console_ns.response(404, "Workflow run / node / output not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID, node_id: str, output_name: str):
-        return _serve_output_preview(app_model, run_id, node_id, output_name)
-
-
-# ──────────────────────────────────────────────────────────────────────────────
-# SSE event stream — shared generator used by draft + published variants
-# ──────────────────────────────────────────────────────────────────────────────
-
-
-def _sse_envelope(event: str, data: dict | str, event_id: int) -> str:
-    """Format one SSE record per D-5 ``{event, data, id}`` envelope.
-
-    ``data`` is JSON-serialized when given as a dict; raw strings are
-    forwarded unchanged so we can also emit ``:keepalive`` comment lines.
-    """
-    payload = data if isinstance(data, str) else json.dumps(data, ensure_ascii=False)
-    return f"event: {event}\nid: {event_id}\ndata: {payload}\n\n"
-
-
-def _stream_inspector_events(app_model: App, run_id: UUID) -> Iterator[str]:
-    """Yield SSE-framed strings for one workflow run.
-
-    The stream begins with a full ``snapshot`` event so the client has a
-    starting state without needing a separate REST GET. Then for every
-    ``node_changed`` message from the pub/sub channel we re-read that node
-    from DB and push a fresh ``node_changed`` event. When the workflow run
-    reaches a terminal state we push one final ``workflow_run_completed``
-    event and close the stream.
-
-    Failures inside the loop are caught and surfaced as ``error`` events so
-    the frontend can show a banner rather than seeing the connection drop
-    silently. The Inspector never raises across the SSE boundary.
-    """
-    service = _service()
-    run_id_str = str(run_id)
-
-    # Initial snapshot — also flushes a 404 back at the client right away
-    # if the run is gone (raised before yielding any bytes, so Flask turns it
-    # into the normal HTTP 404 path).
-    try:
-        snapshot = service.snapshot_workflow_run(app_model=app_model, workflow_run_id=run_id_str)
-    except NodeOutputInspectorError as error:
-        raise _InspectorNotFound(error) from error
-
-    event_id = 0
-    yield _sse_envelope("snapshot", snapshot.model_dump(mode="json"), event_id)
-
-    # If the run already finished by the time the client connected, emit
-    # the terminal envelope synchronously and close — no point subscribing.
-    # The enum value for partial success is the hyphenated ``partial-succeeded``
-    # (graphon.enums.WorkflowExecutionStatus), not ``partial_succeeded``.
-    if snapshot.workflow_run_status.value in {"succeeded", "failed", "stopped", "partial-succeeded"}:
-        event_id += 1
-        yield _sse_envelope(
-            "workflow_run_completed",
-            {"workflow_run_id": run_id_str, "workflow_run_status": snapshot.workflow_run_status.value},
-            event_id,
-        )
-        return
-
-    # Live subscription
-    ticks_since_heartbeat = 0
-    total_ticks = 0
-    for message in inspector_events.subscribe(run_id_str, timeout_seconds=1.0):
-        total_ticks += 1
-        if total_ticks > _STREAM_HARD_TIMEOUT_TICKS:
-            logger.warning(
-                "Inspector SSE: forcing close after %ds without terminal event for run %s",
-                _STREAM_HARD_TIMEOUT_TICKS,
-                run_id_str,
-            )
-            return
-
-        # Heartbeat sentinel — ``inspector_events.subscribe`` synthesizes a
-        # ``node_changed`` message with both fields ``None`` on every redis
-        # timeout. Real ``workflow_completed`` messages keep their kind even
-        # when status couldn't be resolved (publisher race), so checking kind
-        # first makes the heartbeat branch safe.
-        if message.kind == "node_changed" and message.node_id is None and message.status is None:
-            ticks_since_heartbeat += 1
-            if ticks_since_heartbeat >= _HEARTBEAT_EVERY_TICKS:
-                yield ":keepalive\n\n"
-                ticks_since_heartbeat = 0
-            continue
-        ticks_since_heartbeat = 0
-
-        if message.kind == "workflow_completed":
-            event_id += 1
-            yield _sse_envelope(
-                "workflow_run_completed",
-                {"workflow_run_id": run_id_str, "workflow_run_status": message.status or "unknown"},
-                event_id,
-            )
-            return
-
-        # node_changed: recompute the node slice from DB
-        if not message.node_id:
-            continue
-        try:
-            node_view = service.node_detail(
-                app_model=app_model,
-                workflow_run_id=run_id_str,
-                node_id=message.node_id,
-            )
-        except NodeOutputInspectorError:
-            # Node may not appear in the graph yet (race with persistence); skip.
-            continue
-        except Exception:
-            logger.warning(
-                "Inspector SSE: node_detail failed for run %s node %s",
-                run_id_str,
-                message.node_id,
-                exc_info=True,
-            )
-            event_id += 1
-            yield _sse_envelope(
-                "error",
-                {"node_id": message.node_id, "message": "failed to refresh node detail"},
-                event_id,
-            )
-            continue
-
-        event_id += 1
-        yield _sse_envelope("node_changed", node_view.model_dump(mode="json"), event_id)
-
-
-@console_ns.route("/apps/<uuid:app_id>/workflows/draft/runs/<uuid:run_id>/node-outputs/events")
-class WorkflowDraftRunNodeOutputEventsApi(Resource):
-    """SSE stream of inspector deltas for a draft run."""
-
-    @console_ns.doc("stream_workflow_draft_run_node_output_events")
-    @console_ns.doc(description="Server-Sent Events stream of inspector deltas for a draft workflow run.")
-    @console_ns.doc(params={"app_id": "Application ID", "run_id": "Workflow run ID"})
-    @console_ns.response(404, "Workflow run not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID):
-        return Response(
-            _stream_inspector_events(app_model, run_id),
-            mimetype="text/event-stream",
-            headers={"Cache-Control": "no-cache", "Connection": "keep-alive"},
-        )
-
-
-# ──────────────────────────────────────────────────────────────────────────────
-# Published-run endpoints — symmetric to the draft trio above
-# ──────────────────────────────────────────────────────────────────────────────
-
-
-@console_ns.route("/apps/<uuid:app_id>/workflows/published/runs/<uuid:run_id>/node-outputs")
-class WorkflowPublishedRunNodeOutputsApi(Resource):
-    """Whole-run snapshot for a *published* workflow run.
-
-    Same response shape as the ``/draft/`` variant — frontend can multiplex
-    based on which page (Composer test-run vs. Run History) is mounted.
-    """
-
-    @console_ns.doc("get_workflow_published_run_node_outputs")
-    @console_ns.doc(description="Snapshot of every node's declared outputs for a published workflow run.")
-    @console_ns.doc(params={"app_id": "Application ID", "run_id": "Workflow run ID"})
-    @console_ns.response(404, "Workflow run not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID):
-        return _serve_snapshot(app_model, run_id)
-
-
-@console_ns.route("/apps/<uuid:app_id>/workflows/published/runs/<uuid:run_id>/node-outputs/<string:node_id>")
-class WorkflowPublishedRunNodeOutputDetailApi(Resource):
-    """One node's declared outputs + per-output status (published run)."""
-
-    @console_ns.doc("get_workflow_published_run_node_output_detail")
-    @console_ns.doc(description="One node's declared outputs for a published workflow run.")
-    @console_ns.doc(
-        params={
-            "app_id": "Application ID",
-            "run_id": "Workflow run ID",
-            "node_id": "Node ID inside the workflow graph",
-        }
-    )
-    @console_ns.response(404, "Workflow run / node not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID, node_id: str):
-        return _serve_node_detail(app_model, run_id, node_id)
-
-
-@console_ns.route(
-    "/apps/<uuid:app_id>/workflows/published/runs/<uuid:run_id>"
-    "/node-outputs/<string:node_id>/<string:output_name>/preview"
-)
-class WorkflowPublishedRunNodeOutputPreviewApi(Resource):
-    """Full value for one declared output of a published run."""
-
-    @console_ns.doc("get_workflow_published_run_node_output_preview")
-    @console_ns.doc(description="Full value for one declared output of a published run.")
-    @console_ns.doc(
-        params={
-            "app_id": "Application ID",
-            "run_id": "Workflow run ID",
-            "node_id": "Node ID inside the workflow graph",
-            "output_name": "Declared output name as exposed by Composer",
-        }
-    )
-    @console_ns.response(404, "Workflow run / node / output not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID, node_id: str, output_name: str):
-        return _serve_output_preview(app_model, run_id, node_id, output_name)
-
-
-@console_ns.route("/apps/<uuid:app_id>/workflows/published/runs/<uuid:run_id>/node-outputs/events")
-class WorkflowPublishedRunNodeOutputEventsApi(Resource):
-    """SSE stream of inspector deltas for a published run."""
-
-    @console_ns.doc("stream_workflow_published_run_node_output_events")
-    @console_ns.doc(description="Server-Sent Events stream of inspector deltas for a published workflow run.")
-    @console_ns.doc(params={"app_id": "Application ID", "run_id": "Workflow run ID"})
-    @console_ns.response(404, "Workflow run not found")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def get(self, app_model: App, run_id: UUID):
-        return Response(
-            _stream_inspector_events(app_model, run_id),
-            mimetype="text/event-stream",
-            headers={"Cache-Control": "no-cache", "Connection": "keep-alive"},
-        )

api/controllers/console/app/workflow_statistic.py

@@ -11,7 +11,7 @@ from extensions.ext_database import db
 from libs.datetime_utils import parse_time_range
 from libs.login import current_account_with_tenant, login_required
 from models.enums import WorkflowRunTriggeredFrom
-from models.model import App, AppMode
+from models.model import AppMode
 from repositories.factory import DifyAPIRepositoryFactory
 
 
@@ -46,7 +46,7 @@ class WorkflowDailyRunsStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))
@@ -86,7 +86,7 @@ class WorkflowDailyTerminalsStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))
@@ -126,7 +126,7 @@ class WorkflowDailyTokenCostStatistic(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))
@@ -166,7 +166,7 @@ class WorkflowAverageAppInteractionStatistic(Resource):
     @login_required
     @account_initialization_required
     @get_app_model(mode=[AppMode.WORKFLOW])
-    def get(self, app_model: App):
+    def get(self, app_model):
         account, _ = current_account_with_tenant()
 
         args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))

api/controllers/console/auth/data_source_bearer_auth.py

@@ -5,12 +5,12 @@ from pydantic import BaseModel, Field
 
 from controllers.common.schema import register_response_schema_models, register_schema_models
 from fields.base import ResponseModel
-from libs.login import login_required
+from libs.login import current_account_with_tenant, login_required
 from services.auth.api_key_auth_service import ApiKeyAuthService
 
 from .. import console_ns
 from ..auth.error import ApiKeyAuthFailedError
-from ..wraps import account_initialization_required, is_admin_or_owner_required, setup_required, with_current_tenant_id
+from ..wraps import account_initialization_required, is_admin_or_owner_required, setup_required
 
 
 class ApiKeyAuthBindingPayload(BaseModel):
@@ -42,8 +42,8 @@ class ApiKeyAuthDataSource(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str):
+    def get(self):
+        _, current_tenant_id = current_account_with_tenant()
         data_source_api_key_bindings = ApiKeyAuthService.get_provider_auth_list(current_tenant_id)
         if data_source_api_key_bindings:
             return {
@@ -69,9 +69,9 @@ class ApiKeyAuthDataSourceBinding(Resource):
     @account_initialization_required
     @is_admin_or_owner_required
     @console_ns.expect(console_ns.models[ApiKeyAuthBindingPayload.__name__])
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str):
+    def post(self):
         # The role of the current user in the table must be admin or owner
+        _, current_tenant_id = current_account_with_tenant()
         payload = ApiKeyAuthBindingPayload.model_validate(console_ns.payload)
         data = payload.model_dump()
         ApiKeyAuthService.validate_api_key_auth_args(data)
@@ -89,9 +89,10 @@ class ApiKeyAuthDataSourceBindingDelete(Resource):
     @account_initialization_required
     @is_admin_or_owner_required
     @console_ns.response(204, "Binding deleted successfully")
-    @with_current_tenant_id
-    def delete(self, current_tenant_id: str, binding_id: UUID):
+    def delete(self, binding_id: UUID):
         # The role of the current user in the table must be admin or owner
+        _, current_tenant_id = current_account_with_tenant()
+
         ApiKeyAuthService.delete_provider_auth(current_tenant_id, str(binding_id))
 
         return "", 204

api/controllers/console/auth/oauth_server.py

@@ -8,9 +8,9 @@ from flask_restx import Resource
 from pydantic import BaseModel
 from werkzeug.exceptions import BadRequest, NotFound
 
-from controllers.console.wraps import account_initialization_required, setup_required, with_current_user
+from controllers.console.wraps import account_initialization_required, setup_required
 from graphon.model_runtime.utils.encoders import jsonable_encoder
-from libs.login import login_required
+from libs.login import current_account_with_tenant, login_required
 from models import Account
 from models.model import OAuthProviderApp
 from services.oauth_server import OAUTH_ACCESS_TOKEN_EXPIRES_IN, OAuthGrantType, OAuthServerService
@@ -133,10 +133,12 @@ class OAuthServerUserAuthorizeApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_user
     @oauth_server_client_id_required
-    def post(self, oauth_provider_app: OAuthProviderApp, current_user: Account):
-        user_account_id = current_user.id
+    def post(self, oauth_provider_app: OAuthProviderApp):
+        current_user, _ = current_account_with_tenant()
+        account = current_user
+        user_account_id = account.id
+
         code = OAuthServerService.sign_oauth_authorization_code(oauth_provider_app.client_id, user_account_id)
         return jsonable_encoder(
             {

api/controllers/console/datasets/datasets_segments.py

@@ -169,12 +169,9 @@ class DatasetDocumentSegmentListApi(Resource):
             # Use database-specific methods for JSON array search
             if dify_config.SQLALCHEMY_DATABASE_URI_SCHEME == "postgresql":
                 # PostgreSQL: Use jsonb_array_elements_text to properly handle Unicode/Chinese text
-                # Guard with jsonb_typeof to avoid "cannot extract elements from a scalar" error
-                # when keywords is null or a non-array JSON value.
                 keywords_condition = func.array_to_string(
                     func.array(
                         select(func.jsonb_array_elements_text(cast(DocumentSegment.keywords, JSONB)))
-                        .where(func.jsonb_typeof(cast(DocumentSegment.keywords, JSONB)) == "array")
                         .correlate(DocumentSegment)
                         .scalar_subquery()
                     ),

api/controllers/console/datasets/hit_testing.py

@@ -1,12 +1,15 @@
 from __future__ import annotations
 
+from datetime import datetime
+from typing import Any
 from uuid import UUID
 
 from flask_restx import Resource
+from pydantic import Field, field_validator
 
-from controllers.common.schema import register_response_schema_models, register_schema_models
-from fields.hit_testing_fields import HitTestingResponse
-from libs.helper import dump_response
+from controllers.common.schema import register_schema_models
+from fields.base import ResponseModel
+from libs.helper import to_timestamp
 from libs.login import login_required
 
 from .. import console_ns
@@ -17,8 +20,86 @@ from ..wraps import (
     setup_required,
 )
 
-register_schema_models(console_ns, HitTestingPayload)
-register_response_schema_models(console_ns, HitTestingResponse)
+
+class HitTestingDocument(ResponseModel):
+    id: str | None = None
+    data_source_type: str | None = None
+    name: str | None = None
+    doc_type: str | None = None
+    doc_metadata: Any | None = None
+
+
+class HitTestingSegment(ResponseModel):
+    id: str | None = None
+    position: int | None = None
+    document_id: str | None = None
+    content: str | None = None
+    sign_content: str | None = None
+    answer: str | None = None
+    word_count: int | None = None
+    tokens: int | None = None
+    keywords: list[str] = Field(default_factory=list)
+    index_node_id: str | None = None
+    index_node_hash: str | None = None
+    hit_count: int | None = None
+    enabled: bool | None = None
+    disabled_at: int | None = None
+    disabled_by: str | None = None
+    status: str | None = None
+    created_by: str | None = None
+    created_at: int | None = None
+    indexing_at: int | None = None
+    completed_at: int | None = None
+    error: str | None = None
+    stopped_at: int | None = None
+    document: HitTestingDocument | None = None
+
+    @field_validator("disabled_at", "created_at", "indexing_at", "completed_at", "stopped_at", mode="before")
+    @classmethod
+    def _normalize_timestamp(cls, value: datetime | int | None) -> int | None:
+        return to_timestamp(value)
+
+
+class HitTestingChildChunk(ResponseModel):
+    id: str | None = None
+    content: str | None = None
+    position: int | None = None
+    score: float | None = None
+
+
+class HitTestingFile(ResponseModel):
+    id: str | None = None
+    name: str | None = None
+    size: int | None = None
+    extension: str | None = None
+    mime_type: str | None = None
+    source_url: str | None = None
+
+
+class HitTestingRecord(ResponseModel):
+    segment: HitTestingSegment | None = None
+    child_chunks: list[HitTestingChildChunk] = Field(default_factory=list)
+    score: float | None = None
+    tsne_position: Any | None = None
+    files: list[HitTestingFile] = Field(default_factory=list)
+    summary: str | None = None
+
+
+class HitTestingResponse(ResponseModel):
+    query: str
+    records: list[HitTestingRecord] = Field(default_factory=list)
+
+
+register_schema_models(
+    console_ns,
+    HitTestingPayload,
+    HitTestingDocument,
+    HitTestingSegment,
+    HitTestingChildChunk,
+    HitTestingFile,
+    HitTestingRecord,
+    HitTestingResponse,
+)
 
 
 @console_ns.route("/datasets/<uuid:dataset_id>/hit-testing")
@@ -38,11 +119,12 @@ class HitTestingApi(Resource, DatasetsHitTestingBase):
     @login_required
     @account_initialization_required
     @cloud_edition_billing_rate_limit_check("knowledge")
-    def post(self, dataset_id: UUID) -> dict[str, object]:
+    def post(self, dataset_id: UUID):
         dataset_id_str = str(dataset_id)
 
         dataset = self.get_and_validate_dataset(dataset_id_str)
-        args = self.parse_args(console_ns.payload)
+        payload = HitTestingPayload.model_validate(console_ns.payload or {})
+        args = payload.model_dump(exclude_none=True)
         self.hit_testing_args_check(args)
 
-        return dump_response(HitTestingResponse, self.perform_hit_testing(dataset, args))
+        return HitTestingResponse.model_validate(self.perform_hit_testing(dataset, args)).model_dump(mode="json")

api/controllers/console/datasets/hit_testing_base.py

@@ -1,6 +1,7 @@
 import logging
-from typing import Any, cast
+from typing import Any
 
+from flask_restx import marshal
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import Forbidden, InternalServerError, NotFound
 
@@ -18,10 +19,10 @@ from core.errors.error import (
     ProviderTokenNotInitError,
     QuotaExceededError,
 )
+from fields.hit_testing_fields import hit_testing_record_fields
 from graphon.model_runtime.errors.invoke import InvokeError
 from libs.login import current_user
 from models.account import Account
-from models.dataset import Dataset
 from services.dataset_service import DatasetService
 from services.entities.knowledge_entities.knowledge_entities import RetrievalModel
 from services.hit_testing_service import HitTestingService
@@ -37,6 +38,16 @@ class HitTestingPayload(BaseModel):
 
 
 class DatasetsHitTestingBase:
+    @staticmethod
+    def _extract_hit_testing_query(query: Any) -> str:
+        """Return the query string from the service response shape."""
+        if isinstance(query, dict):
+            content = query.get("content")
+            if isinstance(content, str):
+                return content
+
+        raise ValueError("Invalid hit testing query response")
+
     @staticmethod
     def _prepare_hit_testing_records(records: Any) -> list[dict[str, Any]]:
         """Ensure collection fields match the API schema before response validation."""
@@ -52,7 +63,6 @@ class DatasetsHitTestingBase:
             segment = normalized_record.get("segment")
             if isinstance(segment, dict):
                 normalized_segment = dict(segment)
-                normalized_segment.setdefault("sign_content", None)
                 if normalized_segment.get("keywords") is None:
                     normalized_segment["keywords"] = []
                 normalized_record["segment"] = normalized_segment
@@ -63,15 +73,12 @@ class DatasetsHitTestingBase:
             if normalized_record.get("files") is None:
                 normalized_record["files"] = []
 
-            normalized_record.setdefault("tsne_position", None)
-            normalized_record.setdefault("summary", None)
-
             normalized_records.append(normalized_record)
 
         return normalized_records
 
     @staticmethod
-    def get_and_validate_dataset(dataset_id: str) -> Dataset:
+    def get_and_validate_dataset(dataset_id: str):
         assert isinstance(current_user, Account)
         dataset = DatasetService.get_dataset(dataset_id)
         if dataset is None:
@@ -85,35 +92,33 @@ class DatasetsHitTestingBase:
         return dataset
 
     @staticmethod
-    def hit_testing_args_check(args: dict[str, Any]) -> None:
+    def hit_testing_args_check(args: dict[str, Any]):
         HitTestingService.hit_testing_args_check(args)
 
     @staticmethod
-    def parse_args(payload: dict[str, Any] | None) -> dict[str, Any]:
+    def parse_args(payload: dict[str, Any]) -> dict[str, Any]:
         """Validate and return hit-testing arguments from an incoming payload."""
         hit_testing_payload = HitTestingPayload.model_validate(payload or {})
         return hit_testing_payload.model_dump(exclude_none=True)
 
     @staticmethod
-    def perform_hit_testing(dataset: Dataset, args: dict[str, Any]) -> dict[str, Any]:
+    def perform_hit_testing(dataset, args):
         assert isinstance(current_user, Account)
         try:
             response = HitTestingService.retrieve(
                 dataset=dataset,
-                query=cast(str, args.get("query")),
+                query=args.get("query"),
                 account=current_user,
                 retrieval_model=args.get("retrieval_model"),
-                external_retrieval_model=cast(dict[str, Any], args.get("external_retrieval_model")),
+                external_retrieval_model=args.get("external_retrieval_model"),
                 attachment_ids=args.get("attachment_ids"),
                 limit=10,
             )
-            query = response.get("query")
-            if not isinstance(query, dict) or not isinstance(query.get("content"), str):
-                raise ValueError("Invalid hit testing query response")
-
             return {
-                "query": {"content": query["content"]},
-                "records": DatasetsHitTestingBase._prepare_hit_testing_records(response.get("records", [])),
+                "query": DatasetsHitTestingBase._extract_hit_testing_query(response.get("query")),
+                "records": DatasetsHitTestingBase._prepare_hit_testing_records(
+                    marshal(response.get("records", []), hit_testing_record_fields)
+                ),
             }
         except services.errors.index.IndexNotInitializedError:
             raise DatasetNotInitializedError()

api/controllers/console/explore/audio.py

@@ -20,7 +20,6 @@ from controllers.console.app.error import (
 from controllers.console.explore.wraps import InstalledAppResource
 from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
 from graphon.model_runtime.errors.invoke import InvokeError
-from models.model import InstalledApp
 from services.audio_service import AudioService
 from services.errors.audio import (
     AudioTooLargeServiceError,
@@ -41,10 +40,8 @@ register_schema_model(console_ns, TextToAudioPayload)
     endpoint="installed_app_audio",
 )
 class ChatAudioApi(InstalledAppResource):
-    def post(self, installed_app: InstalledApp):
+    def post(self, installed_app):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
 
         file = request.files["file"]
 
@@ -84,10 +81,8 @@ class ChatAudioApi(InstalledAppResource):
 )
 class ChatTextApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[TextToAudioPayload.__name__])
-    def post(self, installed_app: InstalledApp):
+    def post(self, installed_app):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         try:
             payload = TextToAudioPayload.model_validate(console_ns.payload or {})
 

api/controllers/console/explore/completion.py

@@ -31,7 +31,7 @@ from libs import helper
 from libs.datetime_utils import naive_utc_now
 from libs.login import current_user
 from models import Account
-from models.model import AppMode, InstalledApp
+from models.model import AppMode
 from services.app_generate_service import AppGenerateService
 from services.app_task_service import AppTaskService
 from services.errors.llm import InvokeRateLimitError
@@ -83,10 +83,8 @@ register_response_schema_models(console_ns, SimpleResultResponse)
 )
 class CompletionApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[CompletionMessageExplorePayload.__name__])
-    def post(self, installed_app: InstalledApp):
+    def post(self, installed_app):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         if app_model.mode != AppMode.COMPLETION:
             raise NotCompletionAppError()
 
@@ -135,10 +133,8 @@ class CompletionApi(InstalledAppResource):
 )
 class CompletionStopApi(InstalledAppResource):
     @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
-    def post(self, installed_app: InstalledApp, task_id: str):
+    def post(self, installed_app, task_id: str):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         if app_model.mode != AppMode.COMPLETION:
             raise NotCompletionAppError()
 
@@ -161,10 +157,8 @@ class CompletionStopApi(InstalledAppResource):
 )
 class ChatApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[ChatMessagePayload.__name__])
-    def post(self, installed_app: InstalledApp):
+    def post(self, installed_app):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -215,10 +209,8 @@ class ChatApi(InstalledAppResource):
 )
 class ChatStopApi(InstalledAppResource):
     @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
-    def post(self, installed_app: InstalledApp, task_id: str):
+    def post(self, installed_app, task_id: str):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()

api/controllers/console/explore/conversation.py

@@ -8,7 +8,6 @@ from werkzeug.exceptions import NotFound
 
 from controllers.common.controller_schemas import ConversationRenamePayload
 from controllers.common.schema import register_response_schema_models, register_schema_models
-from controllers.console.app.error import AppUnavailableError
 from controllers.console.explore.error import NotChatAppError
 from controllers.console.explore.wraps import InstalledAppResource
 from core.app.entities.app_invoke_entities import InvokeFrom
@@ -21,7 +20,7 @@ from fields.conversation_fields import (
 from libs.helper import UUIDStrOrEmpty
 from libs.login import current_user
 from models import Account
-from models.model import AppMode, InstalledApp
+from models.model import AppMode
 from services.conversation_service import ConversationService
 from services.errors.conversation import ConversationNotExistsError, LastConversationNotExistsError
 from services.web_conversation_service import WebConversationService
@@ -45,10 +44,8 @@ register_response_schema_models(console_ns, ResultResponse)
 )
 class ConversationListApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[ConversationListQuery.__name__])
-    def get(self, installed_app: InstalledApp):
+    def get(self, installed_app):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -95,10 +92,8 @@ class ConversationListApi(InstalledAppResource):
 )
 class ConversationApi(InstalledAppResource):
     @console_ns.response(204, "Conversation deleted successfully")
-    def delete(self, installed_app: InstalledApp, c_id: UUID):
+    def delete(self, installed_app, c_id: UUID):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -120,10 +115,8 @@ class ConversationApi(InstalledAppResource):
 )
 class ConversationRenameApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[ConversationRenamePayload.__name__])
-    def post(self, installed_app: InstalledApp, c_id: UUID):
+    def post(self, installed_app, c_id: UUID):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -153,10 +146,8 @@ class ConversationRenameApi(InstalledAppResource):
 )
 class ConversationPinApi(InstalledAppResource):
     @console_ns.response(200, "Success", console_ns.models[ResultResponse.__name__])
-    def patch(self, installed_app: InstalledApp, c_id: UUID):
+    def patch(self, installed_app, c_id: UUID):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -179,10 +170,8 @@ class ConversationPinApi(InstalledAppResource):
 )
 class ConversationUnPinApi(InstalledAppResource):
     @console_ns.response(200, "Success", console_ns.models[ResultResponse.__name__])
-    def patch(self, installed_app: InstalledApp, c_id: UUID):
+    def patch(self, installed_app, c_id: UUID):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()

api/controllers/console/explore/installed_app.py

@@ -262,7 +262,7 @@ class InstalledAppApi(InstalledAppResource):
     """
 
     @console_ns.response(204, "App uninstalled successfully")
-    def delete(self, installed_app: InstalledApp):
+    def delete(self, installed_app):
         _, current_tenant_id = current_account_with_tenant()
         if installed_app.app_owner_tenant_id == current_tenant_id:
             raise BadRequest("You can't uninstall an app owned by the current tenant")
@@ -273,7 +273,7 @@ class InstalledAppApi(InstalledAppResource):
         return "", 204
 
     @console_ns.response(200, "Success", console_ns.models[SimpleResultMessageResponse.__name__])
-    def patch(self, installed_app: InstalledApp):
+    def patch(self, installed_app):
         payload = InstalledAppUpdatePayload.model_validate(console_ns.payload or {})
 
         commit_args = False

api/controllers/console/explore/message.py

@@ -10,7 +10,6 @@ from controllers.common.controller_schemas import MessageFeedbackPayload, Messag
 from controllers.common.schema import register_response_schema_models, register_schema_models
 from controllers.console.app.error import (
     AppMoreLikeThisDisabledError,
-    AppUnavailableError,
     CompletionRequestError,
     ProviderModelCurrentlyNotSupportError,
     ProviderNotInitializeError,
@@ -22,16 +21,15 @@ from controllers.console.explore.error import (
     NotCompletionAppError,
 )
 from controllers.console.explore.wraps import InstalledAppResource
-from controllers.console.wraps import with_current_user
 from core.app.entities.app_invoke_entities import InvokeFrom
 from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
 from fields.conversation_fields import ResultResponse
 from fields.message_fields import MessageInfiniteScrollPagination, MessageListItem, SuggestedQuestionsResponse
 from graphon.model_runtime.errors.invoke import InvokeError
 from libs import helper
-from models import Account
+from libs.login import current_account_with_tenant
 from models.enums import FeedbackRating
-from models.model import AppMode, InstalledApp
+from models.model import AppMode
 from services.app_generate_service import AppGenerateService
 from services.errors.app import MoreLikeThisDisabledError
 from services.errors.conversation import ConversationNotExistsError
@@ -61,11 +59,9 @@ register_response_schema_models(console_ns, ResultResponse, SuggestedQuestionsRe
 )
 class MessageListApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[MessageListQuery.__name__])
-    @with_current_user
-    def get(self, current_user: Account, installed_app: InstalledApp):
+    def get(self, installed_app):
+        current_user, _ = current_account_with_tenant()
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
 
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
@@ -100,11 +96,9 @@ class MessageListApi(InstalledAppResource):
 class MessageFeedbackApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[MessageFeedbackPayload.__name__])
     @console_ns.response(200, "Feedback submitted successfully", console_ns.models[ResultResponse.__name__])
-    @with_current_user
-    def post(self, current_user: Account, installed_app: InstalledApp, message_id: UUID):
+    def post(self, installed_app, message_id: UUID):
+        current_user, _ = current_account_with_tenant()
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
 
         message_id_str = str(message_id)
 
@@ -130,11 +124,9 @@ class MessageFeedbackApi(InstalledAppResource):
 )
 class MessageMoreLikeThisApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[MoreLikeThisQuery.__name__])
-    @with_current_user
-    def get(self, current_user: Account, installed_app: InstalledApp, message_id: UUID):
+    def get(self, installed_app, message_id: UUID):
+        current_user, _ = current_account_with_tenant()
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         if app_model.mode != "completion":
             raise NotCompletionAppError()
 
@@ -178,11 +170,9 @@ class MessageMoreLikeThisApi(InstalledAppResource):
 )
 class MessageSuggestedQuestionApi(InstalledAppResource):
     @console_ns.response(200, "Success", console_ns.models[SuggestedQuestionsResponse.__name__])
-    @with_current_user
-    def get(self, current_user: Account, installed_app: InstalledApp, message_id: UUID):
+    def get(self, installed_app, message_id: UUID):
+        current_user, _ = current_account_with_tenant()
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()

api/controllers/console/explore/saved_message.py

@@ -7,14 +7,12 @@ from werkzeug.exceptions import NotFound
 from controllers.common.controller_schemas import SavedMessageCreatePayload, SavedMessageListQuery
 from controllers.common.schema import register_response_schema_models, register_schema_models
 from controllers.console import console_ns
-from controllers.console.app.error import AppUnavailableError
 from controllers.console.explore.error import NotCompletionAppError
 from controllers.console.explore.wraps import InstalledAppResource
 from controllers.console.wraps import with_current_user
 from fields.conversation_fields import ResultResponse
 from fields.message_fields import SavedMessageInfiniteScrollPagination, SavedMessageItem
 from models import Account
-from models.model import InstalledApp
 from services.errors.message import MessageNotExistsError
 from services.saved_message_service import SavedMessageService
 
@@ -26,10 +24,8 @@ register_response_schema_models(console_ns, ResultResponse)
 class SavedMessageListApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[SavedMessageListQuery.__name__])
     @with_current_user
-    def get(self, current_user: Account, installed_app: InstalledApp):
+    def get(self, current_user: Account, installed_app):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         if app_model.mode != "completion":
             raise NotCompletionAppError()
 
@@ -52,10 +48,8 @@ class SavedMessageListApi(InstalledAppResource):
     @console_ns.expect(console_ns.models[SavedMessageCreatePayload.__name__])
     @console_ns.response(200, "Success", console_ns.models[ResultResponse.__name__])
     @with_current_user
-    def post(self, current_user: Account, installed_app: InstalledApp):
+    def post(self, current_user: Account, installed_app):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
         if app_model.mode != "completion":
             raise NotCompletionAppError()
 
@@ -75,10 +69,8 @@ class SavedMessageListApi(InstalledAppResource):
 class SavedMessageApi(InstalledAppResource):
     @console_ns.response(204, "Saved message deleted successfully")
     @with_current_user
-    def delete(self, current_user: Account, installed_app: InstalledApp, message_id: UUID):
+    def delete(self, current_user: Account, installed_app, message_id: UUID):
         app_model = installed_app.app
-        if app_model is None:
-            raise AppUnavailableError()
 
         message_id_str = str(message_id)
 

api/controllers/console/extension.py

@@ -9,14 +9,14 @@ from pydantic import BaseModel, Field, TypeAdapter, field_validator
 from constants import HIDDEN_VALUE
 from fields.base import ResponseModel
 from libs.helper import to_timestamp
-from libs.login import login_required
+from libs.login import current_account_with_tenant, login_required
 from models.api_based_extension import APIBasedExtension
 from services.api_based_extension_service import APIBasedExtensionService
 from services.code_based_extension_service import CodeBasedExtensionService
 
 from ..common.schema import DEFAULT_REF_TEMPLATE_SWAGGER_2_0, register_schema_models
 from . import console_ns
-from .wraps import account_initialization_required, setup_required, with_current_tenant_id
+from .wraps import account_initialization_required, setup_required
 
 
 class CodeBasedExtensionQuery(BaseModel):
@@ -116,11 +116,11 @@ class APIBasedExtensionAPI(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str):
+    def get(self):
+        _, tenant_id = current_account_with_tenant()
         return [
             _serialize_api_based_extension(extension)
-            for extension in APIBasedExtensionService.get_all_by_tenant_id(current_tenant_id)
+            for extension in APIBasedExtensionService.get_all_by_tenant_id(tenant_id)
         ]
 
     @console_ns.doc("create_api_based_extension")
@@ -130,9 +130,9 @@ class APIBasedExtensionAPI(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str):
+    def post(self):
         payload = APIBasedExtensionPayload.model_validate(console_ns.payload or {})
+        _, current_tenant_id = current_account_with_tenant()
 
         extension_data = APIBasedExtension(
             tenant_id=current_tenant_id,
@@ -153,12 +153,12 @@ class APIBasedExtensionDetailAPI(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str, id: UUID):
+    def get(self, id: UUID):
         api_based_extension_id = str(id)
+        _, tenant_id = current_account_with_tenant()
 
         return _serialize_api_based_extension(
-            APIBasedExtensionService.get_with_tenant_id(current_tenant_id, api_based_extension_id)
+            APIBasedExtensionService.get_with_tenant_id(tenant_id, api_based_extension_id)
         )
 
     @console_ns.doc("update_api_based_extension")
@@ -169,9 +169,9 @@ class APIBasedExtensionDetailAPI(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str, id: UUID):
+    def post(self, id: UUID):
         api_based_extension_id = str(id)
+        _, current_tenant_id = current_account_with_tenant()
 
         extension_data_from_db = APIBasedExtensionService.get_with_tenant_id(current_tenant_id, api_based_extension_id)
 
@@ -197,9 +197,9 @@ class APIBasedExtensionDetailAPI(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def delete(self, current_tenant_id: str, id: UUID):
+    def delete(self, id: UUID):
         api_based_extension_id = str(id)
+        _, current_tenant_id = current_account_with_tenant()
 
         extension_data_from_db = APIBasedExtensionService.get_with_tenant_id(current_tenant_id, api_based_extension_id)
 

api/controllers/console/feature.py

@@ -2,11 +2,11 @@ from flask_restx import Resource
 from werkzeug.exceptions import Unauthorized
 
 from controllers.common.schema import register_response_schema_models
-from libs.login import current_user, login_required
+from libs.login import current_account_with_tenant, current_user, login_required
 from services.feature_service import FeatureModel, FeatureService, LimitationModel, SystemFeatureModel
 
 from . import console_ns
-from .wraps import account_initialization_required, cloud_utm_record, setup_required, with_current_tenant_id
+from .wraps import account_initialization_required, cloud_utm_record, setup_required
 
 register_response_schema_models(console_ns, FeatureModel, LimitationModel, SystemFeatureModel)
 
@@ -24,9 +24,10 @@ class FeatureApi(Resource):
     @login_required
     @account_initialization_required
     @cloud_utm_record
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str):
+    def get(self):
         """Get feature configuration for current tenant"""
+        _, current_tenant_id = current_account_with_tenant()
+
         payload = FeatureService.get_features(
             current_tenant_id,
             exclude_vector_space=True,
@@ -48,9 +49,10 @@ class FeatureVectorSpaceApi(Resource):
     @login_required
     @account_initialization_required
     @cloud_utm_record
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str):
+    def get(self):
         """Get vector-space usage and limit for current tenant"""
+        _, current_tenant_id = current_account_with_tenant()
+
         return FeatureService.get_vector_space(current_tenant_id).model_dump()
 
 

api/controllers/console/files.py

@@ -22,13 +22,10 @@ from controllers.console.wraps import (
     account_initialization_required,
     cloud_edition_billing_resource_check,
     setup_required,
-    with_current_tenant_id,
-    with_current_user,
 )
 from extensions.ext_database import db
 from fields.file_fields import FileResponse, UploadConfig
-from libs.login import login_required
-from models import Account
+from libs.login import current_account_with_tenant, login_required
 from services.file_service import FileService
 
 from . import console_ns
@@ -65,8 +62,8 @@ class FileApi(Resource):
     @account_initialization_required
     @cloud_edition_billing_resource_check("documents")
     @console_ns.response(201, "File uploaded successfully", console_ns.models[FileResponse.__name__])
-    @with_current_user
-    def post(self, current_user: Account):
+    def post(self):
+        current_user, _ = current_account_with_tenant()
         source_str = request.form.get("source")
         source: Literal["datasets"] | None = "datasets" if source_str == "datasets" else None
 
@@ -110,10 +107,10 @@ class FilePreviewApi(Resource):
     @login_required
     @account_initialization_required
     @console_ns.response(200, "Success", console_ns.models[TextContentResponse.__name__])
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str, file_id: UUID):
+    def get(self, file_id: UUID):
         file_id_str = str(file_id)
-        text = FileService(db.engine).get_file_preview(file_id_str, current_tenant_id)
+        _, tenant_id = current_account_with_tenant()
+        text = FileService(db.engine).get_file_preview(file_id_str, tenant_id)
         return {"content": text}
 
 

api/controllers/console/remote_files.py

@@ -12,13 +12,11 @@ from controllers.common.errors import (
 )
 from controllers.common.schema import register_response_schema_models, register_schema_models
 from controllers.console import console_ns
-from controllers.console.wraps import with_current_user
 from core.helper import ssrf_proxy
 from extensions.ext_database import db
 from fields.file_fields import FileWithSignedUrl, RemoteFileInfo
 from graphon.file import helpers as file_helpers
-from libs.login import login_required
-from models import Account
+from libs.login import current_account_with_tenant, login_required
 from services.file_service import FileService
 
 
@@ -51,8 +49,7 @@ class RemoteFileUpload(Resource):
     @console_ns.expect(console_ns.models[RemoteFileUploadPayload.__name__])
     @console_ns.response(201, "File uploaded successfully", console_ns.models[FileWithSignedUrl.__name__])
     @login_required
-    @with_current_user
-    def post(self, current_user: Account):
+    def post(self):
         payload = RemoteFileUploadPayload.model_validate(console_ns.payload)
         url = payload.url
 
@@ -77,11 +74,12 @@ class RemoteFileUpload(Resource):
         content = resp.content if resp.request.method == "GET" else ssrf_proxy.get(url).content
 
         try:
+            user, _ = current_account_with_tenant()
             upload_file = FileService(db.engine).upload_file(
                 filename=file_info.filename,
                 content=content,
                 mimetype=file_info.mimetype,
-                user=current_user,
+                user=user,
                 source_url=url,
             )
         except services.errors.file.FileTooLargeError as file_too_large_error:

api/controllers/console/tag/tags.py

@@ -9,16 +9,9 @@ from werkzeug.exceptions import Forbidden
 from controllers.common.fields import SimpleResultResponse
 from controllers.common.schema import register_response_schema_models, register_schema_models
 from controllers.console import console_ns
-from controllers.console.wraps import (
-    account_initialization_required,
-    edit_permission_required,
-    setup_required,
-    with_current_tenant_id,
-    with_current_user,
-)
+from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
 from fields.base import ResponseModel
-from libs.login import login_required
-from models import Account
+from libs.login import current_account_with_tenant, login_required
 from models.enums import TagType
 from services.tag_service import (
     SaveTagPayload,
@@ -99,8 +92,8 @@ class TagListApi(Resource):
         params={"type": 'Tag type filter. Can be "knowledge" or "app".', "keyword": "Search keyword for tag name."}
     )
     @console_ns.doc(responses={200: ("Success", [console_ns.models[TagResponse.__name__]])})
-    @with_current_tenant_id
-    def get(self, current_tenant_id: str):
+    def get(self):
+        _, current_tenant_id = current_account_with_tenant()
         raw_args = request.args.to_dict()
         param = TagListQueryParam.model_validate(raw_args)
         tags = TagService.get_tags(param.type, current_tenant_id, param.keyword)
@@ -116,9 +109,9 @@ class TagListApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_user
-    def post(self, current_user: Account):
-        # Allow users with edit permission, or dataset editors (including dataset operators).
+    def post(self):
+        current_user, _ = current_account_with_tenant()
+        # The role of the current user in the ta table must be admin, owner, or editor
         if not (current_user.has_edit_permission or current_user.is_dataset_editor):
             raise Forbidden()
 
@@ -139,8 +132,8 @@ class TagUpdateDeleteApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_user
-    def patch(self, current_user: Account, tag_id: UUID):
+    def patch(self, tag_id: UUID):
+        current_user, _ = current_account_with_tenant()
         tag_id_str = str(tag_id)
         # The role of the current user in the ta table must be admin, owner, or editor
         if not (current_user.has_edit_permission or current_user.is_dataset_editor):
@@ -170,19 +163,20 @@ class TagUpdateDeleteApi(Resource):
         return "", 204
 
 
-def _require_tag_binding_edit_permission(current_user: Account) -> None:
+def _require_tag_binding_edit_permission() -> None:
     """
     Ensure the current account can edit tag bindings.
 
     Tag binding operations are allowed for users who can edit resources (app/dataset) within the current tenant.
     """
+    current_user, _ = current_account_with_tenant()
     # The role of the current user in the ta table must be admin, owner, editor, or dataset_operator
     if not (current_user.has_edit_permission or current_user.is_dataset_editor):
         raise Forbidden()
 
 
-def _create_tag_bindings(current_user: Account) -> tuple[dict[str, str], int]:
-    _require_tag_binding_edit_permission(current_user)
+def _create_tag_bindings() -> tuple[dict[str, str], int]:
+    _require_tag_binding_edit_permission()
 
     payload = TagBindingPayload.model_validate(console_ns.payload or {})
     TagService.save_tag_binding(
@@ -195,8 +189,8 @@ def _create_tag_bindings(current_user: Account) -> tuple[dict[str, str], int]:
     return {"result": "success"}, 200
 
 
-def _remove_tag_bindings(current_user: Account) -> tuple[dict[str, str], int]:
-    _require_tag_binding_edit_permission(current_user)
+def _remove_tag_bindings() -> tuple[dict[str, str], int]:
+    _require_tag_binding_edit_permission()
 
     payload = TagBindingRemovePayload.model_validate(console_ns.payload or {})
     TagService.delete_tag_binding(
@@ -219,9 +213,8 @@ class TagBindingCollectionApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_user
-    def post(self, current_user: Account):
-        return _create_tag_bindings(current_user)
+    def post(self):
+        return _create_tag_bindings()
 
 
 @console_ns.route("/tag-bindings/remove")
@@ -235,6 +228,5 @@ class TagBindingRemoveApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_user
-    def post(self, current_user: Account):
-        return _remove_tag_bindings(current_user)
+    def post(self):
+        return _remove_tag_bindings()

api/controllers/console/workspace/members.py

@@ -77,7 +77,7 @@ register_response_schema_models(console_ns, SimpleResultDataResponse, Verificati
 def _is_role_enabled(role: TenantAccountRole | str, tenant_id: str) -> bool:
     if role != TenantAccountRole.DATASET_OPERATOR:
         return True
-    return FeatureService.get_features(tenant_id=tenant_id, exclude_vector_space=True).dataset_operator_enabled
+    return FeatureService.get_features(tenant_id=tenant_id).dataset_operator_enabled
 
 
 def _normalize_invitee_emails(emails: list[str]) -> list[str]:
@@ -113,7 +113,7 @@ def _check_member_invite_limits(tenant_id: str, new_member_count: int) -> None:
     if new_member_count <= 0:
         return
 
-    features = FeatureService.get_features(tenant_id=tenant_id, exclude_vector_space=True)
+    features = FeatureService.get_features(tenant_id=tenant_id)
 
     if dify_config.ENTERPRISE_ENABLED:
         workspace_members = features.workspace_members

api/controllers/console/workspace/models.py

@@ -8,17 +8,12 @@ from pydantic import BaseModel, Field, field_validator
 from controllers.common.fields import SimpleResultResponse
 from controllers.common.schema import register_enum_models, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
-from controllers.console.wraps import (
-    account_initialization_required,
-    is_admin_or_owner_required,
-    setup_required,
-    with_current_tenant_id,
-)
+from controllers.console.wraps import account_initialization_required, is_admin_or_owner_required, setup_required
 from graphon.model_runtime.entities.model_entities import ModelType
 from graphon.model_runtime.errors.validate import CredentialsValidateFailedError
 from graphon.model_runtime.utils.encoders import jsonable_encoder
 from libs.helper import uuid_value
-from libs.login import login_required
+from libs.login import current_account_with_tenant, login_required
 from services.model_load_balancing_service import ModelLoadBalancingService
 from services.model_provider_service import ModelProviderService
 
@@ -143,8 +138,9 @@ class DefaultModelApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, tenant_id: str):
+    def get(self):
+        _, tenant_id = current_account_with_tenant()
+
         args = ParserGetDefault.model_validate(request.args.to_dict(flat=True))
 
         model_provider_service = ModelProviderService()
@@ -160,8 +156,9 @@ class DefaultModelApi(Resource):
     @login_required
     @is_admin_or_owner_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, tenant_id: str):
+    def post(self):
+        _, tenant_id = current_account_with_tenant()
+
         args = ParserPostDefault.model_validate(console_ns.payload)
         model_provider_service = ModelProviderService()
         model_settings = args.model_settings
@@ -192,8 +189,9 @@ class ModelProviderModelApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, tenant_id: str, provider):
+    def get(self, provider):
+        _, tenant_id = current_account_with_tenant()
+
         model_provider_service = ModelProviderService()
         models = model_provider_service.get_models_by_provider(tenant_id=tenant_id, provider=provider)
 
@@ -204,9 +202,9 @@ class ModelProviderModelApi(Resource):
     @login_required
     @is_admin_or_owner_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, tenant_id: str, provider: str):
+    def post(self, provider: str):
         # To save the model's load balance configs
+        _, tenant_id = current_account_with_tenant()
         args = ParserPostModels.model_validate(console_ns.payload)
 
         if args.config_from == "custom-model":
@@ -251,8 +249,9 @@ class ModelProviderModelApi(Resource):
     @login_required
     @is_admin_or_owner_required
     @account_initialization_required
-    @with_current_tenant_id
-    def delete(self, tenant_id: str, provider: str):
+    def delete(self, provider: str):
+        _, tenant_id = current_account_with_tenant()
+
         args = ParserDeleteModels.model_validate(console_ns.payload)
 
         model_provider_service = ModelProviderService()
@@ -269,8 +268,9 @@ class ModelProviderModelCredentialApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, tenant_id: str, provider: str):
+    def get(self, provider: str):
+        _, tenant_id = current_account_with_tenant()
+
         args = ParserGetCredentials.model_validate(request.args.to_dict(flat=True))
 
         model_provider_service = ModelProviderService()
@@ -323,8 +323,9 @@ class ModelProviderModelCredentialApi(Resource):
     @login_required
     @is_admin_or_owner_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, tenant_id: str, provider: str):
+    def post(self, provider: str):
+        _, tenant_id = current_account_with_tenant()
+
         args = ParserCreateCredential.model_validate(console_ns.payload)
 
         model_provider_service = ModelProviderService()
@@ -354,8 +355,8 @@ class ModelProviderModelCredentialApi(Resource):
     @login_required
     @is_admin_or_owner_required
     @account_initialization_required
-    @with_current_tenant_id
-    def put(self, current_tenant_id: str, provider: str):
+    def put(self, provider: str):
+        _, current_tenant_id = current_account_with_tenant()
         args = ParserUpdateCredential.model_validate(console_ns.payload)
 
         model_provider_service = ModelProviderService()
@@ -381,8 +382,8 @@ class ModelProviderModelCredentialApi(Resource):
     @login_required
     @is_admin_or_owner_required
     @account_initialization_required
-    @with_current_tenant_id
-    def delete(self, current_tenant_id: str, provider: str):
+    def delete(self, provider: str):
+        _, current_tenant_id = current_account_with_tenant()
         args = ParserDeleteCredential.model_validate(console_ns.payload)
 
         model_provider_service = ModelProviderService()
@@ -405,8 +406,8 @@ class ModelProviderModelCredentialSwitchApi(Resource):
     @login_required
     @is_admin_or_owner_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, current_tenant_id: str, provider: str):
+    def post(self, provider: str):
+        _, current_tenant_id = current_account_with_tenant()
         args = ParserSwitch.model_validate(console_ns.payload)
 
         service = ModelProviderService()
@@ -429,8 +430,9 @@ class ModelProviderModelEnableApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def patch(self, tenant_id: str, provider: str):
+    def patch(self, provider: str):
+        _, tenant_id = current_account_with_tenant()
+
         args = ParserDeleteModels.model_validate(console_ns.payload)
 
         model_provider_service = ModelProviderService()
@@ -450,8 +452,9 @@ class ModelProviderModelDisableApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def patch(self, tenant_id: str, provider: str):
+    def patch(self, provider: str):
+        _, tenant_id = current_account_with_tenant()
+
         args = ParserDeleteModels.model_validate(console_ns.payload)
 
         model_provider_service = ModelProviderService()
@@ -477,8 +480,8 @@ class ModelProviderModelValidateApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def post(self, tenant_id: str, provider: str):
+    def post(self, provider: str):
+        _, tenant_id = current_account_with_tenant()
         args = ParserValidate.model_validate(console_ns.payload)
 
         model_provider_service = ModelProviderService()
@@ -512,9 +515,9 @@ class ModelProviderModelParameterRuleApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, tenant_id: str, provider: str):
+    def get(self, provider: str):
         args = ParserParameter.model_validate(request.args.to_dict(flat=True))
+        _, tenant_id = current_account_with_tenant()
 
         model_provider_service = ModelProviderService()
         parameter_rules = model_provider_service.get_model_parameter_rules(
@@ -529,8 +532,8 @@ class ModelProviderAvailableModelApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    @with_current_tenant_id
-    def get(self, tenant_id: str, model_type: str):
+    def get(self, model_type: str):
+        _, tenant_id = current_account_with_tenant()
         model_provider_service = ModelProviderService()
         models = model_provider_service.get_models_by_model_type(tenant_id=tenant_id, model_type=model_type)
 

api/controllers/console/workspace/workspace.py

@@ -166,10 +166,10 @@ class TenantListApi(Resource):
                 if tenant_plan:
                     plan = tenant_plan["plan"] or CloudPlan.SANDBOX
                 else:
-                    features = FeatureService.get_features(tenant.id, exclude_vector_space=True)
+                    features = FeatureService.get_features(tenant.id)
                     plan = features.billing.subscription.plan or CloudPlan.SANDBOX
             elif not is_enterprise_only:
-                features = FeatureService.get_features(tenant.id, exclude_vector_space=True)
+                features = FeatureService.get_features(tenant.id)
                 plan = features.billing.subscription.plan or CloudPlan.SANDBOX
 
             # Create a dictionary with tenant attributes

api/controllers/console/wraps.py

@@ -96,28 +96,21 @@ def cloud_edition_billing_resource_check[**P, R](resource: str) -> Callable[[Cal
         @wraps(view)
         def decorated(*args: P.args, **kwargs: P.kwargs):
             _, current_tenant_id = current_account_with_tenant()
-            if resource == "vector_space":
-                if not dify_config.BILLING_ENABLED:
-                    return view(*args, **kwargs)
-
-                vector_space = FeatureService.get_vector_space(current_tenant_id)
-                if 0 < vector_space.limit <= vector_space.size:
-                    abort(
-                        403,
-                        "The capacity of the knowledge storage space has reached the limit of your subscription.",
-                    )
-                return view(*args, **kwargs)
-
-            features = FeatureService.get_features(current_tenant_id, exclude_vector_space=True)
+            features = FeatureService.get_features(current_tenant_id)
             if features.billing.enabled:
                 members = features.members
                 apps = features.apps
+                vector_space = features.vector_space
                 documents_upload_quota = features.documents_upload_quota
                 annotation_quota_limit = features.annotation_quota_limit
                 if resource == "members" and 0 < members.limit <= members.size:
                     abort(403, "The number of members has reached the limit of your subscription.")
                 elif resource == "apps" and 0 < apps.limit <= apps.size:
                     abort(403, "The number of apps has reached the limit of your subscription.")
+                elif resource == "vector_space" and 0 < vector_space.limit <= vector_space.size:
+                    abort(
+                        403, "The capacity of the knowledge storage space has reached the limit of your subscription."
+                    )
                 elif resource == "documents" and 0 < documents_upload_quota.limit <= documents_upload_quota.size:
                     # The api of file upload is used in the multiple places,
                     # so we need to check the source of the request from datasets
@@ -147,7 +140,7 @@ def cloud_edition_billing_knowledge_limit_check[**P, R](
         @wraps(view)
         def decorated(*args: P.args, **kwargs: P.kwargs):
             _, current_tenant_id = current_account_with_tenant()
-            features = FeatureService.get_features(current_tenant_id, exclude_vector_space=True)
+            features = FeatureService.get_features(current_tenant_id)
             if features.billing.enabled:
                 if resource == "add_segment":
                     if features.billing.subscription.plan == CloudPlan.SANDBOX:
@@ -298,7 +291,7 @@ def knowledge_pipeline_publish_enabled[**P, R](view: Callable[P, R]) -> Callable
     @wraps(view)
     def decorated(*args: P.args, **kwargs: P.kwargs):
         _, current_tenant_id = current_account_with_tenant()
-        features = FeatureService.get_features(current_tenant_id, exclude_vector_space=True)
+        features = FeatureService.get_features(current_tenant_id)
         if features.knowledge_pipeline.publish_enabled:
             return view(*args, **kwargs)
         abort(403)

api/controllers/openapi/__init__.py

@@ -37,13 +37,6 @@ from controllers.openapi._models import (
     DeviceMutateRequest,
     DeviceMutateResponse,
     DevicePollRequest,
-    MemberActionResponse,
-    MemberInvitePayload,
-    MemberInviteResponse,
-    MemberListQuery,
-    MemberListResponse,
-    MemberResponse,
-    MemberRoleUpdatePayload,
     MessageMetadata,
     PermittedExternalAppsListQuery,
     PermittedExternalAppsListResponse,
@@ -70,9 +63,6 @@ register_schema_models(
     DevicePollRequest,
     DeviceLookupQuery,
     DeviceMutateRequest,
-    MemberInvitePayload,
-    MemberListQuery,
-    MemberRoleUpdatePayload,
     PermittedExternalAppsListQuery,
 )
 register_response_schema_models(
@@ -96,10 +86,6 @@ register_response_schema_models(
     WorkspaceSummaryResponse,
     WorkspaceListResponse,
     WorkspaceDetailResponse,
-    MemberResponse,
-    MemberListResponse,
-    MemberInviteResponse,
-    MemberActionResponse,
     DeviceCodeResponse,
     DeviceLookupResponse,
     DeviceMutateResponse,

api/controllers/openapi/_models.py

@@ -6,7 +6,7 @@ from typing import Any, Literal
 
 from pydantic import BaseModel, ConfigDict, Field, field_validator
 
-from libs.helper import EmailStr, UUIDStrOrEmpty, uuid_value
+from libs.helper import UUIDStrOrEmpty, uuid_value
 from models.model import AppMode
 
 # Server-side cap on `limit` query param for /openapi/v1/* list endpoints.
@@ -342,61 +342,3 @@ class ApprovalGrantClaimsPayload(BaseModel):
     user_code: str = Field(min_length=1, max_length=32)
     nonce: str = Field(min_length=1, max_length=128)
     csrf_token: str = Field(min_length=1, max_length=128)
-
-
-# Closed enum for invite/update-role payloads. Owner is intentionally not
-# assignable through these endpoints — ownership transfer goes through the
-# console's three-step email-verification flow.
-MemberAssignableRole = Literal["normal", "admin"]
-
-
-class MemberResponse(BaseModel):
-    id: str
-    name: str
-    email: str
-    role: str
-    status: str
-    avatar: str | None = None
-
-
-class MemberListResponse(BaseModel):
-    page: int
-    limit: int
-    total: int
-    has_more: bool
-    data: list[MemberResponse]
-
-
-class MemberListQuery(BaseModel):
-    """Strict (extra='forbid')."""
-
-    model_config = ConfigDict(extra="forbid")
-
-    page: int = Field(1, ge=1)
-    limit: int = Field(20, ge=1, le=MAX_PAGE_LIMIT)
-
-
-class MemberInvitePayload(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
-    email: EmailStr
-    role: MemberAssignableRole
-
-
-class MemberRoleUpdatePayload(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
-    role: MemberAssignableRole
-
-
-class MemberInviteResponse(BaseModel):
-    result: Literal["success"] = "success"
-    email: str
-    role: str
-    member_id: str
-    invite_url: str
-    tenant_id: str
-
-
-class MemberActionResponse(BaseModel):
-    result: Literal["success"] = "success"

api/controllers/openapi/account.py

@@ -4,7 +4,7 @@ from datetime import UTC, datetime
 
 from flask import request
 from flask_restx import Resource
-from werkzeug.exceptions import NotFound
+from werkzeug.exceptions import BadRequest, NotFound
 
 from controllers.openapi import openapi_ns
 from controllers.openapi._models import (
@@ -17,17 +17,18 @@ from controllers.openapi._models import (
     SessionRow,
     WorkspacePayload,
 )
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData
 from extensions.ext_database import db
 from extensions.ext_redis import redis_client
 from libs.oauth_bearer import (
-    Scope,
-    TokenType,
+    ACCEPT_USER_ANY,
+    AuthContext,
+    SubjectType,
     get_auth_ctx,
+    validate_bearer,
 )
 from libs.rate_limit import (
     LIMIT_ME_PER_ACCOUNT,
+    LIMIT_ME_PER_EMAIL,
     enforce,
 )
 from services.account_service import AccountService, TenantService
@@ -41,18 +42,32 @@ from services.oauth_device_flow import (
 @openapi_ns.route("/account")
 class AccountApi(Resource):
     @openapi_ns.response(200, "Account info", openapi_ns.models[AccountResponse.__name__])
-    @auth_router.guard(scope=Scope.FULL, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def get(self, *, auth_data: AuthData):
-        enforce(LIMIT_ME_PER_ACCOUNT, key=f"account:{auth_data.account_id}")
+    @validate_bearer(accept=ACCEPT_USER_ANY)
+    def get(self):
+        ctx = get_auth_ctx()
 
-        account_id_str = str(auth_data.account_id) if auth_data.account_id else None
-        account = AccountService.get_account_by_id(db.session, account_id_str) if account_id_str else None
-        memberships = TenantService.get_account_memberships(db.session, account_id_str) if account_id_str else []
+        if ctx.subject_type == SubjectType.EXTERNAL_SSO:
+            enforce(LIMIT_ME_PER_EMAIL, key=f"subject:{ctx.subject_email}")
+        else:
+            enforce(LIMIT_ME_PER_ACCOUNT, key=f"account:{ctx.account_id}")
+
+        if ctx.subject_type == SubjectType.EXTERNAL_SSO:
+            return AccountResponse(
+                subject_type=ctx.subject_type,
+                subject_email=ctx.subject_email,
+                subject_issuer=ctx.subject_issuer,
+                account=None,
+                workspaces=[],
+                default_workspace_id=None,
+            ).model_dump(mode="json")
+
+        account = AccountService.get_account_by_id(db.session, str(ctx.account_id)) if ctx.account_id else None
+        memberships = TenantService.get_account_memberships(db.session, str(ctx.account_id)) if ctx.account_id else []
         default_ws_id = _pick_default_workspace(memberships)
 
         return AccountResponse(
-            subject_type="account",
-            subject_email=account.email if account else None,
+            subject_type=ctx.subject_type,
+            subject_email=ctx.subject_email or (account.email if account else None),
             account=_account_payload(account) if account else None,
             workspaces=[_workspace_payload(m) for m in memberships],
             default_workspace_id=default_ws_id,
@@ -62,17 +77,19 @@ class AccountApi(Resource):
 @openapi_ns.route("/account/sessions/self")
 class AccountSessionsSelfApi(Resource):
     @openapi_ns.response(200, "Session revoked", openapi_ns.models[RevokeResponse.__name__])
-    @auth_router.guard(scope=Scope.FULL, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def delete(self, *, auth_data: AuthData):
-        revoke_oauth_token(db.session, redis_client, str(auth_data.token_id))
+    @validate_bearer(accept=ACCEPT_USER_ANY)
+    def delete(self):
+        ctx = get_auth_ctx()
+        _require_oauth_subject(ctx)
+        revoke_oauth_token(db.session, redis_client, str(ctx.token_id))
         return RevokeResponse(status="revoked").model_dump(mode="json"), 200
 
 
 @openapi_ns.route("/account/sessions")
 class AccountSessionsApi(Resource):
     @openapi_ns.response(200, "Session list", openapi_ns.models[SessionListResponse.__name__])
-    @auth_router.guard(scope=Scope.FULL, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def get(self, *, auth_data: AuthData):
+    @validate_bearer(accept=ACCEPT_USER_ANY)
+    def get(self):
         ctx = get_auth_ctx()
         now = datetime.now(UTC)
         page = int(request.args.get("page", "1"))
@@ -105,9 +122,10 @@ class AccountSessionsApi(Resource):
 @openapi_ns.route("/account/sessions/<string:session_id>")
 class AccountSessionByIdApi(Resource):
     @openapi_ns.response(200, "Session revoked", openapi_ns.models[RevokeResponse.__name__])
-    @auth_router.guard(scope=Scope.FULL, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def delete(self, session_id: str, *, auth_data: AuthData):
+    @validate_bearer(accept=ACCEPT_USER_ANY)
+    def delete(self, session_id: str):
         ctx = get_auth_ctx()
+        _require_oauth_subject(ctx)
 
         # 404 (not 403) on cross-subject so the endpoint doesn't leak
         # token IDs that belong to other subjects.
@@ -118,6 +136,13 @@ class AccountSessionByIdApi(Resource):
         return RevokeResponse(status="revoked").model_dump(mode="json"), 200
 
 
+def _require_oauth_subject(ctx: AuthContext) -> None:
+    if not ctx.source.startswith("oauth"):
+        raise BadRequest(
+            "this endpoint revokes OAuth bearer tokens; use /openapi/v1/personal-access-tokens/self for PATs"
+        )
+
+
 def _iso(dt: datetime | None) -> str | None:
     if dt is None:
         return None

api/controllers/openapi/app_run.py

@@ -16,8 +16,7 @@ import services
 from controllers.openapi import openapi_ns
 from controllers.openapi._audit import emit_app_run
 from controllers.openapi._models import AppRunRequest
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData
+from controllers.openapi.auth.composition import OAUTH_BEARER_PIPELINE
 from controllers.service_api.app.error import (
     AppUnavailableError,
     CompletionRequestError,
@@ -125,9 +124,8 @@ _DISPATCH: dict[AppMode, Callable[[App, Any, AppRunRequest], Any]] = {
 class AppRunApi(Resource):
     @openapi_ns.expect(openapi_ns.models[AppRunRequest.__name__])
     @openapi_ns.response(200, "Run result (SSE stream)")
-    @auth_router.guard(scope=Scope.APPS_RUN)
-    def post(self, app_id: str, *, auth_data: AuthData):
-        app_model, caller, caller_kind = auth_data.require_app_context()
+    @OAUTH_BEARER_PIPELINE.guard(scope=Scope.APPS_RUN)
+    def post(self, app_id: str, app_model: App, caller, caller_kind: str):
         body = request.get_json(silent=True) or {}
         try:
             payload = AppRunRequest.model_validate(body)
@@ -160,9 +158,8 @@ class AppRunApi(Resource):
 @openapi_ns.route("/apps/<string:app_id>/tasks/<string:task_id>/stop")
 class AppRunTaskStopApi(Resource):
     @openapi_ns.response(200, "Task stopped")
-    @auth_router.guard(scope=Scope.APPS_RUN)
-    def post(self, app_id: str, task_id: str, *, auth_data: AuthData):
-        app_model, caller, caller_kind = auth_data.require_app_context()
+    @OAUTH_BEARER_PIPELINE.guard(scope=Scope.APPS_RUN)
+    def post(self, app_id: str, task_id: str, app_model: App, caller, caller_kind: str):
         AppQueueManager.set_stop_flag_no_user_check(task_id)
         GraphEngineManager(redis_client).send_stop_command(task_id)
         return {"result": "success"}

api/controllers/openapi/apps.py

@@ -1,4 +1,9 @@
-"""GET /openapi/v1/apps and per-app reads."""
+"""GET /openapi/v1/apps and per-app reads.
+
+Decorator order: `method_decorators` is innermost-first. `validate_bearer`
+is last → outermost → publishes the auth ContextVar before `require_scope`
+reads it.
+"""
 
 from __future__ import annotations
 
@@ -23,17 +28,31 @@ from controllers.openapi._models import (
     AppListRow,
     TagItem,
 )
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData
+from controllers.openapi.auth.surface_gate import accept_subjects
 from controllers.service_api.app.error import AppUnavailableError
 from core.app.app_config.common.parameters_mapping import get_parameters_from_feature_dict
 from extensions.ext_database import db
-from libs.oauth_bearer import Scope, TokenType
+from libs.oauth_bearer import (
+    ACCEPT_USER_ANY,
+    AuthContext,
+    Scope,
+    SubjectType,
+    get_auth_ctx,
+    require_scope,
+    require_workspace_member,
+    validate_bearer,
+)
 from models import App
 from services.account_service import TenantService
 from services.app_service import AppListParams, AppService
 from services.tag_service import TagService
 
+_APPS_READ_DECORATORS = [
+    require_scope(Scope.APPS_READ),
+    accept_subjects(SubjectType.ACCOUNT),
+    validate_bearer(accept=ACCEPT_USER_ANY),
+]
+
 _ALLOWED_DESCRIBE_FIELDS: frozenset[str] = frozenset({"info", "parameters", "input_schema"})
 
 
@@ -47,9 +66,13 @@ _EMPTY_PARAMETERS: dict[str, Any] = {
 
 
 class AppReadResource(Resource):
-    """Base for per-app read endpoints; subclasses call `_load()` for membership/exists checks."""
+    """Base for per-app read endpoints; subclasses call `_load()` for SSO/membership/exists checks."""
+
+    method_decorators = _APPS_READ_DECORATORS
+
+    def _load(self, app_id: str, workspace_id: str | None = None) -> tuple[App, AuthContext]:
+        ctx: AuthContext = get_auth_ctx()
 
-    def _load(self, app_id: str, workspace_id: str | None = None) -> App:
         try:
             parsed_uuid = _uuid.UUID(app_id)
             is_uuid = True
@@ -76,7 +99,8 @@ class AppReadResource(Resource):
                 raise Conflict("".join(lines))
             app = matches[0]
 
-        return app
+        require_workspace_member(ctx, str(app.tenant_id))
+        return app, ctx
 
 
 def parameters_payload(app: App) -> dict:
@@ -90,14 +114,13 @@ def parameters_payload(app: App) -> dict:
 class AppDescribeApi(AppReadResource):
     @openapi_ns.doc(params=query_params_from_model(AppDescribeQuery))
     @openapi_ns.response(200, "App description", openapi_ns.models[AppDescribeResponse.__name__])
-    @auth_router.guard(scope=Scope.APPS_READ, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def get(self, app_id: str, *, auth_data: AuthData):
+    def get(self, app_id: str):
         try:
             query = AppDescribeQuery.model_validate(request.args.to_dict(flat=True))
         except ValidationError as exc:
             raise UnprocessableEntity(exc.json())
 
-        app = self._load(app_id, workspace_id=query.workspace_id)
+        app, _ = self._load(app_id, workspace_id=query.workspace_id)
 
         requested = query.fields
         want_info = requested is None or "info" in requested
@@ -145,16 +168,20 @@ class AppDescribeApi(AppReadResource):
 
 @openapi_ns.route("/apps")
 class AppListApi(Resource):
+    method_decorators = _APPS_READ_DECORATORS
+
     @openapi_ns.doc(params=query_params_from_model(AppListQuery))
     @openapi_ns.response(200, "App list", openapi_ns.models[AppListResponse.__name__])
-    @auth_router.guard(scope=Scope.APPS_READ, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def get(self, *, auth_data: AuthData):
+    def get(self):
+        ctx: AuthContext = get_auth_ctx()
+
         try:
             query: AppListQuery = AppListQuery.model_validate(request.args.to_dict(flat=True))
         except ValidationError as exc:
             raise UnprocessableEntity(exc.json())
 
         workspace_id = query.workspace_id
+        require_workspace_member(ctx, workspace_id)
 
         empty = (
             AppListResponse(page=query.page, limit=query.limit, total=0, has_more=False, data=[]).model_dump(
@@ -210,7 +237,7 @@ class AppListApi(Resource):
             openapi_visible=True,
         )
 
-        pagination = AppService().get_paginate_apps(str(auth_data.account_id), workspace_id, params)
+        pagination = AppService().get_paginate_apps(str(ctx.account_id), workspace_id, params)
         if pagination is None:
             return empty
 

api/controllers/openapi/apps_permitted_external.py

@@ -18,27 +18,37 @@ from controllers.openapi._models import (
     PermittedExternalAppsListQuery,
     PermittedExternalAppsListResponse,
 )
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData, Edition
+from controllers.openapi.auth.surface_gate import accept_subjects
 from extensions.ext_database import db
-from libs.oauth_bearer import Scope, TokenType
+from libs.device_flow_security import enterprise_only
+from libs.oauth_bearer import (
+    ACCEPT_USER_ANY,
+    Scope,
+    SubjectType,
+    require_scope,
+    validate_bearer,
+)
 from models import App
 from services.account_service import TenantService
 from services.app_service import AppService
 from services.enterprise.app_permitted_service import list_permitted_apps
+from services.openapi.license_gate import license_required
 
 
 @openapi_ns.route("/permitted-external-apps")
 class PermittedExternalAppsListApi(Resource):
+    method_decorators = [
+        require_scope(Scope.APPS_READ_PERMITTED_EXTERNAL),
+        license_required,
+        accept_subjects(SubjectType.EXTERNAL_SSO),
+        validate_bearer(accept=ACCEPT_USER_ANY),
+        enterprise_only,
+    ]
+
     @openapi_ns.response(
         200, "Permitted external apps list", openapi_ns.models[PermittedExternalAppsListResponse.__name__]
     )
-    @auth_router.guard(
-        scope=Scope.APPS_READ_PERMITTED_EXTERNAL,
-        allowed_token_types=frozenset({TokenType.OAUTH_EXTERNAL_SSO}),
-        edition=frozenset({Edition.EE}),
-    )
-    def get(self, *, auth_data: AuthData):
+    def get(self):
         try:
             query = PermittedExternalAppsListQuery.model_validate(request.args.to_dict(flat=True))
         except ValidationError as exc:

api/controllers/openapi/auth/__init__.py

@@ -1,3 +1,3 @@
-from controllers.openapi.auth.composition import auth_router
+from controllers.openapi.auth.composition import OAUTH_BEARER_PIPELINE
 
-__all__ = ["auth_router"]
+__all__ = ["OAUTH_BEARER_PIPELINE"]

api/controllers/openapi/auth/composition.py

@@ -1,64 +1,46 @@
+"""`OAUTH_BEARER_PIPELINE` — the auth scheme for openapi `/run` endpoints.
+
+Endpoints attach via `@OAUTH_BEARER_PIPELINE.guard(scope=…)`. No alternative
+paths. Read endpoints (`/apps`, `/info`, `/parameters`, `/describe`) skip
+the pipeline and use `validate_bearer + require_scope + require_workspace_member`
+inline — they don't need `AppAuthzCheck`/`CallerMount`.
+"""
+
 from __future__ import annotations
 
-from controllers.openapi.auth.conditions import (
-    EDITION_CE,
-    EDITION_EE,
-    LOADED_APP_IS_PRIVATE,
-    PATH_HAS_APP_ID,
-    WEBAPP_AUTH_ENABLED,
+from controllers.openapi.auth.pipeline import Pipeline
+from controllers.openapi.auth.steps import (
+    AppAuthzCheck,
+    AppResolver,
+    BearerCheck,
+    CallerMount,
+    ScopeCheck,
+    SurfaceCheck,
+    WorkspaceMembershipCheck,
 )
-from controllers.openapi.auth.data import Edition
-from controllers.openapi.auth.flow import When
-from controllers.openapi.auth.pipeline import AuthPipeline, PipelineRoute, PipelineRouter
-from controllers.openapi.auth.prepare import (
-    load_account,
-    load_app,
-    load_app_access_mode,
-    load_tenant,
-    resolve_external_user,
+from controllers.openapi.auth.strategies import (
+    AccountMounter,
+    AclStrategy,
+    AppAuthzStrategy,
+    EndUserMounter,
+    MembershipStrategy,
 )
-from controllers.openapi.auth.verify import (
-    check_acl,
-    check_app_access,
-    check_membership,
-    check_private_app_permission,
-    check_scope,
-)
-from libs.oauth_bearer import TokenType
+from libs.oauth_bearer import SubjectType
+from services.feature_service import FeatureService
 
-account_pipeline = AuthPipeline(
-    prepare=[
-        When(PATH_HAS_APP_ID, then=load_app),
-        When(PATH_HAS_APP_ID, then=load_tenant),
-        load_account,  # all tokens here are account tokens
-        When(PATH_HAS_APP_ID & EDITION_EE, then=load_app_access_mode),
-    ],
-    auth=[
-        check_scope,
-        When(EDITION_CE & PATH_HAS_APP_ID, then=check_membership),
-        When(EDITION_EE & PATH_HAS_APP_ID & ~WEBAPP_AUTH_ENABLED, then=check_app_access),
-        When(PATH_HAS_APP_ID & EDITION_EE & WEBAPP_AUTH_ENABLED, then=check_acl),
-        When(EDITION_EE & LOADED_APP_IS_PRIVATE, then=check_private_app_permission),
-    ],
-)
 
-external_sso_pipeline = AuthPipeline(
-    prepare=[
-        When(PATH_HAS_APP_ID, then=load_app),
-        When(PATH_HAS_APP_ID, then=load_tenant),
-        When(PATH_HAS_APP_ID, then=resolve_external_user),
-        When(PATH_HAS_APP_ID, then=load_app_access_mode),
-    ],
-    auth=[
-        check_scope,
-        When(PATH_HAS_APP_ID & WEBAPP_AUTH_ENABLED, then=check_acl),
-        When(LOADED_APP_IS_PRIVATE, then=check_private_app_permission),
-    ],
-)
+def _resolve_app_authz_strategy() -> AppAuthzStrategy:
+    if FeatureService.get_system_features().webapp_auth.enabled:
+        return AclStrategy()
+    return MembershipStrategy()
 
-auth_router = PipelineRouter(
-    {
-        TokenType.OAUTH_ACCOUNT: PipelineRoute(account_pipeline),
-        TokenType.OAUTH_EXTERNAL_SSO: PipelineRoute(external_sso_pipeline, required_edition=frozenset({Edition.EE})),
-    }
+
+OAUTH_BEARER_PIPELINE = Pipeline(
+    BearerCheck(),
+    SurfaceCheck(accepted=frozenset({SubjectType.ACCOUNT})),
+    ScopeCheck(),
+    AppResolver(),
+    WorkspaceMembershipCheck(),
+    AppAuthzCheck(_resolve_app_authz_strategy),
+    CallerMount(AccountMounter(), EndUserMounter()),
 )

api/controllers/openapi/auth/conditions.py

@@ -1,53 +0,0 @@
-from __future__ import annotations
-
-from collections.abc import Callable
-
-from controllers.openapi.auth.data import AuthData, Edition, RequestContext, current_edition
-from libs.oauth_bearer import TokenType
-from services.enterprise.enterprise_service import WebAppAccessMode
-from services.feature_service import FeatureService
-
-CondFn = Callable[[RequestContext, AuthData | None], bool]
-
-
-class Cond:
-    def __init__(self, fn: CondFn) -> None:
-        self._fn = fn
-
-    def __call__(self, ctx: RequestContext, data: AuthData | None = None) -> bool:
-        return self._fn(ctx, data)
-
-    def __and__(self, other: Cond) -> Cond:
-        return Cond(lambda ctx, data: self(ctx, data) and other(ctx, data))
-
-    def __or__(self, other: Cond) -> Cond:
-        return Cond(lambda ctx, data: self(ctx, data) or other(ctx, data))
-
-    def __invert__(self) -> Cond:
-        return Cond(lambda ctx, data: not self(ctx, data))
-
-
-def request_cond(fn: Callable[[RequestContext], bool]) -> Cond:
-    return Cond(lambda ctx, _: fn(ctx))
-
-
-def data_cond(fn: Callable[[AuthData], bool]) -> Cond:
-    return Cond(lambda _, data: data is not None and fn(data))
-
-
-def config_cond(fn: Callable[[], bool]) -> Cond:
-    return Cond(lambda _, __: fn())
-
-
-TOKEN_IS_OAUTH_ACCOUNT = request_cond(lambda ctx: ctx.token_type == TokenType.OAUTH_ACCOUNT)
-TOKEN_IS_OAUTH_EXTERNAL_SSO = request_cond(lambda ctx: ctx.token_type == TokenType.OAUTH_EXTERNAL_SSO)
-
-PATH_HAS_APP_ID = request_cond(lambda ctx: "app_id" in ctx.path_params)
-
-EDITION_CE = config_cond(lambda: current_edition() == Edition.CE)
-EDITION_EE = config_cond(lambda: current_edition() == Edition.EE)
-EDITION_SAAS = config_cond(lambda: current_edition() == Edition.SAAS)
-
-WEBAPP_AUTH_ENABLED = config_cond(lambda: FeatureService.get_system_features().webapp_auth.enabled)
-
-LOADED_APP_IS_PRIVATE = data_cond(lambda data: data.app_access_mode == WebAppAccessMode.PRIVATE)

api/controllers/openapi/auth/context.py

@@ -0,0 +1,68 @@
+"""Mutable per-request context for the openapi auth pipeline.
+
+Every field starts None / empty and is filled in by a step. The pipeline
+is the only thing that should construct or mutate Context — handlers
+read populated values via the decorator's kwargs unpacking.
+
+Context is intentionally decoupled from Flask's ``Request``: the pipeline
+guard extracts whatever transport-level inputs the steps need (bearer
+token, path params) at the boundary and writes them into Context fields,
+so steps stay testable without a request object and won't leak coupling
+to a specific framework.
+"""
+
+from __future__ import annotations
+
+import uuid
+from collections.abc import Mapping
+from contextvars import Token
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import TYPE_CHECKING, Literal, Protocol
+
+from werkzeug.exceptions import Unauthorized
+
+from libs.oauth_bearer import AuthContext, Scope, SubjectType
+
+if TYPE_CHECKING:
+    from models import App, Tenant
+
+
+@dataclass
+class Context:
+    required_scope: Scope
+    bearer_token: str | None = None
+    path_params: Mapping[str, str] = field(default_factory=dict)
+    subject_type: SubjectType | None = None
+    subject_email: str | None = None
+    subject_issuer: str | None = None
+    account_id: uuid.UUID | None = None
+    scopes: frozenset[Scope] = field(default_factory=frozenset)
+    token_id: uuid.UUID | None = None
+    token_hash: str | None = None
+    cached_verified_tenants: dict[str, bool] | None = None
+    source: str | None = None
+    expires_at: datetime | None = None
+    app: App | None = None
+    tenant: Tenant | None = None
+    caller: object | None = None
+    caller_kind: Literal["account", "end_user"] | None = None
+    auth_ctx_reset_token: Token[AuthContext] | None = None
+
+    @property
+    def must_tenant(self) -> Tenant:
+        if not self.tenant:
+            raise Unauthorized("tenant is not associated")
+        return self.tenant
+
+    @property
+    def must_subject_type(self) -> SubjectType:
+        if not self.subject_type:
+            raise Unauthorized("subject_type unset — BearerCheck did not run")
+        return self.subject_type
+
+
+class Step(Protocol):
+    """One responsibility. Mutate ctx or raise to short-circuit."""
+
+    def __call__(self, ctx: Context) -> None: ...

api/controllers/openapi/auth/data.py

@@ -1,69 +0,0 @@
-from __future__ import annotations
-
-import uuid
-from enum import StrEnum
-from typing import Literal
-
-from pydantic import BaseModel, ConfigDict, Field
-from werkzeug.exceptions import InternalServerError
-
-from configs import dify_config
-from libs.oauth_bearer import Scope, TokenType
-from models.account import Account, Tenant
-from models.model import App, EndUser
-from services.enterprise.enterprise_service import WebAppAccessMode
-
-
-class Edition(StrEnum):
-    CE = "ce"
-    EE = "ee"
-    SAAS = "saas"
-
-
-def current_edition() -> Edition:
-    if dify_config.EDITION == "CLOUD":
-        return Edition.SAAS
-    if dify_config.ENTERPRISE_ENABLED:
-        return Edition.EE
-    return Edition.CE
-
-
-class ExternalIdentity(BaseModel):
-    model_config = ConfigDict(frozen=True)
-
-    email: str
-    issuer: str | None = None
-
-
-class RequestContext(BaseModel):
-    model_config = ConfigDict(frozen=True)
-
-    token_type: TokenType
-    scope: Scope | None = None
-    path_params: dict[str, str]
-
-
-class AuthData(BaseModel):
-    model_config = ConfigDict(arbitrary_types_allowed=True)
-
-    required_scope: Scope | None = None
-    token_type: TokenType
-    account_id: uuid.UUID | None = None
-    token_hash: str
-    token_id: uuid.UUID | None = None
-    scopes: frozenset[Scope]
-    tenants: dict[str, bool] = Field(default_factory=dict)
-    external_identity: ExternalIdentity | None = None
-    path_params: dict[str, str] = Field(default_factory=dict)
-
-    app: App | None = None
-    tenant: Tenant | None = None
-    app_access_mode: WebAppAccessMode | None = None
-
-    caller: Account | EndUser | None = None
-    caller_kind: Literal["account", "end_user"] | None = None
-
-    def require_app_context(self) -> tuple[App, Account | EndUser, Literal["account", "end_user"]]:
-        if self.app is None or self.caller is None or self.caller_kind is None:
-            raise InternalServerError("pipeline_invariant_violated: app context missing")
-        return self.app, self.caller, self.caller_kind

api/controllers/openapi/auth/flow.py

@@ -1,19 +0,0 @@
-from __future__ import annotations
-
-from collections.abc import Callable
-from typing import Any
-
-from controllers.openapi.auth.conditions import Cond
-from controllers.openapi.auth.data import AuthData, RequestContext
-
-
-class When:
-    def __init__(self, condition: Cond, *, then: Callable[[Any], None]) -> None:
-        self.condition = condition
-        self._step = then
-
-    def applies(self, ctx: RequestContext, data: AuthData | None = None) -> bool:
-        return self.condition(ctx, data)
-
-    def __call__(self, arg: Any) -> None:
-        self._step(arg)

api/controllers/openapi/auth/pipeline.py

@@ -1,209 +1,51 @@
-"""Auth pipeline — entry point for all openapi auth.
+"""Pipeline IS the auth scheme.
 
-`PipelineRouter.guard()` is the only attachment point for endpoints.
-`AuthPipeline` is a pure step-runner with no routing concerns.
-`PipelineRoute` binds a pipeline to optional edition requirements.
+`Pipeline.guard(scope=…)` is the only attachment point for endpoints —
+that is the design lock-in: forgetting an auth layer is structurally
+impossible because there is no "sometimes wrap, sometimes don't" choice.
 """
 
 from __future__ import annotations
 
-from collections.abc import Callable
-from dataclasses import dataclass
 from functools import wraps
-from typing import Any
 
-from flask import current_app, request
-from flask_login import user_logged_in
-from werkzeug.exceptions import Forbidden, NotFound, Unauthorized
+from flask import request
 
-from controllers.openapi._audit import emit_wrong_surface
-from controllers.openapi.auth.data import (
-    AuthData,
-    Edition,
-    ExternalIdentity,
-    RequestContext,
-    current_edition,
-)
-from controllers.openapi.auth.flow import When
-from libs.oauth_bearer import (
-    AuthContext,
-    Scope,
-    TokenType,
-    extract_bearer,
-    get_authenticator,
-    reset_auth_ctx,
-    set_auth_ctx,
-)
-from services.feature_service import FeatureService, LicenseStatus
+from controllers.openapi.auth.context import Context, Step
+from libs.oauth_bearer import Scope, extract_bearer, reset_auth_ctx
 
 
-class AuthPipeline:
-    """Pure step-runner — no routing, no guard.
+class Pipeline:
+    def __init__(self, *steps: Step) -> None:
+        self._steps = steps
 
-    Both `prepare` and `auth` steps receive the same `AuthData` instance.
-    `prepare` steps populate it; `auth` steps validate it.
-    """
+    def run(self, ctx: Context) -> None:
+        for step in self._steps:
+            step(ctx)
 
-    def __init__(self, prepare: list, auth: list) -> None:
-        self._prepare = prepare
-        self._auth = auth
-
-    def _run(
-        self,
-        identity: AuthContext,
-        args: tuple,
-        kwargs: dict,
-        view: Callable,
-        *,
-        scope: Scope | None,
-    ) -> Any:
-        req_ctx = RequestContext(
-            token_type=identity.token_type,
-            scope=scope,
-            path_params=dict(request.view_args or {}),
-        )
-
-        data = AuthData(
-            token_type=identity.token_type,
-            account_id=identity.account_id,
-            token_hash=identity.token_hash,
-            token_id=identity.token_id,
-            scopes=frozenset(identity.scopes),
-            tenants=dict(identity.verified_tenants),
-            required_scope=scope,
-            path_params=dict(req_ctx.path_params),
-            external_identity=(
-                ExternalIdentity(email=identity.subject_email, issuer=identity.subject_issuer)
-                if identity.subject_email
-                else None
-            ),
-        )
-
-        for step in self._prepare:
-            if _should_run(step, req_ctx, data=None):
-                step(data)
-
-        for step in self._auth:
-            if _should_run(step, req_ctx, data=data):
-                step(data)
-
-        reset_token = set_auth_ctx(identity)
-        if data.caller:
-            _mount_flask_login(data.caller)
-
-        try:
-            kwargs["auth_data"] = data
-            return view(*args, **kwargs)
-        finally:
-            reset_auth_ctx(reset_token)
-
-
-@dataclass(frozen=True)
-class PipelineRoute:
-    pipeline: AuthPipeline
-    required_edition: frozenset[Edition] | None = None
-
-
-class PipelineRouter:
-    """Entry point for openapi auth.
-
-    `guard()` is the decorator that endpoints attach to. It applies
-    global gates (edition, token type) then dispatches to the matching
-    `PipelineRoute` for the token type.
-    """
-
-    def __init__(self, routes: dict[TokenType, PipelineRoute]) -> None:
-        self._routes = routes
-
-    def guard(
-        self,
-        *,
-        scope: Scope | None = None,
-        allowed_token_types: frozenset[TokenType] | None = None,
-        edition: frozenset[Edition] | None = None,
-    ) -> Callable:
-        def decorator(view: Callable) -> Callable:
+    def guard(self, *, scope: Scope):
+        def decorator(view):
             @wraps(view)
-            def decorated(*args: Any, **kwargs: Any) -> Any:
-                return self._execute(
-                    args,
-                    kwargs,
-                    view,
-                    scope=scope,
-                    allowed_token_types=allowed_token_types,
-                    edition=edition,
+            def decorated(*args, **kwargs):
+                # Extract transport-level inputs at the boundary so steps
+                # stay decoupled from Flask's request object.
+                ctx = Context(
+                    required_scope=scope,
+                    bearer_token=extract_bearer(request),
+                    path_params=dict(request.view_args or {}),
                 )
+                try:
+                    self.run(ctx)
+                    kwargs.update(
+                        app_model=ctx.app,
+                        caller=ctx.caller,
+                        caller_kind=ctx.caller_kind,
+                    )
+                    return view(*args, **kwargs)
+                finally:
+                    if ctx.auth_ctx_reset_token is not None:
+                        reset_auth_ctx(ctx.auth_ctx_reset_token)
 
             return decorated
 
         return decorator
-
-    def _execute(
-        self,
-        args: tuple,
-        kwargs: dict,
-        view: Callable,
-        *,
-        scope: Scope | None,
-        allowed_token_types: frozenset[TokenType] | None,
-        edition: frozenset[Edition] | None,
-    ) -> Any:
-        # 404 not 403 — this edition doesn't expose the feature at all
-        if edition is not None and current_edition() not in edition:
-            raise NotFound()
-
-        license_checked = False
-        if edition is not None and Edition.EE in edition:
-            _check_license()
-            license_checked = True
-
-        token = extract_bearer(request)
-        if not token:
-            raise Unauthorized("bearer required")
-
-        identity = get_authenticator().authenticate(token)
-
-        if allowed_token_types is not None and identity.token_type not in allowed_token_types:
-            emit_wrong_surface(
-                subject_type=_subject_type_str(identity),
-                attempted_path=request.path,
-                client_id=getattr(identity, "client_id", None),
-                token_id=str(identity.token_id) if identity.token_id else None,
-            )
-            raise Forbidden("unsupported_token_type")
-
-        route = self._routes.get(identity.token_type)
-        if route is None:
-            raise Forbidden("unsupported_token_type")
-
-        if route.required_edition is not None:
-            if current_edition() not in route.required_edition:
-                raise Forbidden("external_sso_requires_ee")
-            if not license_checked and Edition.EE in route.required_edition:
-                _check_license()
-
-        return route.pipeline._run(identity, args, kwargs, view, scope=scope)
-
-
-def _should_run(step: Any, req_ctx: RequestContext, data: AuthData | None) -> bool:
-    if isinstance(step, When):
-        return step.applies(req_ctx, data)
-    return True
-
-
-def _subject_type_str(identity: Any) -> str | None:
-    subject = getattr(identity, "subject_type", None)
-    if subject is None:
-        return None
-    return subject.value if hasattr(subject, "value") else str(subject)
-
-
-def _check_license() -> None:
-    settings = FeatureService.get_system_features()
-    if settings.license.status in {LicenseStatus.INACTIVE, LicenseStatus.EXPIRED, LicenseStatus.LOST}:
-        raise Forbidden("license_invalid")
-
-
-def _mount_flask_login(user: Any) -> None:
-    current_app.login_manager._update_request_context_with_user(user)  # type: ignore[attr-defined]
-    user_logged_in.send(current_app._get_current_object(), user=user)  # type: ignore[attr-defined]

api/controllers/openapi/auth/prepare.py

@@ -1,67 +0,0 @@
-from __future__ import annotations
-
-from werkzeug.exceptions import Forbidden, InternalServerError, NotFound, Unauthorized
-
-from controllers.openapi.auth.data import AuthData
-from core.app.entities.app_invoke_entities import InvokeFrom
-from extensions.ext_database import db
-from models.account import TenantStatus
-from services.account_service import AccountService, TenantService
-from services.app_service import AppService
-from services.end_user_service import EndUserService
-from services.enterprise.enterprise_service import EnterpriseService, WebAppAccessMode
-
-
-def load_app(data: AuthData) -> None:
-    app_id = data.path_params["app_id"]
-    app = AppService.get_app_by_id(db.session, app_id)
-    if not app or app.status != "normal":
-        raise NotFound("app not found")
-    if not app.enable_api:
-        raise Forbidden("service_api_disabled")
-    data.app = app
-
-
-def load_tenant(data: AuthData) -> None:
-    if data.app is None:
-        raise InternalServerError("pipeline_invariant_violated: app not loaded before load_tenant")
-    tenant = TenantService.get_tenant_by_id(db.session, str(data.app.tenant_id))
-    if tenant is None or tenant.status == TenantStatus.ARCHIVE:
-        raise Forbidden("workspace unavailable")
-    data.tenant = tenant
-
-
-def load_account(data: AuthData) -> None:
-    account = AccountService.get_account_by_id(db.session, str(data.account_id))
-    if account is None:
-        raise Unauthorized("account not found")
-    if data.tenant:
-        account.current_tenant = data.tenant
-    data.caller = account
-    data.caller_kind = "account"
-
-
-def resolve_external_user(data: AuthData) -> None:
-    if data.tenant is None or data.app is None or data.external_identity is None:
-        raise Unauthorized("missing context for external user resolution")
-    end_user = EndUserService.get_or_create_end_user_by_type(
-        InvokeFrom.OPENAPI,
-        tenant_id=str(data.tenant.id),
-        app_id=str(data.app.id),
-        user_id=data.external_identity.email,
-    )
-    data.caller = end_user
-    data.caller_kind = "end_user"
-
-
-def load_app_access_mode(data: AuthData) -> None:
-    if data.app is None:
-        return
-    try:
-        settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=str(data.app.id))
-        if settings is None:
-            data.app_access_mode = None
-            return
-        data.app_access_mode = WebAppAccessMode(settings.access_mode)
-    except ValueError:
-        data.app_access_mode = None

api/controllers/openapi/auth/role_gate.py

@@ -1,77 +0,0 @@
-"""Workspace role gate.
-
-Layered on top of `validate_bearer` + `accept_subjects(SubjectType.ACCOUNT)`
-for routes whose access depends on the caller's `TenantAccountJoin.role`
-in the workspace named by the `workspace_id` path parameter.
-
-Usage::
-
-    @openapi_ns.route("/workspaces/<string:workspace_id>/members")
-    class Members(Resource):
-        @validate_bearer(accept=ACCEPT_USER_ANY)
-        @accept_subjects(SubjectType.ACCOUNT)
-        @require_workspace_role()  # any member
-        def get(self, workspace_id: str): ...
-
-        @validate_bearer(accept=ACCEPT_USER_ANY)
-        @accept_subjects(SubjectType.ACCOUNT)
-        @require_workspace_role(TenantAccountRole.OWNER, TenantAccountRole.ADMIN)
-        def post(self, workspace_id: str): ...
-
-Non-member callers get 404 (matching `GET /openapi/v1/workspaces/<id>`)
-so workspace IDs do not leak across tenants. A member without one of the
-allowed roles gets 403.
-"""
-
-from __future__ import annotations
-
-from collections.abc import Callable
-from functools import wraps
-from typing import TypeVar
-
-from werkzeug.exceptions import Forbidden, NotFound
-
-from extensions.ext_database import db
-from libs.oauth_bearer import try_get_auth_ctx
-from models.account import TenantAccountRole
-from services.account_service import TenantService
-
-F = TypeVar("F", bound=Callable[..., object])
-
-
-def require_workspace_role(*allowed_roles: TenantAccountRole) -> Callable[[F], F]:
-    """Gate a route on the caller's role in ``workspace_id``.
-
-    Pass no roles to require only membership. Pass one or more roles to
-    require the caller's role be in that set.
-    """
-
-    allowed = frozenset(allowed_roles)
-
-    def deco(fn: F) -> F:
-        @wraps(fn)
-        def wrapper(*args: object, **kwargs: object) -> object:
-            ctx = try_get_auth_ctx()
-            if ctx is None or ctx.account_id is None:
-                raise RuntimeError(
-                    "require_workspace_role called without account-bearer context; "
-                    "stack validate_bearer + accept_subjects(SubjectType.ACCOUNT) above it"
-                )
-
-            workspace_id = kwargs.get("workspace_id")
-            if not workspace_id:
-                raise RuntimeError("require_workspace_role expects a 'workspace_id' route parameter")
-
-            role = TenantService.get_account_role_in_tenant(db.session, str(ctx.account_id), str(workspace_id))
-
-            if role is None:
-                raise NotFound("workspace not found")
-
-            if allowed and role not in allowed:
-                raise Forbidden("insufficient workspace role")
-
-            return fn(*args, **kwargs)
-
-        return wrapper  # type: ignore[return-value]
-
-    return deco

api/controllers/openapi/auth/steps.py

@@ -0,0 +1,170 @@
+"""Pipeline steps. Each is one responsibility.
+
+`BearerCheck` is the only step that touches the token registry; downstream
+steps see only the populated `Context`. `BearerCheck` also publishes the
+resolved identity to the openapi auth ``ContextVar`` (the same one the
+decorator-level :func:`libs.oauth_bearer.validate_bearer` writes to) so the
+surface gate and any handler reading the request-scoped context has a single
+source of truth across both auth-attach paths. The reset token is stashed
+on `ctx.auth_ctx_reset_token`; `Pipeline.guard` resets the ContextVar in
+its `finally` so worker-thread reuse can't leak identity across requests.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Callable
+
+from werkzeug.exceptions import BadRequest, Forbidden, NotFound, Unauthorized
+
+from configs import dify_config
+from controllers.openapi.auth.context import Context
+from controllers.openapi.auth.strategies import AppAuthzStrategy, CallerMounter
+from controllers.openapi.auth.surface_gate import check_surface
+from extensions.ext_database import db
+from libs.oauth_bearer import (
+    AuthContext,
+    InvalidBearerError,
+    Scope,
+    SubjectType,
+    check_workspace_membership,
+    get_authenticator,
+    set_auth_ctx,
+)
+from models import TenantStatus
+from services.account_service import TenantService
+from services.app_service import AppService
+
+
+class BearerCheck:
+    """Resolve bearer → populate identity fields. Rate-limit is enforced
+    inside `BearerAuthenticator.authenticate`, so no separate step here.
+    Also publishes the resolved `AuthContext` via
+    :func:`libs.oauth_bearer.set_auth_ctx` — same shape the decorator-level
+    ``validate_bearer`` writes — so the surface gate + downstream readers
+    don't see two different identity sources. The reset token is parked on
+    ``ctx.auth_ctx_reset_token`` for `Pipeline.guard` to consume."""
+
+    def __call__(self, ctx: Context) -> None:
+        if not ctx.bearer_token:
+            raise Unauthorized("bearer required")
+
+        try:
+            authn = get_authenticator().authenticate(ctx.bearer_token)
+        except InvalidBearerError as e:
+            raise Unauthorized(str(e))
+
+        ctx.subject_type = authn.subject_type
+        ctx.subject_email = authn.subject_email
+        ctx.subject_issuer = authn.subject_issuer
+        ctx.account_id = authn.account_id
+        ctx.scopes = frozenset(authn.scopes)
+        ctx.source = authn.source
+        ctx.token_id = authn.token_id
+        ctx.expires_at = authn.expires_at
+        ctx.token_hash = authn.token_hash
+        ctx.cached_verified_tenants = dict(authn.verified_tenants)
+        ctx.auth_ctx_reset_token = set_auth_ctx(authn)
+
+
+class ScopeCheck:
+    """Verify ctx.scopes (already populated by BearerCheck) covers required."""
+
+    def __call__(self, ctx: Context) -> None:
+        if Scope.FULL in ctx.scopes or ctx.required_scope in ctx.scopes:
+            return
+        raise Forbidden("insufficient_scope")
+
+
+class SurfaceCheck:
+    """Reject the request if the resolved subject is not in `accepted`."""
+
+    def __init__(self, *, accepted: frozenset[SubjectType]) -> None:
+        self._accepted = accepted
+
+    def __call__(self, ctx: Context) -> None:
+        check_surface(self._accepted)
+
+
+class AppResolver:
+    """Read ``app_id`` from ``ctx.path_params``; populate ctx.app + ctx.tenant.
+
+    Every endpoint using the OAuth bearer pipeline must declare
+    ``<string:app_id>`` in its route — that is the design lock-in (no body /
+    header coupling). ``Pipeline.guard`` lifts ``request.view_args`` into
+    ``ctx.path_params`` at the boundary so this step doesn't need to know
+    about the request object.
+    """
+
+    def __call__(self, ctx: Context) -> None:
+        app_id = ctx.path_params.get("app_id")
+        if not app_id:
+            raise BadRequest("app_id is required in path")
+        app = AppService.get_app_by_id(db.session, app_id)
+        if not app or app.status != "normal":
+            raise NotFound("app not found")
+        if not app.enable_api:
+            raise Forbidden("service_api_disabled")
+        tenant = TenantService.get_tenant_by_id(db.session, str(app.tenant_id))
+        if tenant is None or tenant.status == TenantStatus.ARCHIVE:
+            raise Forbidden("workspace unavailable")
+        ctx.app, ctx.tenant = app, tenant
+
+
+class WorkspaceMembershipCheck:
+    """Layer 0 — workspace membership gate.
+
+    CE-only (skipped when ENTERPRISE_ENABLED). Account-subject bearers
+    (dfoa_) only — SSO subjects skip.
+    """
+
+    def __call__(self, ctx: Context) -> None:
+        if dify_config.ENTERPRISE_ENABLED:
+            return
+        if ctx.subject_type != SubjectType.ACCOUNT:
+            return
+        if ctx.account_id is None or ctx.tenant is None:
+            raise Unauthorized("account_id or tenant unset — BearerCheck or AppResolver did not run")
+        if ctx.token_hash is None:
+            raise Unauthorized("token_hash unset — BearerCheck did not run")
+
+        check_workspace_membership(
+            account_id=ctx.account_id,
+            tenant_id=ctx.must_tenant.id,
+            token_hash=ctx.token_hash,
+            cached_verdicts=ctx.cached_verified_tenants or {},
+        )
+
+
+class AppAuthzCheck:
+    def __init__(self, resolve_strategy: Callable[[], AppAuthzStrategy]) -> None:
+        self._resolve = resolve_strategy
+
+    def __call__(self, ctx: Context) -> None:
+        if not self._resolve().authorize(ctx):
+            raise Forbidden("subject_no_app_access")
+
+
+class CallerMount:
+    def __init__(self, *mounters: CallerMounter) -> None:
+        self._mounters = mounters
+
+    def __call__(self, ctx: Context) -> None:
+        if ctx.subject_type is None:
+            raise Unauthorized("subject_type unset — BearerCheck did not run")
+        for m in self._mounters:
+            if m.applies_to(ctx.must_subject_type):
+                m.mount(ctx)
+                return
+        raise Unauthorized("no caller mounter for subject type")
+
+
+__all__ = [
+    "AppAuthzCheck",
+    "AppResolver",
+    "AuthContext",
+    "BearerCheck",
+    "CallerMount",
+    "ScopeCheck",
+    "SurfaceCheck",
+    "WorkspaceMembershipCheck",
+]

api/controllers/openapi/auth/strategies.py

@@ -0,0 +1,168 @@
+"""Strategy classes for the openapi auth pipeline.
+
+App authorization (Acl/Membership) and caller mounting (Account/EndUser)
+vary along independent axes; each strategy is one class so the pipeline
+composition stays a flat list.
+"""
+
+from __future__ import annotations
+
+from typing import Protocol
+
+from flask import current_app
+from flask_login import user_logged_in
+
+from controllers.openapi.auth.context import Context
+from core.app.entities.app_invoke_entities import InvokeFrom
+from extensions.ext_database import db
+from libs.oauth_bearer import SubjectType
+from services.account_service import AccountService, TenantService
+from services.end_user_service import EndUserService
+from services.enterprise.enterprise_service import (
+    EnterpriseService,
+    WebAppAccessMode,
+)
+
+
+class AppAuthzStrategy(Protocol):
+    def authorize(self, ctx: Context) -> bool: ...
+
+
+class AclStrategy:
+    """Per-app ACL, evaluated in two stages.
+
+    The EE gateway has already enforced tenancy and workspace membership
+    by the time this strategy runs, so AclStrategy only owns per-app ACL:
+
+    1. Subject vs access-mode compatibility (pure rule table). External-SSO
+       bearers belong to public-facing apps only; account bearers cover the
+       full set. A mismatch is an immediate deny — no IO.
+    2. For modes that pair with the subject, decide whether the inner
+       permission API must run. Only `PRIVATE` (per-app selected-user list)
+       requires it; the remaining modes are pass-through.
+    """
+
+    _ALLOWED_MODES_BY_SUBJECT: dict[SubjectType, frozenset[WebAppAccessMode]] = {
+        SubjectType.ACCOUNT: frozenset(
+            {
+                WebAppAccessMode.PUBLIC,
+                WebAppAccessMode.SSO_VERIFIED,
+                WebAppAccessMode.PRIVATE_ALL,
+                WebAppAccessMode.PRIVATE,
+            }
+        ),
+        SubjectType.EXTERNAL_SSO: frozenset(
+            {
+                WebAppAccessMode.PUBLIC,
+                WebAppAccessMode.SSO_VERIFIED,
+            }
+        ),
+    }
+
+    _MODES_REQUIRING_INNER_CHECK: frozenset[WebAppAccessMode] = frozenset({WebAppAccessMode.PRIVATE})
+
+    def authorize(self, ctx: Context) -> bool:
+        if ctx.app is None:
+            return False
+        access_mode = self._fetch_access_mode(ctx.app.id)
+        if access_mode is None:
+            return False
+        if not self._subject_allowed_for_mode(ctx.must_subject_type, access_mode):
+            return False
+        if access_mode not in self._MODES_REQUIRING_INNER_CHECK:
+            return True
+        return self._inner_permission_check(ctx)
+
+    @staticmethod
+    def _fetch_access_mode(app_id: str) -> WebAppAccessMode | None:
+        settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=app_id)
+        if settings is None:
+            return None
+        try:
+            return WebAppAccessMode(settings.access_mode)
+        except ValueError:
+            return None
+
+    @classmethod
+    def _subject_allowed_for_mode(cls, subject_type: SubjectType, access_mode: WebAppAccessMode) -> bool:
+        return access_mode in cls._ALLOWED_MODES_BY_SUBJECT.get(subject_type, frozenset())
+
+    def _inner_permission_check(self, ctx: Context) -> bool:
+        if ctx.app is None:
+            return False
+        user_id = self._resolve_user_id(ctx)
+        if user_id is None:
+            return False
+        return EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(
+            user_id=user_id,
+            app_id=ctx.app.id,
+        )
+
+    @staticmethod
+    def _resolve_user_id(ctx: Context) -> str | None:
+        if ctx.subject_type == SubjectType.ACCOUNT:
+            return str(ctx.account_id) if ctx.account_id is not None else None
+        if ctx.subject_email is None:
+            return None
+        account = AccountService.get_account_by_email(db.session, ctx.subject_email)
+        return str(account.id) if account is not None else None
+
+
+class MembershipStrategy:
+    """Tenant-membership fallback.
+
+    Used when webapp-auth is disabled (CE deployment). Account-bearing
+    subjects pass if they have a TenantAccountJoin row; EXTERNAL_SSO is
+    denied (it requires the webapp-auth surface).
+    """
+
+    def authorize(self, ctx: Context) -> bool:
+        if ctx.subject_type == SubjectType.EXTERNAL_SSO:
+            return False
+        if ctx.tenant is None:
+            return False
+        return TenantService.account_belongs_to_tenant(db.session, ctx.account_id, ctx.tenant.id)
+
+
+def _login_as(user) -> None:
+    """Set Flask-Login request user so downstream services see the caller."""
+    current_app.login_manager._update_request_context_with_user(user)  # type:ignore
+    user_logged_in.send(current_app._get_current_object(), user=user)  # type:ignore
+
+
+class CallerMounter(Protocol):
+    def applies_to(self, subject_type: SubjectType) -> bool: ...
+
+    def mount(self, ctx: Context) -> None: ...
+
+
+class AccountMounter:
+    def applies_to(self, subject_type: SubjectType) -> bool:
+        return subject_type == SubjectType.ACCOUNT
+
+    def mount(self, ctx: Context) -> None:
+        if ctx.account_id is None:
+            raise RuntimeError("AccountMounter: account_id unset — BearerCheck did not run")
+        account = AccountService.get_account_by_id(db.session, str(ctx.account_id))
+        if account is None:
+            raise RuntimeError("AccountMounter: account row missing for resolved bearer")
+        account.current_tenant = ctx.must_tenant
+        _login_as(account)
+        ctx.caller, ctx.caller_kind = account, "account"
+
+
+class EndUserMounter:
+    def applies_to(self, subject_type: SubjectType) -> bool:
+        return subject_type == SubjectType.EXTERNAL_SSO
+
+    def mount(self, ctx: Context) -> None:
+        if ctx.tenant is None or ctx.app is None or ctx.subject_email is None:
+            raise RuntimeError("EndUserMounter: tenant/app/subject_email unset — earlier steps did not run")
+        end_user = EndUserService.get_or_create_end_user_by_type(
+            InvokeFrom.OPENAPI,
+            tenant_id=ctx.tenant.id,
+            app_id=ctx.app.id,
+            user_id=ctx.subject_email,
+        )
+        _login_as(end_user)
+        ctx.caller, ctx.caller_kind = end_user, "end_user"

api/controllers/openapi/auth/verify.py

@@ -1,82 +0,0 @@
-from __future__ import annotations
-
-from werkzeug.exceptions import Forbidden, Unauthorized
-
-from controllers.openapi.auth.data import AuthData
-from extensions.ext_database import db
-from libs.oauth_bearer import Scope, TokenType, check_workspace_membership
-from services.account_service import AccountService, TenantService
-from services.enterprise.enterprise_service import EnterpriseService, WebAppAccessMode
-
-
-def check_scope(data: AuthData) -> None:
-    if data.required_scope is None:
-        return
-    if Scope.FULL in data.scopes or data.required_scope in data.scopes:
-        return
-    raise Forbidden("insufficient_scope")
-
-
-def check_membership(data: AuthData) -> None:
-    if data.tenant is None:
-        raise Unauthorized("tenant unset")
-    if data.account_id is None:
-        raise Unauthorized("account_id unset")
-    check_workspace_membership(
-        account_id=data.account_id,
-        tenant_id=data.tenant.id,
-        token_hash=data.token_hash,
-        membership_cache=data.tenants,
-    )
-
-
-def check_app_access(data: AuthData) -> None:
-    if data.tenant is None:
-        return
-    if not TenantService.account_belongs_to_tenant(db.session, data.account_id, data.tenant.id):
-        raise Forbidden("subject_no_app_access")
-
-
-_ALLOWED_MODES_BY_TOKEN_TYPE: dict[TokenType, frozenset[WebAppAccessMode]] = {
-    TokenType.OAUTH_ACCOUNT: frozenset(
-        {
-            WebAppAccessMode.PUBLIC,
-            WebAppAccessMode.SSO_VERIFIED,
-            WebAppAccessMode.PRIVATE_ALL,
-            WebAppAccessMode.PRIVATE,
-        }
-    ),
-    TokenType.OAUTH_EXTERNAL_SSO: frozenset(
-        {
-            WebAppAccessMode.PUBLIC,
-            WebAppAccessMode.SSO_VERIFIED,
-        }
-    ),
-}
-
-
-def check_acl(data: AuthData) -> None:
-    if data.app is None or data.app_access_mode is None:
-        raise Forbidden("app or access mode not loaded")
-    allowed_modes = _ALLOWED_MODES_BY_TOKEN_TYPE.get(data.token_type, frozenset())
-    if data.app_access_mode not in allowed_modes:
-        raise Forbidden("subject_not_allowed_for_access_mode")
-
-
-def check_private_app_permission(data: AuthData) -> None:
-    if data.app is None:
-        raise Forbidden("app not loaded")
-    user_id = _resolve_user_id(data)
-    if user_id is None:
-        raise Forbidden("cannot resolve user for private app check")
-    if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id=user_id, app_id=data.app.id):
-        raise Forbidden("user_not_allowed_for_private_app")
-
-
-def _resolve_user_id(data: AuthData) -> str | None:
-    if data.token_type == TokenType.OAUTH_ACCOUNT:
-        return str(data.account_id) if data.account_id is not None else None
-    if data.external_identity is None:
-        return None
-    account = AccountService.get_account_by_email(db.session, data.external_identity.email)
-    return str(account.id) if account is not None else None

api/controllers/openapi/files.py

@@ -17,11 +17,11 @@ from controllers.common.errors import (
     UnsupportedFileTypeError,
 )
 from controllers.openapi import openapi_ns
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData
+from controllers.openapi.auth.composition import OAUTH_BEARER_PIPELINE
 from extensions.ext_database import db
 from fields.file_fields import FileResponse
 from libs.oauth_bearer import Scope
+from models import Account, App
 from services.file_service import FileService
 
 
@@ -39,9 +39,8 @@ class AppFileUploadApi(Resource):
         }
     )
     @openapi_ns.response(HTTPStatus.CREATED, "File uploaded", openapi_ns.models[FileResponse.__name__])
-    @auth_router.guard(scope=Scope.APPS_RUN)
-    def post(self, app_id: str, *, auth_data: AuthData):
-        app_model, caller, _ = auth_data.require_app_context()
+    @OAUTH_BEARER_PIPELINE.guard(scope=Scope.APPS_RUN)
+    def post(self, app_id: str, app_model: App, caller: Account, caller_kind: str):
         if "file" not in request.files:
             raise NoFileUploadedError()
         if len(request.files) > 1:

api/controllers/openapi/human_input_form.py

@@ -17,8 +17,7 @@ from werkzeug.exceptions import BadRequest, NotFound
 from controllers.common.human_input import HumanInputFormSubmitPayload, stringify_form_default_values
 from controllers.common.schema import register_schema_models
 from controllers.openapi import openapi_ns
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData
+from controllers.openapi.auth.composition import OAUTH_BEARER_PIPELINE
 from core.workflow.human_input_policy import HumanInputSurface, is_recipient_type_allowed_for_surface
 from extensions.ext_database import db
 from libs.helper import to_timestamp
@@ -56,9 +55,8 @@ def _ensure_form_is_allowed_for_openapi(form) -> None:
 @openapi_ns.route("/apps/<string:app_id>/form/human_input/<string:form_token>")
 class OpenApiWorkflowHumanInputFormApi(Resource):
     @openapi_ns.response(200, "Form definition")
-    @auth_router.guard(scope=Scope.APPS_RUN)
-    def get(self, app_id: str, form_token: str, *, auth_data: AuthData):
-        app_model, caller, caller_kind = auth_data.require_app_context()
+    @OAUTH_BEARER_PIPELINE.guard(scope=Scope.APPS_RUN)
+    def get(self, app_id: str, form_token: str, app_model: App, caller, caller_kind: str):
         service = HumanInputService(db.engine)
         form = service.get_form_by_token(form_token)
         if form is None:
@@ -71,9 +69,8 @@ class OpenApiWorkflowHumanInputFormApi(Resource):
 
     @openapi_ns.expect(openapi_ns.models[HumanInputFormSubmitPayload.__name__])
     @openapi_ns.response(200, "Form submitted")
-    @auth_router.guard(scope=Scope.APPS_RUN)
-    def post(self, app_id: str, form_token: str, *, auth_data: AuthData):
-        app_model, caller, caller_kind = auth_data.require_app_context()
+    @OAUTH_BEARER_PIPELINE.guard(scope=Scope.APPS_RUN)
+    def post(self, app_id: str, form_token: str, app_model: App, caller, caller_kind: str):
         payload = HumanInputFormSubmitPayload.model_validate(request.get_json(silent=True) or {})
 
         service = HumanInputService(db.engine)

api/controllers/openapi/workflow_events.py

@@ -17,8 +17,7 @@ from sqlalchemy.orm import sessionmaker
 from werkzeug.exceptions import NotFound, UnprocessableEntity
 
 from controllers.openapi import openapi_ns
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData
+from controllers.openapi.auth.composition import OAUTH_BEARER_PIPELINE
 from core.app.apps.advanced_chat.app_generator import AdvancedChatAppGenerator
 from core.app.apps.base_app_generator import BaseAppGenerator
 from core.app.apps.common.workflow_response_converter import WorkflowResponseConverter
@@ -29,7 +28,7 @@ from core.workflow.human_input_policy import HumanInputSurface
 from extensions.ext_database import db
 from libs.oauth_bearer import Scope
 from models.enums import CreatorUserRole
-from models.model import AppMode
+from models.model import App, AppMode
 from repositories.factory import DifyAPIRepositoryFactory
 from services.workflow_event_snapshot_service import build_workflow_event_stream
 
@@ -37,9 +36,8 @@ from services.workflow_event_snapshot_service import build_workflow_event_stream
 @openapi_ns.route("/apps/<string:app_id>/tasks/<string:task_id>/events")
 class OpenApiWorkflowEventsApi(Resource):
     @openapi_ns.response(200, "SSE event stream")
-    @auth_router.guard(scope=Scope.APPS_RUN)
-    def get(self, app_id: str, task_id: str, *, auth_data: AuthData):
-        app_model, caller, caller_kind = auth_data.require_app_context()
+    @OAUTH_BEARER_PIPELINE.guard(scope=Scope.APPS_RUN)
+    def get(self, app_id: str, task_id: str, app_model: App, caller, caller_kind: str):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.WORKFLOW, AppMode.ADVANCED_CHAT}:
             raise UnprocessableEntity("mode_not_supported_for_event_reconnect")

api/controllers/openapi/workspaces.py

@@ -1,129 +1,41 @@
-"""User-scoped workspace reads and member management under /openapi/v1/workspaces.
+"""User-scoped workspace reads under /openapi/v1/workspaces. Bearer-authed
+counterparts to the cookie-authed /console/api/workspaces endpoints.
 
-Bearer-authed counterparts to the cookie-authed /console/api/workspaces
-endpoints. Account bearers (dfoa_) see every tenant they're a member of.
-External SSO bearers (dfoe_) have no account_id and so see an empty list —
-that matches /openapi/v1/account.
-
-Member-management endpoints are gated by both `accept_subjects` (SSO out)
-and `require_workspace_role` (membership / role lookup against the path's
-``workspace_id``).
+Account bearers (dfoa_) see every tenant they're a member of. External
+SSO bearers (dfoe_) have no account_id and so see an empty list — that
+matches /openapi/v1/account.
 """
 
 from __future__ import annotations
 
 from itertools import starmap
-from urllib import parse
 
-from flask import jsonify, make_response, request
 from flask_restx import Resource
-from pydantic import BaseModel, ValidationError
-from werkzeug.exceptions import BadRequest, Forbidden, NotFound
+from werkzeug.exceptions import NotFound
 
-from configs import dify_config
-from controllers.common.schema import query_params_from_model
 from controllers.openapi import openapi_ns
-from controllers.openapi._models import (
-    MemberActionResponse,
-    MemberInvitePayload,
-    MemberInviteResponse,
-    MemberListQuery,
-    MemberListResponse,
-    MemberResponse,
-    MemberRoleUpdatePayload,
-    WorkspaceDetailResponse,
-    WorkspaceListResponse,
-    WorkspaceSummaryResponse,
-)
-from controllers.openapi.auth.composition import auth_router
-from controllers.openapi.auth.data import AuthData
-from controllers.openapi.auth.role_gate import require_workspace_role
+from controllers.openapi._models import WorkspaceDetailResponse, WorkspaceListResponse, WorkspaceSummaryResponse
+from controllers.openapi.auth.surface_gate import accept_subjects
 from extensions.ext_database import db
-from libs.oauth_bearer import Scope, TokenType
-from models import Account, Tenant, TenantAccountJoin
-from models.account import TenantAccountRole, TenantStatus
-from services.account_service import AccountService, RegisterService, TenantService
-from services.errors.account import (
-    AccountAlreadyInTenantError,
-    AccountNotLinkTenantError,
-    AccountRegisterError,
-    CannotOperateSelfError,
-    MemberNotInTenantError,
-    NoPermissionError,
-    RoleAlreadyAssignedError,
+from libs.oauth_bearer import (
+    ACCEPT_USER_ANY,
+    SubjectType,
+    get_auth_ctx,
+    validate_bearer,
 )
-from services.feature_service import FeatureService
-
-
-def _validate_body[M: BaseModel](model: type[M]) -> M:
-    body = request.get_json(silent=True) or {}
-    try:
-        return model.model_validate(body)
-    except ValidationError as exc:
-        raise BadRequest(str(exc))
-
-
-def _member_response(account: Account) -> MemberResponse:
-    return MemberResponse(
-        id=str(account.id),
-        name=account.name,
-        email=account.email,
-        role=account.role.value if account.role else "",
-        status=account.status.value if account.status else "",
-        avatar=account.avatar,
-    )
-
-
-def _load_tenant(workspace_id: str) -> Tenant:
-    tenant = TenantService.get_tenant_by_id(db.session, workspace_id)
-    if tenant is None or tenant.status != TenantStatus.NORMAL:
-        raise NotFound("workspace not found")
-    return tenant
-
-
-def _load_account(account_id: object) -> Account:
-    account = AccountService.get_account_by_id(db.session, str(account_id)) if account_id else None
-    if account is None:
-        raise RuntimeError("authenticated account_id has no Account row")
-    return account
-
-
-def _quota_error(*, code: str, message: str, hint: str) -> Forbidden:
-    err = Forbidden(message)
-    err.response = make_response(
-        jsonify({"code": code, "message": message, "hint": hint}),
-        403,
-    )
-    return err
-
-
-def _check_member_invite_quota(tenant_id: str) -> None:
-    features = FeatureService.get_features(tenant_id)
-
-    if features.billing.enabled:
-        members = features.members
-        if 0 < members.limit <= members.size:
-            raise _quota_error(
-                code="members.limit_exceeded",
-                message="Subscription member limit reached.",
-                hint="Upgrade your plan to invite more members or remove an existing member first.",
-            )
-
-    if features.workspace_members.enabled:
-        if not features.workspace_members.is_available(1):
-            raise _quota_error(
-                code="workspace_members.license_exceeded",
-                message="Workspace member license capacity reached.",
-                hint="Contact your workspace administrator to expand the license seat count.",
-            )
+from models import Tenant, TenantAccountJoin
+from services.account_service import TenantService
 
 
 @openapi_ns.route("/workspaces")
 class WorkspacesApi(Resource):
     @openapi_ns.response(200, "Workspace list", openapi_ns.models[WorkspaceListResponse.__name__])
-    @auth_router.guard(scope=Scope.WORKSPACE_READ, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def get(self, *, auth_data: AuthData):
-        rows = TenantService.get_workspaces_for_account(db.session, str(auth_data.account_id))
+    @validate_bearer(accept=ACCEPT_USER_ANY)
+    @accept_subjects(SubjectType.ACCOUNT)
+    def get(self):
+        ctx = get_auth_ctx()
+
+        rows = TenantService.get_workspaces_for_account(db.session, str(ctx.account_id))
 
         return WorkspaceListResponse(workspaces=list(starmap(_workspace_summary, rows))).model_dump(mode="json"), 200
 
@@ -131,9 +43,12 @@ class WorkspacesApi(Resource):
 @openapi_ns.route("/workspaces/<string:workspace_id>")
 class WorkspaceByIdApi(Resource):
     @openapi_ns.response(200, "Workspace detail", openapi_ns.models[WorkspaceDetailResponse.__name__])
-    @auth_router.guard(scope=Scope.WORKSPACE_READ, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    def get(self, workspace_id: str, *, auth_data: AuthData):
-        row = TenantService.find_workspace_for_account(db.session, str(auth_data.account_id), workspace_id)
+    @validate_bearer(accept=ACCEPT_USER_ANY)
+    @accept_subjects(SubjectType.ACCOUNT)
+    def get(self, workspace_id: str):
+        ctx = get_auth_ctx()
+
+        row = TenantService.find_workspace_for_account(db.session, str(ctx.account_id), workspace_id)
         # 404 (not 403) on non-member so workspace IDs don't leak across tenants.
         if row is None:
             raise NotFound("workspace not found")
@@ -142,172 +57,6 @@ class WorkspaceByIdApi(Resource):
         return _workspace_detail(tenant, membership).model_dump(mode="json"), 200
 
 
-@openapi_ns.route("/workspaces/<string:workspace_id>/switch")
-class WorkspaceSwitchApi(Resource):
-    """Server-side switch — equivalent to the console's POST /workspaces/switch.
-
-    CLI `difyctl use workspace <id>` calls this; it does NOT mutate
-    ``hosts.yml`` on its own. Failure here must abort the local write so
-    that ``hosts.yml`` never diverges from the server's ``current`` state.
-    """
-
-    @openapi_ns.response(200, "Workspace detail", openapi_ns.models[WorkspaceDetailResponse.__name__])
-    @auth_router.guard(scope=Scope.WORKSPACE_READ, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    @require_workspace_role()
-    def post(self, workspace_id: str, *, auth_data: AuthData):
-        account = _load_account(auth_data.account_id)
-
-        try:
-            TenantService.switch_tenant(account, workspace_id)
-        except AccountNotLinkTenantError:
-            raise NotFound("workspace not found")
-
-        row = TenantService.find_workspace_for_account(db.session, str(auth_data.account_id), workspace_id)
-        if row is None:
-            raise NotFound("workspace not found")
-        tenant, membership = row
-        return _workspace_detail(tenant, membership).model_dump(mode="json"), 200
-
-
-@openapi_ns.route("/workspaces/<string:workspace_id>/members")
-class WorkspaceMembersApi(Resource):
-    """List + invite members.
-
-    GET is any-member. POST requires admin/owner — owner can never be
-    assigned through invite (ownership transfer is console-only).
-    """
-
-    @openapi_ns.doc(params=query_params_from_model(MemberListQuery))
-    @openapi_ns.response(200, "Member list", openapi_ns.models[MemberListResponse.__name__])
-    @auth_router.guard(scope=Scope.WORKSPACE_READ, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    @require_workspace_role()
-    def get(self, workspace_id: str, *, auth_data: AuthData):
-        try:
-            query = MemberListQuery.model_validate(request.args.to_dict(flat=True))
-        except ValidationError as exc:
-            raise BadRequest(str(exc))
-
-        tenant = _load_tenant(workspace_id)
-        members = TenantService.get_tenant_members(tenant)
-        total = len(members)
-        start = (query.page - 1) * query.limit
-        page_items = members[start : start + query.limit]
-        return MemberListResponse(
-            page=query.page,
-            limit=query.limit,
-            total=total,
-            has_more=query.page * query.limit < total,
-            data=[_member_response(m) for m in page_items],
-        ).model_dump(mode="json"), 200
-
-    @openapi_ns.expect(openapi_ns.models[MemberInvitePayload.__name__])
-    @openapi_ns.response(201, "Member invited", openapi_ns.models[MemberInviteResponse.__name__])
-    @auth_router.guard(scope=Scope.WORKSPACE_WRITE, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    @require_workspace_role(TenantAccountRole.OWNER, TenantAccountRole.ADMIN)
-    def post(self, workspace_id: str, *, auth_data: AuthData):
-        payload = _validate_body(MemberInvitePayload)
-        inviter = _load_account(auth_data.account_id)
-        tenant = _load_tenant(workspace_id)
-
-        _check_member_invite_quota(str(tenant.id))
-
-        try:
-            token = RegisterService.invite_new_member(
-                tenant=tenant,
-                email=payload.email,
-                language=None,
-                role=payload.role,
-                inviter=inviter,
-            )
-        except AccountAlreadyInTenantError as exc:
-            raise BadRequest(str(exc))
-        except NoPermissionError as exc:
-            raise BadRequest(str(exc))
-        except AccountRegisterError as exc:
-            raise BadRequest(str(exc))
-
-        normalized_email = payload.email.lower()
-        member = AccountService.get_account_by_email_with_case_fallback(normalized_email)
-        if member is None:
-            # invite_new_member just created or fetched this account.
-            raise RuntimeError("invited member missing from DB after invite")
-
-        encoded_email = parse.quote(normalized_email)
-        invite_url = f"{dify_config.CONSOLE_WEB_URL}/activate?email={encoded_email}&token={token}"
-        return MemberInviteResponse(
-            email=normalized_email,
-            role=payload.role,
-            member_id=str(member.id),
-            invite_url=invite_url,
-            tenant_id=str(tenant.id),
-        ).model_dump(mode="json"), 201
-
-
-@openapi_ns.route("/workspaces/<string:workspace_id>/members/<string:member_id>")
-class WorkspaceMemberApi(Resource):
-    """Remove a member.
-
-    Self-removal and owner-removal are explicitly rejected by the service
-    layer (CannotOperateSelfError, NoPermissionError) — both surface as
-    400 per the spec, with the service's message preserved.
-    """
-
-    @openapi_ns.response(200, "Member removed", openapi_ns.models[MemberActionResponse.__name__])
-    @auth_router.guard(scope=Scope.WORKSPACE_WRITE, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    @require_workspace_role(TenantAccountRole.OWNER, TenantAccountRole.ADMIN)
-    def delete(self, workspace_id: str, member_id: str, *, auth_data: AuthData):
-        operator = _load_account(auth_data.account_id)
-        tenant = _load_tenant(workspace_id)
-        member = AccountService.get_account_by_id(db.session, member_id)
-        if member is None:
-            raise NotFound("member not found")
-
-        try:
-            TenantService.remove_member_from_tenant(tenant, member, operator)
-        except CannotOperateSelfError as exc:
-            raise BadRequest(str(exc))
-        except NoPermissionError as exc:
-            raise BadRequest(str(exc))
-        except MemberNotInTenantError as exc:
-            raise NotFound(str(exc))
-
-        return MemberActionResponse().model_dump(mode="json"), 200
-
-
-@openapi_ns.route("/workspaces/<string:workspace_id>/members/<string:member_id>/role")
-class WorkspaceMemberRoleApi(Resource):
-    """Change a member's role.
-
-    Owner cannot be assigned here (closed enum). Admin cannot demote the
-    standing owner (service NoPermissionError → 400, per spec).
-    """
-
-    @openapi_ns.expect(openapi_ns.models[MemberRoleUpdatePayload.__name__])
-    @openapi_ns.response(200, "Role updated", openapi_ns.models[MemberActionResponse.__name__])
-    @auth_router.guard(scope=Scope.WORKSPACE_WRITE, allowed_token_types=frozenset({TokenType.OAUTH_ACCOUNT}))
-    @require_workspace_role(TenantAccountRole.OWNER, TenantAccountRole.ADMIN)
-    def put(self, workspace_id: str, member_id: str, *, auth_data: AuthData):
-        payload = _validate_body(MemberRoleUpdatePayload)
-        operator = _load_account(auth_data.account_id)
-        tenant = _load_tenant(workspace_id)
-        member = AccountService.get_account_by_id(db.session, member_id)
-        if member is None:
-            raise NotFound("member not found")
-
-        try:
-            TenantService.update_member_role(tenant, member, payload.role, operator)
-        except CannotOperateSelfError as exc:
-            raise BadRequest(str(exc))
-        except NoPermissionError as exc:
-            raise BadRequest(str(exc))
-        except MemberNotInTenantError as exc:
-            raise NotFound(str(exc))
-        except RoleAlreadyAssignedError as exc:
-            raise BadRequest(str(exc))
-
-        return MemberActionResponse().model_dump(mode="json"), 200
-
-
 def _workspace_summary(tenant: Tenant, membership: TenantAccountJoin) -> WorkspaceSummaryResponse:
     return WorkspaceSummaryResponse(
         id=str(tenant.id),

api/controllers/service_api/dataset/hit_testing.py

@@ -1,14 +1,11 @@
 from uuid import UUID
 
-from controllers.common.schema import register_response_schema_models, register_schema_models
+from controllers.common.schema import register_schema_model
 from controllers.console.datasets.hit_testing_base import DatasetsHitTestingBase, HitTestingPayload
 from controllers.service_api import service_api_ns
 from controllers.service_api.wraps import DatasetApiResource, cloud_edition_billing_rate_limit_check
-from fields.hit_testing_fields import HitTestingResponse
-from libs.helper import dump_response
 
-register_schema_models(service_api_ns, HitTestingPayload)
-register_response_schema_models(service_api_ns, HitTestingResponse)
+register_schema_model(service_api_ns, HitTestingPayload)
 
 
 @service_api_ns.route("/datasets/<uuid:dataset_id>/hit-testing", "/datasets/<uuid:dataset_id>/retrieve")
@@ -16,16 +13,16 @@ class HitTestingApi(DatasetApiResource, DatasetsHitTestingBase):
     @service_api_ns.doc("dataset_hit_testing")
     @service_api_ns.doc(description="Perform hit testing on a dataset")
     @service_api_ns.doc(params={"dataset_id": "Dataset ID"})
-    @service_api_ns.response(
-        200,
-        "Hit testing results",
-        model=service_api_ns.models[HitTestingResponse.__name__],
+    @service_api_ns.doc(
+        responses={
+            200: "Hit testing results",
+            401: "Unauthorized - invalid API token",
+            404: "Dataset not found",
+        }
     )
-    @service_api_ns.response(401, "Unauthorized - invalid API token")
-    @service_api_ns.response(404, "Dataset not found")
     @service_api_ns.expect(service_api_ns.models[HitTestingPayload.__name__])
     @cloud_edition_billing_rate_limit_check("knowledge", "dataset")
-    def post(self, tenant_id: str, dataset_id: UUID) -> dict[str, object]:
+    def post(self, tenant_id, dataset_id: UUID):
         """Perform hit testing on a dataset.
 
         Tests retrieval performance for the specified dataset.
@@ -36,4 +33,4 @@ class HitTestingApi(DatasetApiResource, DatasetsHitTestingBase):
         args = self.parse_args(service_api_ns.payload)
         self.hit_testing_args_check(args)
 
-        return dump_response(HitTestingResponse, self.perform_hit_testing(dataset, args))
+        return self.perform_hit_testing(dataset, args)

api/controllers/service_api/wraps.py

@@ -13,7 +13,6 @@ from pydantic import BaseModel
 from sqlalchemy import select
 from werkzeug.exceptions import Forbidden, NotFound, Unauthorized
 
-from configs import dify_config
 from enums.cloud_plan import CloudPlan
 from extensions.ext_database import db
 from extensions.ext_redis import redis_client
@@ -141,26 +140,20 @@ def cloud_edition_billing_resource_check[**P, R](
     def interceptor(view: Callable[P, R]):
         def decorated(*args: P.args, **kwargs: P.kwargs):
             api_token = validate_and_get_api_token(api_token_type)
-            if resource == "vector_space":
-                if not dify_config.BILLING_ENABLED:
-                    return view(*args, **kwargs)
-
-                vector_space = FeatureService.get_vector_space(api_token.tenant_id)
-                if 0 < vector_space.limit <= vector_space.size:
-                    raise Forbidden("The capacity of the vector space has reached the limit of your subscription.")
-                return view(*args, **kwargs)
-
-            features = FeatureService.get_features(api_token.tenant_id, exclude_vector_space=True)
+            features = FeatureService.get_features(api_token.tenant_id)
 
             if features.billing.enabled:
                 members = features.members
                 apps = features.apps
+                vector_space = features.vector_space
                 documents_upload_quota = features.documents_upload_quota
 
                 if resource == "members" and 0 < members.limit <= members.size:
                     raise Forbidden("The number of members has reached the limit of your subscription.")
                 elif resource == "apps" and 0 < apps.limit <= apps.size:
                     raise Forbidden("The number of apps has reached the limit of your subscription.")
+                elif resource == "vector_space" and 0 < vector_space.limit <= vector_space.size:
+                    raise Forbidden("The capacity of the vector space has reached the limit of your subscription.")
                 elif resource == "documents" and 0 < documents_upload_quota.limit <= documents_upload_quota.size:
                     raise Forbidden("The number of documents has reached the limit of your subscription.")
                 else:
@@ -181,7 +174,7 @@ def cloud_edition_billing_knowledge_limit_check[**P, R](
         @wraps(view)
         def decorated(*args: P.args, **kwargs: P.kwargs):
             api_token = validate_and_get_api_token(api_token_type)
-            features = FeatureService.get_features(api_token.tenant_id, exclude_vector_space=True)
+            features = FeatureService.get_features(api_token.tenant_id)
             if features.billing.enabled:
                 if resource == "add_segment":
                     if features.billing.subscription.plan == CloudPlan.SANDBOX:

api/controllers/web/app.py

@@ -12,7 +12,7 @@ from controllers.common.schema import register_response_schema_models, register_
 from core.app.app_config.common.parameters_mapping import get_parameters_from_feature_dict
 from libs.passport import PassportService
 from libs.token import extract_webapp_passport
-from models.model import App, AppMode, EndUser
+from models.model import App, AppMode
 from services.app_service import AppService
 from services.enterprise.enterprise_service import EnterpriseService
 from services.feature_service import FeatureService
@@ -56,7 +56,7 @@ class AppParameterApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def get(self, app_model: App, end_user: EndUser):
+    def get(self, app_model: App, end_user):
         """Retrieve app parameters."""
         if app_model.mode in {AppMode.ADVANCED_CHAT, AppMode.WORKFLOW}:
             workflow = app_model.workflow
@@ -92,7 +92,7 @@ class AppMeta(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def get(self, app_model: App, end_user: EndUser):
+    def get(self, app_model: App, end_user):
         """Get app meta"""
         return AppService().get_app_meta(app_model)
 

api/controllers/web/completion.py

@@ -29,7 +29,7 @@ from core.errors.error import (
 from graphon.model_runtime.errors.invoke import InvokeError
 from libs import helper
 from libs.helper import uuid_value
-from models.model import App, AppMode, EndUser
+from models.model import AppMode
 from services.app_generate_service import AppGenerateService
 from services.app_task_service import AppTaskService
 from services.errors.llm import InvokeRateLimitError
@@ -86,7 +86,7 @@ class CompletionApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def post(self, app_model: App, end_user: EndUser):
+    def post(self, app_model, end_user):
         if app_model.mode != AppMode.COMPLETION:
             raise NotCompletionAppError()
 
@@ -140,7 +140,7 @@ class CompletionStopApi(WebApiResource):
         }
     )
     @web_ns.response(200, "Success", web_ns.models[SimpleResultResponse.__name__])
-    def post(self, app_model: App, end_user: EndUser, task_id: str):
+    def post(self, app_model, end_user, task_id: str):
         if app_model.mode != AppMode.COMPLETION:
             raise NotCompletionAppError()
 
@@ -169,7 +169,7 @@ class ChatApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def post(self, app_model: App, end_user: EndUser):
+    def post(self, app_model, end_user):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -226,7 +226,7 @@ class ChatStopApi(WebApiResource):
         }
     )
     @web_ns.response(200, "Success", web_ns.models[SimpleResultResponse.__name__])
-    def post(self, app_model: App, end_user: EndUser, task_id: str):
+    def post(self, app_model, end_user, task_id: str):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()

api/controllers/web/conversation.py

@@ -19,7 +19,7 @@ from fields.conversation_fields import (
     SimpleConversation,
 )
 from libs.helper import uuid_value
-from models.model import App, AppMode, EndUser
+from models.model import AppMode
 from services.conversation_service import ConversationService
 from services.errors.conversation import ConversationNotExistsError, LastConversationNotExistsError
 from services.web_conversation_service import WebConversationService
@@ -81,7 +81,7 @@ class ConversationListApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def get(self, app_model: App, end_user: EndUser):
+    def get(self, app_model, end_user):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -127,7 +127,7 @@ class ConversationApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def delete(self, app_model: App, end_user: EndUser, c_id: UUID):
+    def delete(self, app_model, end_user, c_id: UUID):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -166,7 +166,7 @@ class ConversationRenameApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def post(self, app_model: App, end_user: EndUser, c_id: UUID):
+    def post(self, app_model, end_user, c_id: UUID):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -204,7 +204,7 @@ class ConversationPinApi(WebApiResource):
         }
     )
     @web_ns.response(200, "Conversation pinned successfully", web_ns.models[ResultResponse.__name__])
-    def patch(self, app_model: App, end_user: EndUser, c_id: UUID):
+    def patch(self, app_model, end_user, c_id: UUID):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -235,7 +235,7 @@ class ConversationUnPinApi(WebApiResource):
         }
     )
     @web_ns.response(200, "Conversation unpinned successfully", web_ns.models[ResultResponse.__name__])
-    def patch(self, app_model: App, end_user: EndUser, c_id: UUID):
+    def patch(self, app_model, end_user, c_id: UUID):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()

api/controllers/web/files.py

@@ -13,7 +13,6 @@ from controllers.web import web_ns
 from controllers.web.wraps import WebApiResource
 from extensions.ext_database import db
 from fields.file_fields import FileResponse
-from models.model import App, EndUser
 from services.file_service import FileService
 
 register_schema_models(web_ns, FileResponse)
@@ -32,7 +31,7 @@ class FileApi(WebApiResource):
         }
     )
     @web_ns.response(201, "File uploaded successfully", web_ns.models[FileResponse.__name__])
-    def post(self, app_model: App, end_user: EndUser):
+    def post(self, app_model, end_user):
         """Upload a file for use in web applications.
 
         Accepts file uploads for use within web applications, supporting

api/controllers/web/message.py

@@ -27,7 +27,7 @@ from fields.message_fields import SuggestedQuestionsResponse, WebMessageInfinite
 from graphon.model_runtime.errors.invoke import InvokeError
 from libs import helper
 from models.enums import FeedbackRating
-from models.model import App, AppMode, EndUser
+from models.model import AppMode
 from services.app_generate_service import AppGenerateService
 from services.errors.app import MoreLikeThisDisabledError
 from services.errors.conversation import ConversationNotExistsError
@@ -81,7 +81,7 @@ class MessageListApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def get(self, app_model: App, end_user: EndUser):
+    def get(self, app_model, end_user):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()
@@ -133,7 +133,7 @@ class MessageFeedbackApi(WebApiResource):
         }
     )
     @web_ns.response(200, "Feedback submitted successfully", web_ns.models[ResultResponse.__name__])
-    def post(self, app_model: App, end_user: EndUser, message_id: UUID):
+    def post(self, app_model, end_user, message_id: UUID):
         message_id_str = str(message_id)
 
         payload = MessageFeedbackPayload.model_validate(web_ns.payload or {})
@@ -167,7 +167,7 @@ class MessageMoreLikeThisApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def get(self, app_model: App, end_user: EndUser, message_id: UUID):
+    def get(self, app_model, end_user, message_id: UUID):
         if app_model.mode != "completion":
             raise NotCompletionAppError()
 
@@ -223,7 +223,7 @@ class MessageSuggestedQuestionApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def get(self, app_model: App, end_user: EndUser, message_id: UUID):
+    def get(self, app_model, end_user, message_id: UUID):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
             raise NotChatAppError()

api/controllers/web/remote_files.py

@@ -13,7 +13,6 @@ from core.helper import ssrf_proxy
 from extensions.ext_database import db
 from fields.file_fields import FileWithSignedUrl, RemoteFileInfo
 from graphon.file import helpers as file_helpers
-from models.model import App, EndUser
 from services.file_service import FileService
 
 from ..common.schema import register_response_schema_models, register_schema_models
@@ -42,7 +41,7 @@ class RemoteFileInfoApi(WebApiResource):
         }
     )
     @web_ns.response(200, "Remote file info", web_ns.models[RemoteFileInfo.__name__])
-    def get(self, app_model: App, end_user: EndUser, url: str):
+    def get(self, app_model, end_user, url):
         """Get information about a remote file.
 
         Retrieves basic information about a file located at a remote URL,
@@ -86,7 +85,7 @@ class RemoteFileUploadApi(WebApiResource):
         }
     )
     @web_ns.response(201, "Remote file uploaded", web_ns.models[FileWithSignedUrl.__name__])
-    def post(self, app_model: App, end_user: EndUser):
+    def post(self, app_model, end_user):
         """Upload a file from a remote URL.
 
         Downloads a file from the provided remote URL and uploads it

api/controllers/web/saved_message.py

@@ -11,7 +11,6 @@ from controllers.web.error import NotCompletionAppError
 from controllers.web.wraps import WebApiResource
 from fields.conversation_fields import ResultResponse
 from fields.message_fields import SavedMessageInfiniteScrollPagination, SavedMessageItem
-from models.model import App, EndUser
 from services.errors.message import MessageNotExistsError
 from services.saved_message_service import SavedMessageService
 
@@ -44,7 +43,7 @@ class SavedMessageListApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def get(self, app_model: App, end_user: EndUser):
+    def get(self, app_model, end_user):
         if app_model.mode != "completion":
             raise NotCompletionAppError()
 
@@ -78,7 +77,7 @@ class SavedMessageListApi(WebApiResource):
         }
     )
     @web_ns.response(200, "Message saved successfully", web_ns.models[ResultResponse.__name__])
-    def post(self, app_model: App, end_user: EndUser):
+    def post(self, app_model, end_user):
         if app_model.mode != "completion":
             raise NotCompletionAppError()
 
@@ -107,7 +106,7 @@ class SavedMessageApi(WebApiResource):
             500: "Internal Server Error",
         }
     )
-    def delete(self, app_model: App, end_user: EndUser, message_id: UUID):
+    def delete(self, app_model, end_user, message_id: UUID):
         message_id_str = str(message_id)
 
         if app_model.mode != "completion":

api/controllers/web/site.py

@@ -10,7 +10,7 @@ from controllers.web.wraps import WebApiResource
 from extensions.ext_database import db
 from libs.helper import AppIconUrlField
 from models.account import TenantStatus
-from models.model import App, EndUser, Site
+from models.model import App, Site
 from services.feature_service import FeatureService
 
 
@@ -70,7 +70,7 @@ class AppSiteApi(WebApiResource):
         }
     )
     @marshal_with(app_fields)
-    def get(self, app_model: App, end_user: EndUser):
+    def get(self, app_model, end_user):
         """Retrieve app site info."""
         # get site
         site = db.session.scalar(select(Site).where(Site.app_id == app_model.id).limit(1))
@@ -78,10 +78,10 @@ class AppSiteApi(WebApiResource):
         if not site:
             raise Forbidden()
 
-        if app_model.tenant and app_model.tenant.status == TenantStatus.ARCHIVE:
+        if app_model.tenant.status == TenantStatus.ARCHIVE:
             raise Forbidden()
 
-        can_replace_logo = FeatureService.get_features(app_model.tenant_id, exclude_vector_space=True).can_replace_logo
+        can_replace_logo = FeatureService.get_features(app_model.tenant_id).can_replace_logo
 
         return AppSiteInfo(app_model.tenant, app_model, site, end_user.id, can_replace_logo)
 
@@ -119,6 +119,6 @@ def serialize_site(site: Site) -> dict[str, Any]:
 
 
 def serialize_app_site_payload(app_model: App, site: Site, end_user_id: str | None) -> dict[str, Any]:
-    can_replace_logo = FeatureService.get_features(app_model.tenant_id, exclude_vector_space=True).can_replace_logo
+    can_replace_logo = FeatureService.get_features(app_model.tenant_id).can_replace_logo
     app_site_info = AppSiteInfo(app_model.tenant, app_model, site, end_user_id, can_replace_logo)
     return cast(dict[str, Any], marshal(app_site_info, AppSiteApi.app_fields))

api/core/agent/base_agent_runner.py

@@ -22,6 +22,9 @@ from core.memory.token_buffer_memory import TokenBufferMemory
 from core.model_manager import ModelInstance
 from core.prompt.utils.extract_thread_messages import extract_thread_messages
 from core.tools.__base.tool import Tool
+from core.tools.entities.tool_entities import (
+    ToolParameter,
+)
 from core.tools.tool_manager import ToolManager
 from core.tools.utils.dataset_retriever_tool import DatasetRetrieverTool
 from extensions.ext_database import db
@@ -147,9 +150,44 @@ class BaseAgentRunner(AppRunner):
         message_tool = PromptMessageTool(
             name=tool.tool_name,
             description=tool_entity.entity.description.llm,
-            parameters=tool_entity.get_llm_parameters_json_schema(),
+            parameters={
+                "type": "object",
+                "properties": {},
+                "required": [],
+            },
         )
 
+        parameters = tool_entity.get_merged_runtime_parameters()
+        for parameter in parameters:
+            if parameter.form != ToolParameter.ToolParameterForm.LLM:
+                continue
+
+            parameter_type = parameter.type.as_normal_type()
+            if parameter.type in {
+                ToolParameter.ToolParameterType.SYSTEM_FILES,
+                ToolParameter.ToolParameterType.FILE,
+                ToolParameter.ToolParameterType.FILES,
+            }:
+                continue
+            enum = []
+            if parameter.type == ToolParameter.ToolParameterType.SELECT:
+                enum = [option.value for option in parameter.options] if parameter.options else []
+
+            message_tool.parameters["properties"][parameter.name] = (
+                {
+                    "type": parameter_type,
+                    "description": parameter.llm_description or "",
+                }
+                if parameter.input_schema is None
+                else parameter.input_schema
+            )
+
+            if len(enum) > 0:
+                message_tool.parameters["properties"][parameter.name]["enum"] = enum
+
+            if parameter.required:
+                message_tool.parameters["required"].append(parameter.name)
+
         return message_tool, tool_entity
 
     def _convert_dataset_retriever_tool_to_prompt_message_tool(self, tool: DatasetRetrieverTool) -> PromptMessageTool:
@@ -214,7 +252,40 @@ class BaseAgentRunner(AppRunner):
         """
         update prompt message tool
         """
-        prompt_tool.parameters = tool.get_llm_parameters_json_schema()
+        # try to get tool runtime parameters
+        tool_runtime_parameters = tool.get_runtime_parameters()
+
+        for parameter in tool_runtime_parameters:
+            if parameter.form != ToolParameter.ToolParameterForm.LLM:
+                continue
+
+            parameter_type = parameter.type.as_normal_type()
+            if parameter.type in {
+                ToolParameter.ToolParameterType.SYSTEM_FILES,
+                ToolParameter.ToolParameterType.FILE,
+                ToolParameter.ToolParameterType.FILES,
+            }:
+                continue
+            enum = []
+            if parameter.type == ToolParameter.ToolParameterType.SELECT:
+                enum = [option.value for option in parameter.options] if parameter.options else []
+
+            prompt_tool.parameters["properties"][parameter.name] = (
+                {
+                    "type": parameter_type,
+                    "description": parameter.llm_description or "",
+                }
+                if parameter.input_schema is None
+                else parameter.input_schema
+            )
+
+            if len(enum) > 0:
+                prompt_tool.parameters["properties"][parameter.name]["enum"] = enum
+
+            if parameter.required:
+                if parameter.name not in prompt_tool.parameters["required"]:
+                    prompt_tool.parameters["required"].append(parameter.name)
+
         return prompt_tool
 
     def create_agent_thought(

api/core/app/apps/advanced_chat/app_runner.py

@@ -27,7 +27,6 @@ from core.moderation.base import ModerationError
 from core.moderation.input_moderation import InputModeration
 from core.repositories.factory import WorkflowExecutionRepository, WorkflowNodeExecutionRepository
 from core.workflow.node_factory import get_default_root_node_id
-from core.workflow.nodes.agent_v2.session_cleanup_layer import build_workflow_agent_session_cleanup_layer
 from core.workflow.system_variables import (
     build_bootstrap_variables,
     build_system_variables,
@@ -240,7 +239,6 @@ class AdvancedChatAppRunner(WorkflowBasedAppRunner):
         )
 
         workflow_entry.graph_engine.layer(persistence_layer)
-        workflow_entry.graph_engine.layer(build_workflow_agent_session_cleanup_layer())
         conversation_variable_layer = ConversationVariablePersistenceLayer(
             ConversationVariableUpdater(session_factory.get_session_maker())
         )

api/core/app/apps/base_app_runner.py

@@ -7,7 +7,6 @@ from typing import TYPE_CHECKING, Any, Union
 
 from core.app.app_config.entities import ExternalDataVariableEntity, PromptTemplateEntity
 from core.app.apps.base_app_queue_manager import AppQueueManager, PublishFrom
-from core.app.apps.exc import GenerateTaskStoppedError
 from core.app.entities.app_invoke_entities import (
     AppGenerateEntity,
     EasyUIBasedAppGenerateEntity,
@@ -293,51 +292,46 @@ class AppRunner:
         prompt_messages: list[PromptMessage] = []
         text = ""
         usage = None
-        try:
-            for result in invoke_result:
-                if not agent:
-                    queue_manager.publish(QueueLLMChunkEvent(chunk=result), PublishFrom.APPLICATION_MANAGER)
-                else:
-                    queue_manager.publish(QueueAgentMessageEvent(chunk=result), PublishFrom.APPLICATION_MANAGER)
+        for result in invoke_result:
+            if not agent:
+                queue_manager.publish(QueueLLMChunkEvent(chunk=result), PublishFrom.APPLICATION_MANAGER)
+            else:
+                queue_manager.publish(QueueAgentMessageEvent(chunk=result), PublishFrom.APPLICATION_MANAGER)
 
-                message = result.delta.message
-                if isinstance(message.content, str):
-                    text += message.content
-                elif isinstance(message.content, list):
-                    for content in message.content:
-                        if isinstance(content, str):
-                            text += content
-                        elif isinstance(content, TextPromptMessageContent):
-                            text += content.data
-                        elif isinstance(content, ImagePromptMessageContent):
-                            if message_id and user_id and tenant_id:
-                                try:
-                                    self._handle_multimodal_image_content(
-                                        content=content,
-                                        message_id=message_id,
-                                        user_id=user_id,
-                                        tenant_id=tenant_id,
-                                        queue_manager=queue_manager,
-                                    )
-                                except Exception:
-                                    _logger.exception("Failed to handle multimodal image output")
-                            else:
-                                _logger.warning("Received multimodal output but missing required parameters")
+            message = result.delta.message
+            if isinstance(message.content, str):
+                text += message.content
+            elif isinstance(message.content, list):
+                for content in message.content:
+                    if isinstance(content, str):
+                        text += content
+                    elif isinstance(content, TextPromptMessageContent):
+                        text += content.data
+                    elif isinstance(content, ImagePromptMessageContent):
+                        if message_id and user_id and tenant_id:
+                            try:
+                                self._handle_multimodal_image_content(
+                                    content=content,
+                                    message_id=message_id,
+                                    user_id=user_id,
+                                    tenant_id=tenant_id,
+                                    queue_manager=queue_manager,
+                                )
+                            except Exception:
+                                _logger.exception("Failed to handle multimodal image output")
                         else:
-                            text += content.data if hasattr(content, "data") else str(content)
+                            _logger.warning("Received multimodal output but missing required parameters")
+                    else:
+                        text += content.data if hasattr(content, "data") else str(content)
 
-                if not model:
-                    model = result.model
+            if not model:
+                model = result.model
 
-                if not prompt_messages:
-                    prompt_messages = list(result.prompt_messages)
+            if not prompt_messages:
+                prompt_messages = list(result.prompt_messages)
 
-                if result.delta.usage:
-                    usage = result.delta.usage
-        except GenerateTaskStoppedError:
-            # Explicitly close provider stream to stop in-flight token generation ASAP.
-            invoke_result.close()
-            raise
+            if result.delta.usage:
+                usage = result.delta.usage
 
         if usage is None:
             usage = LLMUsage.empty_usage()

api/core/app/apps/workflow/app_runner.py

@@ -10,7 +10,6 @@ from core.app.entities.app_invoke_entities import InvokeFrom, WorkflowAppGenerat
 from core.app.workflow.layers.persistence import PersistenceWorkflowInfo, WorkflowPersistenceLayer
 from core.repositories.factory import WorkflowExecutionRepository, WorkflowNodeExecutionRepository
 from core.workflow.node_factory import get_default_root_node_id
-from core.workflow.nodes.agent_v2.session_cleanup_layer import build_workflow_agent_session_cleanup_layer
 from core.workflow.system_variables import build_bootstrap_variables, build_system_variables
 from core.workflow.variable_pool_initializer import add_node_inputs_to_pool, add_variables_to_pool
 from core.workflow.workflow_entry import WorkflowEntry
@@ -167,7 +166,6 @@ class WorkflowAppRunner(WorkflowBasedAppRunner):
         )
 
         workflow_entry.graph_engine.layer(persistence_layer)
-        workflow_entry.graph_engine.layer(build_workflow_agent_session_cleanup_layer())
         for layer in self._graph_engine_layers:
             workflow_entry.graph_engine.layer(layer)
 

api/core/app/workflow/layers/persistence.py

@@ -47,12 +47,6 @@ from graphon.graph_events import (
 )
 from graphon.node_events import NodeRunResult
 from libs.datetime_utils import naive_utc_now
-from services.workflow.inspector_events import (
-    publish_node_changed as _inspector_publish_node_changed,
-)
-from services.workflow.inspector_events import (
-    publish_workflow_completed as _inspector_publish_workflow_completed,
-)
 
 
 @dataclass(slots=True)
@@ -169,7 +163,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
 
         self._workflow_execution_repository.save(execution)
         self._enqueue_trace_task(execution)
-        _inspector_publish_workflow_completed(workflow_run_id=execution.id_, status=str(execution.status.value))
 
     def _handle_graph_run_partial_succeeded(self, event: GraphRunPartialSucceededEvent) -> None:
         execution = self._get_workflow_execution()
@@ -180,7 +173,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
 
         self._workflow_execution_repository.save(execution)
         self._enqueue_trace_task(execution)
-        _inspector_publish_workflow_completed(workflow_run_id=execution.id_, status=str(execution.status.value))
 
     def _handle_graph_run_failed(self, event: GraphRunFailedEvent) -> None:
         execution = self._get_workflow_execution()
@@ -192,7 +184,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
         self._fail_running_node_executions(error_message=event.error)
         self._workflow_execution_repository.save(execution)
         self._enqueue_trace_task(execution)
-        _inspector_publish_workflow_completed(workflow_run_id=execution.id_, status=str(execution.status.value))
 
     def _handle_graph_run_aborted(self, event: GraphRunAbortedEvent) -> None:
         execution = self._get_workflow_execution()
@@ -203,7 +194,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
         self._fail_running_node_executions(error_message=execution.error_message or "")
         self._workflow_execution_repository.save(execution)
         self._enqueue_trace_task(execution)
-        _inspector_publish_workflow_completed(workflow_run_id=execution.id_, status=str(execution.status.value))
 
     def _handle_graph_run_paused(self, event: GraphRunPausedEvent) -> None:
         execution = self._get_workflow_execution()
@@ -251,7 +241,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
             created_at=event.start_at,
         )
         self._node_snapshots[event.id] = snapshot
-        _inspector_publish_node_changed(workflow_run_id=execution.id_, node_id=event.node_id, status="running")
 
     def _handle_node_retry(self, event: NodeRunRetryEvent) -> None:
         domain_execution = self._get_node_execution(event.id)
@@ -259,11 +248,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
         domain_execution.error = event.error
         self._workflow_node_execution_repository.save(domain_execution)
         self._workflow_node_execution_repository.save_execution_data(domain_execution)
-        _inspector_publish_node_changed(
-            workflow_run_id=self._get_workflow_execution().id_,
-            node_id=domain_execution.node_id,
-            status="retry",
-        )
 
     def _handle_node_succeeded(self, event: NodeRunSucceededEvent) -> None:
         domain_execution = self._get_node_execution(event.id)
@@ -273,11 +257,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
             WorkflowNodeExecutionStatus.SUCCEEDED,
             finished_at=event.finished_at,
         )
-        _inspector_publish_node_changed(
-            workflow_run_id=self._get_workflow_execution().id_,
-            node_id=domain_execution.node_id,
-            status="succeeded",
-        )
 
     def _handle_node_failed(self, event: NodeRunFailedEvent) -> None:
         domain_execution = self._get_node_execution(event.id)
@@ -288,11 +267,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
             error=event.error,
             finished_at=event.finished_at,
         )
-        _inspector_publish_node_changed(
-            workflow_run_id=self._get_workflow_execution().id_,
-            node_id=domain_execution.node_id,
-            status="failed",
-        )
 
     def _handle_node_exception(self, event: NodeRunExceptionEvent) -> None:
         domain_execution = self._get_node_execution(event.id)
@@ -303,11 +277,6 @@ class WorkflowPersistenceLayer(GraphEngineLayer):
             error=event.error,
             finished_at=event.finished_at,
         )
-        _inspector_publish_node_changed(
-            workflow_run_id=self._get_workflow_execution().id_,
-            node_id=domain_execution.node_id,
-            status="exception",
-        )
 
     def _handle_node_pause_requested(self, event: NodeRunPauseRequestedEvent) -> None:
         domain_execution = self._get_node_execution(event.id)

api/core/provider_manager.py

@@ -534,9 +534,7 @@ class ProviderManager:
         cache_key = f"tenant:{tenant_id}:model_load_balancing_enabled"
         cache_result = redis_client.get(cache_key)
         if cache_result is None:
-            model_load_balancing_enabled = FeatureService.get_features(
-                tenant_id, exclude_vector_space=True
-            ).model_load_balancing_enabled
+            model_load_balancing_enabled = FeatureService.get_features(tenant_id).model_load_balancing_enabled
             redis_client.setex(cache_key, 120, str(model_load_balancing_enabled))
         else:
             cache_result = cache_result.decode("utf-8")

api/core/tools/__base/tool.py

@@ -126,89 +126,34 @@ class Tool(ABC):
         message_id: str | None = None,
     ) -> list[ToolParameter]:
         """
-        Get the effective parameter declarations for this tool.
-
-        Runtime parameters override declared parameters by name and append new
-        parameters, but the returned list is always detached from the tool's
-        cached declarations so callers can safely mutate it while building
-        downstream schemas.
+        get merged runtime parameters
 
         :return: merged runtime parameters
         """
-        parameters = [deepcopy(parameter) for parameter in self.entity.parameters or []]
-        user_parameters = [
-            deepcopy(parameter)
-            for parameter in self.get_runtime_parameters(
-                conversation_id=conversation_id,
-                app_id=app_id,
-                message_id=message_id,
-            )
-            or []
-        ]
-
-        parameter_indexes = {parameter.name: index for index, parameter in enumerate(parameters)}
+        parameters = self.entity.parameters
+        parameters = parameters.copy()
+        user_parameters = self.get_runtime_parameters() or []
+        user_parameters = user_parameters.copy()
 
+        # override parameters
         for parameter in user_parameters:
-            existing_index = parameter_indexes.get(parameter.name)
-            if existing_index is None:
-                parameter_indexes[parameter.name] = len(parameters)
+            # check if parameter in tool parameters
+            for tool_parameter in parameters:
+                if tool_parameter.name == parameter.name:
+                    # override parameter
+                    tool_parameter.type = parameter.type
+                    tool_parameter.form = parameter.form
+                    tool_parameter.required = parameter.required
+                    tool_parameter.default = parameter.default
+                    tool_parameter.options = parameter.options
+                    tool_parameter.llm_description = parameter.llm_description
+                    break
+            else:
+                # add new parameter
                 parameters.append(parameter)
-                continue
-            parameters[existing_index] = parameter
 
         return parameters
 
-    def get_llm_parameters_json_schema(
-        self,
-        conversation_id: str | None = None,
-        app_id: str | None = None,
-        message_id: str | None = None,
-    ) -> dict[str, Any]:
-        """Build the model-visible JSON schema from effective tool parameters.
-
-        Hidden/manual parameters stay available for invocation preparation on the
-        API side, but are intentionally omitted from the LLM-facing schema.
-        """
-        schema: dict[str, Any] = {
-            "type": "object",
-            "properties": {},
-            "required": [],
-        }
-
-        for parameter in self.get_merged_runtime_parameters(
-            conversation_id=conversation_id,
-            app_id=app_id,
-            message_id=message_id,
-        ):
-            if parameter.form != ToolParameter.ToolParameterForm.LLM:
-                continue
-
-            if parameter.type in {
-                ToolParameter.ToolParameterType.SYSTEM_FILES,
-                ToolParameter.ToolParameterType.FILE,
-                ToolParameter.ToolParameterType.FILES,
-            }:
-                continue
-
-            parameter_schema: dict[str, Any] = (
-                {
-                    "type": parameter.type.as_normal_type(),
-                    "description": parameter.llm_description or "",
-                }
-                if parameter.input_schema is None
-                else deepcopy(parameter.input_schema)
-            )
-            parameter_schema.setdefault("description", parameter.llm_description or "")
-
-            if parameter.type == ToolParameter.ToolParameterType.SELECT and parameter.options:
-                parameter_schema["enum"] = [option.value for option in parameter.options]
-
-            schema["properties"][parameter.name] = parameter_schema
-            if parameter.required:
-                schema["required"].append(parameter.name)
-
-        return schema
-
     def create_image_message(
         self,
         image: str,

api/core/workflow/node_factory.py

@@ -475,7 +475,6 @@ class DifyNodeFactory(NodeFactory):
             from core.workflow.nodes.agent_v2.file_tenant_validator import UploadFileTenantValidator
             from core.workflow.nodes.agent_v2.output_failure_orchestrator import OutputFailureOrchestrator
             from core.workflow.nodes.agent_v2.output_type_checker import PerOutputTypeChecker
-            from core.workflow.nodes.agent_v2.session_store import WorkflowAgentRuntimeSessionStore
 
             return {
                 "binding_resolver": WorkflowAgentBindingResolver(),
@@ -495,7 +494,6 @@ class DifyNodeFactory(NodeFactory):
                 # outputs contain no file refs.
                 "type_checker": PerOutputTypeChecker(file_validator=UploadFileTenantValidator()),
                 "failure_orchestrator": OutputFailureOrchestrator(),
-                "session_store": WorkflowAgentRuntimeSessionStore(),
             }
         return {
             "strategy_resolver": self._agent_strategy_resolver,

api/core/workflow/nodes/agent_v2/agent_node.py

@@ -1,11 +1,8 @@
 from __future__ import annotations
 
-import logging
 from collections.abc import Generator, Mapping, Sequence
 from typing import TYPE_CHECKING, Any
 
-from agenton.compositor import CompositorSessionSnapshot
-
 from clients.agent_backend import (
     AgentBackendError,
     AgentBackendHTTPError,
@@ -20,14 +17,11 @@ from clients.agent_backend import (
     AgentBackendStreamInternalEvent,
     AgentBackendTransportError,
     AgentBackendValidationError,
-    CleanupLayerSpec,
-    extract_cleanup_layer_specs,
 )
 from core.app.entities.app_invoke_entities import DIFY_RUN_CONTEXT_KEY, DifyRunContext
 from core.workflow.system_variables import SystemVariableKey, get_system_text
-from graphon.entities.pause_reason import SchedulingPause
 from graphon.enums import BuiltinNodeTypes, WorkflowNodeExecutionMetadataKey, WorkflowNodeExecutionStatus
-from graphon.node_events import NodeEventBase, NodeRunResult, PauseRequestedEvent, StreamCompletedEvent
+from graphon.node_events import NodeEventBase, NodeRunResult, StreamCompletedEvent
 from graphon.nodes.base.node import Node
 from models.agent_config_entities import WorkflowNodeJobConfig
 
@@ -46,14 +40,11 @@ from .runtime_request_builder import (
     WorkflowAgentRuntimeRequestBuilder,
     WorkflowAgentRuntimeRequestBuildError,
 )
-from .session_store import WorkflowAgentRuntimeSessionStore, WorkflowAgentSessionScope
 
 if TYPE_CHECKING:
     from graphon.entities import GraphInitParams
     from graphon.runtime import GraphRuntimeState
 
-logger = logging.getLogger(__name__)
-
 
 # Stage 4 §5+§7: the terminal events that `_consume_event_stream` may return.
 # Stream + started events are filtered out before we yield; transport errors
@@ -83,7 +74,6 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
         output_adapter: WorkflowAgentOutputAdapter,
         type_checker: PerOutputTypeChecker,
         failure_orchestrator: OutputFailureOrchestrator,
-        session_store: WorkflowAgentRuntimeSessionStore | None = None,
     ) -> None:
         super().__init__(
             node_id=node_id,
@@ -98,7 +88,6 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
         self._output_adapter = output_adapter
         self._type_checker = type_checker
         self._failure_orchestrator = failure_orchestrator
-        self._session_store = session_store
 
     @classmethod
     def version(cls) -> str:
@@ -145,17 +134,6 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
             "agent_config_snapshot_id": bundle.snapshot.id,
             "binding_id": bundle.binding.id,
         }
-        session_scope = WorkflowAgentSessionScope(
-            tenant_id=dify_ctx.tenant_id,
-            app_id=dify_ctx.app_id,
-            workflow_id=workflow_id,
-            workflow_run_id=workflow_run_id,
-            node_id=self._node_id,
-            node_execution_id=self.id,
-            binding_id=bundle.binding.id,
-            agent_id=bundle.agent.id,
-            agent_config_snapshot_id=bundle.snapshot.id,
-        )
 
         # Stage 4 §4.1 (D-3): use effective outputs so defaults flow through both
         # the backend request and the post-run type check.
@@ -169,9 +147,6 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
         attempt = 0
         while True:
             try:
-                session_snapshot = None
-                if self._session_store is not None:
-                    session_snapshot = self._session_store.load_active_snapshot(session_scope)
                 runtime_request = self._runtime_request_builder.build(
                     WorkflowAgentRuntimeBuildContext(
                         dify_context=dify_ctx,
@@ -184,7 +159,6 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
                         agent=bundle.agent,
                         snapshot=bundle.snapshot,
                         attempt=attempt,
-                        session_snapshot=session_snapshot,
                     )
                 )
             except WorkflowAgentRuntimeRequestBuildError as error:
@@ -247,35 +221,9 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
                 )
                 return
 
-            if isinstance(terminal_event, AgentBackendRunPausedInternalEvent):
-                self._save_session_snapshot(
-                    session_scope=session_scope,
-                    backend_run_id=terminal_event.run_id,
-                    snapshot=terminal_event.session_snapshot,
-                    composition_layer_specs=extract_cleanup_layer_specs(runtime_request.request.composition),
-                    metadata=metadata,
-                )
-                yield PauseRequestedEvent(
-                    reason=SchedulingPause(
-                        message=terminal_event.message
-                        or "Agent backend run requested workflow pause for external input."
-                    )
-                )
-                return
-
-            # Non-success terminal (failed / cancelled) skips per-output
-            # post-processing — the backend itself already failed. We also retire
-            # the local ACTIVE session row so a workflow loop back into the same
-            # Agent node cannot resume from a stale snapshot. The failed agent
-            # backend layers (suspended per ``on_exit``) are left for agent
-            # backend's own GC; this row will no longer be picked up by the
-            # workflow-terminal cleanup layer.
+            # Non-success terminal (failed / cancelled / paused) skips per-output
+            # post-processing — the backend itself already failed.
             if not isinstance(terminal_event, AgentBackendRunSucceededInternalEvent):
-                self._mark_session_cleaned_on_failure(
-                    session_scope=session_scope,
-                    backend_run_id=terminal_event.run_id,
-                    metadata=metadata,
-                )
                 yield StreamCompletedEvent(
                     node_run_result=self._output_adapter.build_failure_result(
                         event=terminal_event,
@@ -286,14 +234,6 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
                 )
                 return
 
-            self._save_session_snapshot(
-                session_scope=session_scope,
-                backend_run_id=terminal_event.run_id,
-                snapshot=terminal_event.session_snapshot,
-                composition_layer_specs=extract_cleanup_layer_specs(runtime_request.request.composition),
-                metadata=metadata,
-            )
-
             # ──── Stage 4: per-output type check ────
             type_check = self._type_checker.check(
                 declared_outputs=effective_outputs,
@@ -444,75 +384,6 @@ class DifyAgentNode(Node[DifyAgentNodeData]):
             ],
         }
 
-    def _save_session_snapshot(
-        self,
-        *,
-        session_scope: WorkflowAgentSessionScope,
-        backend_run_id: str,
-        snapshot: CompositorSessionSnapshot | None,
-        composition_layer_specs: list[CleanupLayerSpec],
-        metadata: dict[str, Any],
-    ) -> None:
-        if self._session_store is None:
-            return
-        try:
-            self._session_store.save_active_snapshot(
-                scope=session_scope,
-                backend_run_id=backend_run_id,
-                snapshot=snapshot,
-                composition_layer_specs=composition_layer_specs,
-            )
-            agent_backend = dict(metadata.get("agent_backend") or {})
-            agent_backend["session_snapshot_persisted"] = snapshot is not None
-            metadata["agent_backend"] = agent_backend
-        except Exception:
-            logger.warning(
-                "Failed to persist workflow Agent runtime session snapshot: "
-                "tenant_id=%s workflow_run_id=%s node_id=%s binding_id=%s agent_id=%s backend_run_id=%s",
-                session_scope.tenant_id,
-                session_scope.workflow_run_id,
-                session_scope.node_id,
-                session_scope.binding_id,
-                session_scope.agent_id,
-                backend_run_id,
-                exc_info=True,
-            )
-            agent_backend = dict(metadata.get("agent_backend") or {})
-            agent_backend["session_snapshot_persisted"] = False
-            agent_backend["session_snapshot_persist_error"] = "workflow_agent_runtime_session_store_error"
-            metadata["agent_backend"] = agent_backend
-
-    def _mark_session_cleaned_on_failure(
-        self,
-        *,
-        session_scope: WorkflowAgentSessionScope,
-        backend_run_id: str,
-        metadata: dict[str, Any],
-    ) -> None:
-        if self._session_store is None:
-            return
-        try:
-            self._session_store.mark_cleaned(scope=session_scope, backend_run_id=backend_run_id)
-            agent_backend = dict(metadata.get("agent_backend") or {})
-            agent_backend["session_snapshot_cleaned_on_failure"] = True
-            metadata["agent_backend"] = agent_backend
-        except Exception:
-            logger.warning(
-                "Failed to mark workflow Agent runtime session cleaned on agent run failure: "
-                "tenant_id=%s workflow_run_id=%s node_id=%s binding_id=%s agent_id=%s backend_run_id=%s",
-                session_scope.tenant_id,
-                session_scope.workflow_run_id,
-                session_scope.node_id,
-                session_scope.binding_id,
-                session_scope.agent_id,
-                backend_run_id,
-                exc_info=True,
-            )
-            agent_backend = dict(metadata.get("agent_backend") or {})
-            agent_backend["session_snapshot_cleaned_on_failure"] = False
-            agent_backend["session_snapshot_cleanup_error"] = "workflow_agent_runtime_session_store_error"
-            metadata["agent_backend"] = agent_backend
-
     @staticmethod
     def _patch_event_with_defaults(
         event: AgentBackendRunSucceededInternalEvent,

api/core/workflow/nodes/agent_v2/plugin_tools_builder.py

@@ -1,268 +0,0 @@
-from __future__ import annotations
-
-from collections.abc import Mapping
-from typing import Any, Protocol, cast
-
-from dify_agent.layers.dify_plugin import (
-    DifyPluginCredentialValue,
-    DifyPluginToolConfig,
-    DifyPluginToolCredentialType,
-    DifyPluginToolParameter,
-    DifyPluginToolParameterForm,
-    DifyPluginToolsLayerConfig,
-)
-
-from core.agent.entities import AgentToolEntity
-from core.app.entities.app_invoke_entities import InvokeFrom
-from core.tools.__base.tool import Tool
-from core.tools.entities.tool_entities import ToolProviderType
-from core.tools.errors import (
-    ToolProviderCredentialValidationError,
-    ToolProviderNotFoundError,
-)
-from core.tools.tool_manager import ToolManager
-from models.agent_config_entities import AgentSoulDifyToolConfig, AgentSoulToolsConfig
-from models.provider_ids import ToolProviderID
-
-
-class WorkflowAgentPluginToolsBuildError(ValueError):
-    """Raised when Agent Soul tools cannot be prepared for Agent backend."""
-
-    def __init__(self, error_code: str, message: str) -> None:
-        self.error_code = error_code
-        super().__init__(message)
-
-
-class AgentToolRuntimeProvider(Protocol):
-    def get_agent_tool_runtime(
-        self,
-        tenant_id: str,
-        app_id: str,
-        agent_tool: AgentToolEntity,
-        user_id: str | None = None,
-        invoke_from: InvokeFrom = InvokeFrom.DEBUGGER,
-        variable_pool: Any | None = None,
-    ) -> Tool: ...
-
-
-class WorkflowAgentPluginToolsBuilder:
-    """Prepare Agent Soul Dify Plugin Tools for the public Agent backend DTO."""
-
-    def __init__(self, *, tool_runtime_provider: AgentToolRuntimeProvider | None = None) -> None:
-        self._tool_runtime_provider = tool_runtime_provider or ToolManager
-
-    def build(
-        self,
-        *,
-        tenant_id: str,
-        app_id: str,
-        user_id: str | None,
-        tools: AgentSoulToolsConfig,
-        invoke_from: InvokeFrom,
-    ) -> DifyPluginToolsLayerConfig | None:
-        """Resolve user-selected Dify Plugin Tools into the Agent backend DTO.
-
-        ``invoke_from`` is the *real* runtime caller category (DEBUGGER for a
-        Composer test run, SERVICE_API / WEB_APP for a published run). It must
-        be threaded through to :class:`ToolManager` so credential quotas, rate
-        limits, and audit tags match the actual call site.
-        """
-        enabled_tools = [tool for tool in tools.dify_tools if tool.enabled]
-        if not enabled_tools:
-            return None
-
-        prepared: list[DifyPluginToolConfig] = []
-        seen_names: set[str] = set()
-        for tool_config in enabled_tools:
-            agent_tool = self._to_agent_tool_entity(tool_config)
-            tool_runtime = self._fetch_tool_runtime(
-                tenant_id=tenant_id,
-                app_id=app_id,
-                user_id=user_id,
-                agent_tool=agent_tool,
-                invoke_from=invoke_from,
-                tool_config=tool_config,
-            )
-
-            exposed_name = self._exposed_tool_name(tool_config)
-            if exposed_name in seen_names:
-                raise WorkflowAgentPluginToolsBuildError(
-                    "agent_tool_name_duplicated",
-                    f"Duplicate Dify Plugin Tool name {exposed_name!r}.",
-                )
-            seen_names.add(exposed_name)
-
-            prepared.append(self._to_backend_tool_config(tool_config, tool_runtime, exposed_name))
-
-        return DifyPluginToolsLayerConfig(tools=prepared)
-
-    def _fetch_tool_runtime(
-        self,
-        *,
-        tenant_id: str,
-        app_id: str,
-        user_id: str | None,
-        agent_tool: AgentToolEntity,
-        invoke_from: InvokeFrom,
-        tool_config: AgentSoulDifyToolConfig,
-    ) -> Tool:
-        """Resolve the API-side ``Tool`` runtime, mapping fetch errors to
-        Inspector-friendly error codes so callers can render distinct UX for
-        "tool definition gone" vs "credential failed".
-        """
-        try:
-            return self._tool_runtime_provider.get_agent_tool_runtime(
-                tenant_id=tenant_id,
-                app_id=app_id,
-                agent_tool=agent_tool,
-                user_id=user_id,
-                invoke_from=invoke_from,
-                variable_pool=None,
-            )
-        except ToolProviderNotFoundError as exc:
-            raise WorkflowAgentPluginToolsBuildError(
-                "agent_tool_declaration_not_found",
-                f"Dify Plugin Tool {tool_config.tool_name!r} declaration not found: {exc}",
-            ) from exc
-        except ToolProviderCredentialValidationError as exc:
-            raise WorkflowAgentPluginToolsBuildError(
-                "agent_tool_credential_invalid",
-                f"Dify Plugin Tool {tool_config.tool_name!r} credential validation failed: {exc}",
-            ) from exc
-        except ValueError as exc:
-            # ToolManager raises bare ValueError when the agent tool's
-            # ``runtime`` / runtime parameters are missing. Surface it under a
-            # narrower error code than a generic "declaration not found" so
-            # frontend can render an actionable hint.
-            raise WorkflowAgentPluginToolsBuildError(
-                "agent_tool_config_invalid",
-                f"Dify Plugin Tool {tool_config.tool_name!r} runtime construction failed: {exc}",
-            ) from exc
-
-    @staticmethod
-    def _to_agent_tool_entity(tool_config: AgentSoulDifyToolConfig) -> AgentToolEntity:
-        return AgentToolEntity(
-            provider_type=ToolProviderType.value_of(tool_config.provider_type),
-            provider_id=WorkflowAgentPluginToolsBuilder._provider_id(tool_config),
-            tool_name=tool_config.tool_name,
-            tool_parameters=dict(tool_config.runtime_parameters),
-            credential_id=tool_config.credential_ref.id if tool_config.credential_ref else None,
-        )
-
-    @staticmethod
-    def _provider_id(tool_config: AgentSoulDifyToolConfig) -> str:
-        if tool_config.provider_id:
-            return tool_config.provider_id
-        assert tool_config.plugin_id is not None
-        assert tool_config.provider is not None
-        return f"{tool_config.plugin_id}/{tool_config.provider}"
-
-    @staticmethod
-    def _exposed_tool_name(tool_config: AgentSoulDifyToolConfig) -> str:
-        # Stage 3.1 decision: no user rename yet. Keep the model-visible tool
-        # name aligned with the plugin declaration identity.
-        return tool_config.tool_name
-
-    def _to_backend_tool_config(
-        self,
-        tool_config: AgentSoulDifyToolConfig,
-        tool_runtime: Tool,
-        exposed_name: str,
-    ) -> DifyPluginToolConfig:
-        runtime = tool_runtime.runtime
-        if runtime is None:
-            raise WorkflowAgentPluginToolsBuildError(
-                "agent_tool_config_invalid",
-                f"Dify Plugin Tool {tool_config.tool_name!r} has no runtime.",
-            )
-
-        provider_id = self._provider_id(tool_config)
-        plugin_id, provider = self._plugin_provider(tool_config, provider_id)
-        parameters = [
-            DifyPluginToolParameter.model_validate(parameter.model_dump(mode="json"))
-            for parameter in tool_runtime.get_merged_runtime_parameters()
-        ]
-        runtime_parameters = self._runtime_parameters(tool_runtime, parameters)
-        description = tool_config.description
-        if description is None and tool_runtime.entity.description is not None:
-            description = tool_runtime.entity.description.llm
-
-        return DifyPluginToolConfig(
-            plugin_id=plugin_id,
-            provider=provider,
-            tool_name=tool_config.tool_name,
-            credential_type=self._credential_type(tool_config, runtime.credentials),
-            name=exposed_name,
-            description=description,
-            credentials=self._normalize_credentials(runtime.credentials, tool_name=tool_config.tool_name),
-            runtime_parameters=runtime_parameters,
-            parameters=parameters,
-            parameters_json_schema=cast(dict[str, Any], tool_runtime.get_llm_parameters_json_schema()),
-        )
-
-    @staticmethod
-    def _plugin_provider(tool_config: AgentSoulDifyToolConfig, provider_id: str) -> tuple[str, str]:
-        if tool_config.plugin_id and tool_config.provider:
-            return tool_config.plugin_id, tool_config.provider
-        provider_id_entity = ToolProviderID(provider_id)
-        return provider_id_entity.plugin_id, provider_id_entity.provider_name
-
-    @staticmethod
-    def _credential_type(
-        tool_config: AgentSoulDifyToolConfig,
-        credentials: Mapping[str, Any],
-    ) -> DifyPluginToolCredentialType:
-        if not credentials and tool_config.credential_type == "unauthorized":
-            return "unauthorized"
-        return tool_config.credential_type
-
-    @staticmethod
-    def _runtime_parameters(
-        tool_runtime: Tool,
-        parameters: list[DifyPluginToolParameter],
-    ) -> dict[str, Any]:
-        runtime = tool_runtime.runtime
-        runtime_parameters = dict(runtime.runtime_parameters if runtime is not None else {})
-        missing = [
-            parameter.name
-            for parameter in parameters
-            if parameter.form is not DifyPluginToolParameterForm.LLM
-            and parameter.required
-            and parameter.default is None
-            and parameter.name not in runtime_parameters
-        ]
-        if missing:
-            names = ", ".join(sorted(missing))
-            raise WorkflowAgentPluginToolsBuildError(
-                "agent_tool_runtime_parameter_missing",
-                f"Dify Plugin Tool {tool_runtime.entity.identity.name!r} is missing runtime parameters: {names}.",
-            )
-        return runtime_parameters
-
-    @staticmethod
-    def _normalize_credentials(
-        credentials: Mapping[str, Any],
-        *,
-        tool_name: str,
-    ) -> dict[str, DifyPluginCredentialValue]:
-        """Forward only scalar credential values to the Agent backend.
-
-        ``DifyPluginCredentialValue`` is ``str | int | float | bool | None``.
-        Refusing non-scalar values (lists, dicts, custom objects) is safer than
-        ``str(value)`` — stringifying a nested OAuth token blob produces a
-        Python ``repr`` that the plugin daemon cannot use, and we'd rather
-        surface a clear ``agent_tool_credential_shape_invalid`` than send junk.
-        """
-        normalized: dict[str, DifyPluginCredentialValue] = {}
-        for key, value in credentials.items():
-            if isinstance(value, str | int | float | bool) or value is None:
-                normalized[key] = value
-                continue
-            raise WorkflowAgentPluginToolsBuildError(
-                "agent_tool_credential_shape_invalid",
-                (
-                    f"Dify Plugin Tool {tool_name!r} credential {key!r} has a non-scalar value "
-                    f"({type(value).__name__}); only str/int/float/bool/None are forwarded to the daemon."
-                ),
-            )
-        return normalized

api/core/workflow/nodes/agent_v2/runtime_feature_manifest.py

@@ -11,14 +11,13 @@ SUPPORTED_AGENT_BACKEND_FEATURES = frozenset(
         "workflow_context",
         "model",
         "structured_output",
-        "tools.dify_tools",
     }
 )
 
 RESERVED_AGENT_BACKEND_FEATURES = frozenset(
     {
         "skills_files",
-        "tools.cli_tools",
+        "tools",
         "knowledge",
         "human",
         "env",
@@ -33,7 +32,7 @@ def build_runtime_feature_manifest(agent_soul: AgentSoulConfig) -> dict[str, Any
     warnings: list[dict[str, str]] = []
     soul_dump = agent_soul.model_dump(mode="json")
     for section in sorted(RESERVED_AGENT_BACKEND_FEATURES):
-        value = _get_nested(soul_dump, section)
+        value = soul_dump.get(section)
         has_value = bool(value)
         if isinstance(value, dict):
             has_value = any(bool(item) for item in value.values())
@@ -42,12 +41,11 @@ def build_runtime_feature_manifest(agent_soul: AgentSoulConfig) -> dict[str, Any
                 {
                     "section": f"agent_soul.{section}",
                     "code": "agent_backend_layer_not_available",
-                    "message": f"{section} is saved in Agent Soul but is not executed by Agent backend.",
+                    "message": f"{section} is saved in Agent Soul but is not executed by Agent backend in phase 3.",
                 }
             )
 
     reserved_status = dict.fromkeys(sorted(RESERVED_AGENT_BACKEND_FEATURES), "reserved_not_executed")
-    reserved_status["tools.dify_tools"] = "supported_when_config_valid"
 
     return {
         "supported": sorted(SUPPORTED_AGENT_BACKEND_FEATURES),
@@ -55,12 +53,3 @@ def build_runtime_feature_manifest(agent_soul: AgentSoulConfig) -> dict[str, Any
         "reserved_status": reserved_status,
         "unsupported_runtime_warnings": warnings,
     }
-
-
-def _get_nested(value: dict[str, Any], path: str) -> Any:
-    current: Any = value
-    for part in path.split("."):
-        if not isinstance(current, dict):
-            return None
-        current = current.get(part)
-    return current

api/core/workflow/nodes/agent_v2/runtime_request_builder.py

@@ -4,9 +4,7 @@ from collections.abc import Mapping, Sequence
 from dataclasses import dataclass
 from typing import Any, Literal, Protocol, cast
 
-from agenton.compositor import CompositorSessionSnapshot
-from dify_agent.layers.execution_context import DifyExecutionContextLayerConfig
-from dify_agent.protocol import CreateRunRequest
+from dify_agent.protocol import CreateRunRequest, ExecutionContext
 
 from clients.agent_backend import (
     AgentBackendModelConfig,
@@ -29,10 +27,8 @@ from models.agent_config_entities import (
 from models.agent_config_entities import (
     effective_declared_outputs as _effective_declared_outputs,
 )
-from models.provider_ids import ModelProviderID
 
 from .output_failure_orchestrator import retry_idempotency_key
-from .plugin_tools_builder import WorkflowAgentPluginToolsBuilder, WorkflowAgentPluginToolsBuildError
 from .runtime_feature_manifest import build_runtime_feature_manifest
 
 
@@ -68,7 +64,6 @@ class WorkflowAgentRuntimeBuildContext:
     # Stage 4 §7 / D-4: 0 for the first run, then incremented per retry. Drives the
     # idempotency key so the backend treats each retry as a fresh request.
     attempt: int = 0
-    session_snapshot: CompositorSessionSnapshot | None = None
 
 
 @dataclass(frozen=True, slots=True)
@@ -88,11 +83,9 @@ class WorkflowAgentRuntimeRequestBuilder:
         *,
         credentials_provider: CredentialsProvider,
         request_builder: AgentBackendRunRequestBuilder | None = None,
-        plugin_tools_builder: WorkflowAgentPluginToolsBuilder | None = None,
     ) -> None:
         self._credentials_provider = credentials_provider
         self._request_builder = request_builder or AgentBackendRunRequestBuilder()
-        self._plugin_tools_builder = plugin_tools_builder or WorkflowAgentPluginToolsBuilder()
 
     def build(self, context: WorkflowAgentRuntimeBuildContext) -> WorkflowAgentRuntimeRequest:
         agent_soul = AgentSoulConfig.model_validate(context.snapshot.config_snapshot_dict)
@@ -108,47 +101,20 @@ class WorkflowAgentRuntimeRequestBuilder:
         workflow_job_prompt = node_job.workflow_prompt.strip() or "Run this workflow Agent Node for the current run."
         user_prompt = workflow_context_prompt.strip() or "Use the current workflow context."
         credentials = self._credentials_provider.fetch(agent_soul.model.model_provider, agent_soul.model.model)
-        try:
-            tools_layer = self._plugin_tools_builder.build(
-                tenant_id=context.dify_context.tenant_id,
-                app_id=context.dify_context.app_id,
-                user_id=context.dify_context.user_id,
-                tools=agent_soul.tools,
-                # Thread the *real* runtime invocation source through to
-                # ToolManager so credential quotas, rate limits, and audit
-                # trails match the actual call site (DEBUGGER for draft test
-                # run, SERVICE_API / WEB_APP for published run).
-                invoke_from=context.dify_context.invoke_from,
-            )
-        except WorkflowAgentPluginToolsBuildError as error:
-            raise WorkflowAgentRuntimeRequestBuildError(error.error_code, str(error)) from error
-        if tools_layer is not None:
-            metadata["agent_tools"] = {
-                "dify_tool_count": len(tools_layer.tools),
-                "dify_tool_names": [tool.name or tool.tool_name for tool in tools_layer.tools],
-                "cli_tool_count": len(agent_soul.tools.cli_tools),
-            }
 
         request = self._request_builder.build_for_workflow_node(
             AgentBackendWorkflowNodeRunInput(
                 model=AgentBackendModelConfig(
-                    plugin_id=self._plugin_daemon_plugin_id(
-                        plugin_id=agent_soul.model.plugin_id,
-                        model_provider=agent_soul.model.model_provider,
-                    ),
-                    model_provider=self._plugin_daemon_provider_name(agent_soul.model.model_provider),
-                    model=agent_soul.model.model,
-                    credentials=self._normalize_credentials(credentials),
-                    model_settings=agent_soul.model.model_settings,
-                ),
-                # The execution-context layer is now the only public protocol
-                # carrier for Dify tenant/user/run identifiers. ``user_id`` must
-                # be forwarded here because downstream plugin-daemon provider and
-                # tool clients read it from this layer rather than from any
-                # parallel top-level request field.
-                execution_context=DifyExecutionContextLayerConfig(
                     tenant_id=context.dify_context.tenant_id,
+                    plugin_id=agent_soul.model.plugin_id,
+                    model_provider=agent_soul.model.model_provider,
+                    model=agent_soul.model.model,
                     user_id=context.dify_context.user_id,
+                    credentials=self._normalize_credentials(credentials),
+                    model_settings=cast(dict[str, Any], agent_soul.model.model_settings),
+                ),
+                execution_context=ExecutionContext(
+                    tenant_id=context.dify_context.tenant_id,
                     app_id=context.dify_context.app_id,
                     workflow_id=context.workflow_id,
                     workflow_run_id=context.workflow_run_id,
@@ -163,8 +129,6 @@ class WorkflowAgentRuntimeRequestBuilder:
                 workflow_node_job_prompt=workflow_job_prompt,
                 user_prompt=user_prompt,
                 output=self._build_output_config(node_job.declared_outputs),
-                tools=tools_layer,
-                session_snapshot=context.session_snapshot,
                 idempotency_key=self._idempotency_key(context),
                 metadata=metadata,
             )
@@ -184,20 +148,6 @@ class WorkflowAgentRuntimeRequestBuilder:
             return "single_step"
         return "workflow_run"
 
-    @staticmethod
-    def _plugin_daemon_plugin_id(*, plugin_id: str, model_provider: str) -> str:
-        """Return the transport plugin id expected by plugin-daemon headers."""
-        if plugin_id.count("/") == 1:
-            return plugin_id
-        if plugin_id:
-            return ModelProviderID(plugin_id).plugin_id
-        return ModelProviderID(model_provider).plugin_id
-
-    @staticmethod
-    def _plugin_daemon_provider_name(model_provider: str) -> str:
-        """Return the provider name expected by plugin-daemon dispatch payloads."""
-        return ModelProviderID(model_provider).provider_name
-
     @staticmethod
     def _idempotency_key(context: WorkflowAgentRuntimeBuildContext) -> str:
         # Stage 4 §7 / D-4: retries get distinct keys (``...:retry-{attempt}``) so

api/core/workflow/nodes/agent_v2/session_cleanup_layer.py

@@ -1,247 +0,0 @@
-from __future__ import annotations
-
-import logging
-from typing import override
-
-from clients.agent_backend import AgentBackendError, AgentBackendRunClient, AgentBackendRunRequestBuilder
-from clients.agent_backend.factory import create_agent_backend_run_client
-from configs import dify_config
-from core.workflow.system_variables import SystemVariableKey, get_system_text
-from graphon.graph_engine.layers import GraphEngineLayer
-from graphon.graph_events import (
-    GraphEngineEvent,
-    GraphRunAbortedEvent,
-    GraphRunFailedEvent,
-    GraphRunPartialSucceededEvent,
-    GraphRunSucceededEvent,
-)
-
-from .session_store import StoredWorkflowAgentSession, WorkflowAgentRuntimeSessionStore
-
-logger = logging.getLogger(__name__)
-
-
-# Upper bound on how long a cleanup-only run is allowed to settle before the
-# layer gives up and leaves the row ACTIVE so it can be retried later. Cleanup
-# work is mostly local agent-backend bookkeeping (no LLM inference), so 30s is
-# generous; a hung backend should never block workflow termination beyond this.
-_CLEANUP_WAIT_TIMEOUT_SECONDS = 30.0
-
-
-class WorkflowAgentSessionCleanupLayer(GraphEngineLayer):
-    """Retires workflow Agent session snapshots when a workflow reaches a terminal state.
-
-    Implementation notes — there are two failure modes the cleanup path has to
-    avoid simultaneously:
-
-    1. The agenton compositor on the agent-backend side validates the cleanup
-       request's session snapshot against the replayed composition before
-       running any lifecycle hook. If the snapshot's layer names diverge from
-       the composition, the run fails asynchronously with ``run_failed`` — but
-       the initial ``POST /runs`` already returned 202, so the API side has no
-       visibility of the failure unless it waits for terminal status. The
-       ``composition_layer_specs`` persistence in A.1–A.4 plus the
-       ``_filter_snapshot_to_specs`` shape in ``build_cleanup_request`` keeps
-       the two name lists in sync.
-
-    2. The current agent backend's ``runner.py::_run_agent`` always invokes
-       ``run.get_layer("llm")`` and the structured-output / history validators
-       before exiting any slot — there is no ``purpose: "cleanup"`` branch
-       yet. A truly cleanup-only request (no LLM layer) therefore still
-       crashes inside the runner with ``Layer 'llm' is not defined in this
-       compositor run.``. Until the backend grows a cleanup-only purpose,
-       this layer **does not issue an HTTP cleanup run**: it simply retires
-       the local snapshot row so stale state cannot be re-resumed, and lets
-       the agent backend's own retention TTL release the suspended layers.
-
-    The HTTP-cleanup machinery (``build_cleanup_request`` + ``wait_run``) is
-    intentionally still wired into the request builder + integration tests so
-    that when the agent backend supports cleanup runs we can flip the switch
-    here with a one-line change (see ``_HTTP_CLEANUP_SUPPORTED``).
-    """
-
-    # Flip to True once dify-agent's runner has a ``purpose=cleanup`` branch
-    # that skips the LLM/output/user-prompt invariants. Until then we only
-    # update the local row; the spec list is still persisted so the future
-    # HTTP cleanup path has everything it needs.
-    _HTTP_CLEANUP_SUPPORTED: bool = False
-
-    _TERMINAL_EVENTS = (
-        GraphRunSucceededEvent,
-        GraphRunPartialSucceededEvent,
-        GraphRunFailedEvent,
-        GraphRunAbortedEvent,
-    )
-
-    def __init__(
-        self,
-        *,
-        session_store: WorkflowAgentRuntimeSessionStore,
-        request_builder: AgentBackendRunRequestBuilder,
-        agent_backend_client: AgentBackendRunClient | None,
-        cleanup_wait_timeout_seconds: float = _CLEANUP_WAIT_TIMEOUT_SECONDS,
-    ) -> None:
-        super().__init__()
-        self._session_store = session_store
-        self._request_builder = request_builder
-        self._agent_backend_client = agent_backend_client
-        self._cleanup_wait_timeout_seconds = cleanup_wait_timeout_seconds
-
-    @override
-    def on_graph_start(self) -> None:
-        return
-
-    @override
-    def on_event(self, event: GraphEngineEvent) -> None:
-        if not isinstance(event, self._TERMINAL_EVENTS):
-            return
-        workflow_run_id = get_system_text(
-            self.graph_runtime_state.variable_pool,
-            SystemVariableKey.WORKFLOW_EXECUTION_ID,
-        )
-        if not workflow_run_id:
-            logger.warning("Skipping workflow Agent session cleanup: workflow_run_id is missing.")
-            return
-
-        for stored_session in self._session_store.list_active_sessions(workflow_run_id=workflow_run_id):
-            self._cleanup_session(stored_session)
-
-    @override
-    def on_graph_end(self, error: Exception | None) -> None:
-        return
-
-    def _cleanup_session(self, stored_session: StoredWorkflowAgentSession) -> None:
-        scope = stored_session.scope
-        if not self._HTTP_CLEANUP_SUPPORTED:
-            # Agent backend has no cleanup-only run mode yet (see class
-            # docstring). Retire the local row so future re-entries do not
-            # resume from stale state, and let the backend's retention TTL
-            # release the suspended layers on its own schedule.
-            logger.info(
-                "Workflow Agent session retired locally; HTTP cleanup is disabled "
-                "until the agent backend supports a cleanup-only run mode. "
-                "workflow_run_id=%s node_id=%s binding_id=%s agent_id=%s previous_run_id=%s",
-                scope.workflow_run_id,
-                scope.node_id,
-                scope.binding_id,
-                scope.agent_id,
-                stored_session.backend_run_id,
-            )
-            self._session_store.mark_cleaned(scope=scope, backend_run_id=stored_session.backend_run_id)
-            return
-
-        if self._agent_backend_client is None:
-            # HTTP cleanup was enabled by the caller but no client was wired
-            # in (e.g. the API runs without AGENT_BACKEND_BASE_URL configured).
-            # Leave the row ACTIVE so an operator restart with proper config
-            # can drive the cleanup; do not silently retire it.
-            logger.warning(
-                "Skipping Agent backend cleanup: HTTP cleanup is enabled but no agent "
-                "backend client is wired in. workflow_run_id=%s node_id=%s agent_id=%s",
-                scope.workflow_run_id,
-                scope.node_id,
-                scope.agent_id,
-            )
-            return
-
-        if not stored_session.composition_layer_specs:
-            # Sessions persisted before A.1 landed do not carry the spec list,
-            # so we cannot replay a valid cleanup composition. Leave the row
-            # ACTIVE and warn so the absence shows up in observability rather
-            # than being silently swallowed by a doomed cleanup run.
-            logger.warning(
-                "Skipping Agent backend cleanup: no composition_layer_specs persisted. "
-                "workflow_run_id=%s node_id=%s agent_id=%s",
-                scope.workflow_run_id,
-                scope.node_id,
-                scope.agent_id,
-            )
-            return
-
-        request = self._request_builder.build_cleanup_request(
-            session_snapshot=stored_session.session_snapshot,
-            composition_layer_specs=stored_session.composition_layer_specs,
-            idempotency_key=f"{scope.workflow_run_id}:{scope.node_id}:{scope.binding_id}:agent-session-cleanup",
-            metadata={
-                "tenant_id": scope.tenant_id,
-                "app_id": scope.app_id,
-                "workflow_id": scope.workflow_id,
-                "workflow_run_id": scope.workflow_run_id,
-                "node_id": scope.node_id,
-                "node_execution_id": scope.node_execution_id,
-                "binding_id": scope.binding_id,
-                "agent_id": scope.agent_id,
-                "agent_config_snapshot_id": scope.agent_config_snapshot_id,
-                "previous_agent_backend_run_id": stored_session.backend_run_id,
-            },
-        )
-        try:
-            response = self._agent_backend_client.create_run(request)
-        except AgentBackendError:
-            logger.warning(
-                "Agent backend session cleanup request failed: workflow_run_id=%s node_id=%s agent_id=%s",
-                scope.workflow_run_id,
-                scope.node_id,
-                scope.agent_id,
-                exc_info=True,
-            )
-            return
-
-        try:
-            status_response = self._agent_backend_client.wait_run(
-                response.run_id, timeout_seconds=self._cleanup_wait_timeout_seconds
-            )
-        except AgentBackendError:
-            logger.warning(
-                "Agent backend session cleanup wait_run failed: "
-                "workflow_run_id=%s node_id=%s agent_id=%s cleanup_run_id=%s",
-                scope.workflow_run_id,
-                scope.node_id,
-                scope.agent_id,
-                response.run_id,
-                exc_info=True,
-            )
-            return
-
-        if status_response.status != "succeeded":
-            logger.warning(
-                "Agent backend session cleanup did not succeed: status=%s error=%s "
-                "workflow_run_id=%s node_id=%s agent_id=%s cleanup_run_id=%s",
-                status_response.status,
-                status_response.error,
-                scope.workflow_run_id,
-                scope.node_id,
-                scope.agent_id,
-                response.run_id,
-            )
-            return
-
-        self._session_store.mark_cleaned(scope=scope, backend_run_id=response.run_id)
-
-
-def build_workflow_agent_session_cleanup_layer() -> WorkflowAgentSessionCleanupLayer:
-    """Wire the cleanup layer with the standard production dependencies.
-
-    The agent backend client is constructed only when ``AGENT_BACKEND_BASE_URL``
-    is configured (or the deterministic fake is explicitly enabled). When
-    neither is set — for example unit tests that bring up the workflow runner
-    without an Agent node — we pass ``None`` so the layer stays harmless. With
-    ``_HTTP_CLEANUP_SUPPORTED = False`` the local-retire branch never touches
-    the client anyway, but keeping it ``None`` avoids importing httpx and lets
-    test harnesses skip backend configuration.
-    """
-    agent_backend_client: AgentBackendRunClient | None
-    if dify_config.AGENT_BACKEND_USE_FAKE or dify_config.AGENT_BACKEND_BASE_URL:
-        agent_backend_client = create_agent_backend_run_client(
-            base_url=dify_config.AGENT_BACKEND_BASE_URL,
-            use_fake=dify_config.AGENT_BACKEND_USE_FAKE,
-            fake_scenario=dify_config.AGENT_BACKEND_FAKE_SCENARIO,
-        )
-    else:
-        agent_backend_client = None
-
-    return WorkflowAgentSessionCleanupLayer(
-        session_store=WorkflowAgentRuntimeSessionStore(),
-        request_builder=AgentBackendRunRequestBuilder(),
-        agent_backend_client=agent_backend_client,
-    )

api/core/workflow/nodes/agent_v2/session_store.py

@@ -1,179 +0,0 @@
-from __future__ import annotations
-
-from dataclasses import dataclass, field
-
-from agenton.compositor import CompositorSessionSnapshot
-from pydantic import TypeAdapter
-from sqlalchemy import select
-
-from clients.agent_backend.request_builder import CleanupLayerSpec
-from core.db.session_factory import session_factory
-from libs.datetime_utils import naive_utc_now
-from models.agent import (
-    WorkflowAgentRuntimeSession,
-    WorkflowAgentRuntimeSessionStatus,
-)
-
-_SPECS_ADAPTER: TypeAdapter[list[CleanupLayerSpec]] = TypeAdapter(list[CleanupLayerSpec])
-
-
-def _serialize_specs(specs: list[CleanupLayerSpec]) -> str:
-    return _SPECS_ADAPTER.dump_json(specs).decode()
-
-
-def _deserialize_specs(value: str | None) -> list[CleanupLayerSpec]:
-    if not value:
-        return []
-    return _SPECS_ADAPTER.validate_json(value)
-
-
-@dataclass(frozen=True, slots=True)
-class WorkflowAgentSessionScope:
-    tenant_id: str
-    app_id: str
-    workflow_id: str
-    workflow_run_id: str | None
-    node_id: str
-    node_execution_id: str
-    binding_id: str
-    agent_id: str
-    agent_config_snapshot_id: str
-
-
-@dataclass(frozen=True, slots=True)
-class StoredWorkflowAgentSession:
-    scope: WorkflowAgentSessionScope
-    session_snapshot: CompositorSessionSnapshot
-    backend_run_id: str | None
-    composition_layer_specs: list[CleanupLayerSpec] = field(default_factory=list)
-
-
-class WorkflowAgentRuntimeSessionStore:
-    """Stores Agent backend session snapshots for workflow Agent node re-entry."""
-
-    def load_active_snapshot(self, scope: WorkflowAgentSessionScope) -> CompositorSessionSnapshot | None:
-        if scope.workflow_run_id is None:
-            return None
-
-        with session_factory.create_session() as session:
-            row = session.scalar(
-                select(WorkflowAgentRuntimeSession).where(
-                    WorkflowAgentRuntimeSession.tenant_id == scope.tenant_id,
-                    WorkflowAgentRuntimeSession.workflow_run_id == scope.workflow_run_id,
-                    WorkflowAgentRuntimeSession.node_id == scope.node_id,
-                    WorkflowAgentRuntimeSession.binding_id == scope.binding_id,
-                    WorkflowAgentRuntimeSession.agent_id == scope.agent_id,
-                    WorkflowAgentRuntimeSession.status == WorkflowAgentRuntimeSessionStatus.ACTIVE,
-                )
-            )
-            if row is None:
-                return None
-            return CompositorSessionSnapshot.model_validate_json(row.session_snapshot)
-
-    def list_active_sessions(self, *, workflow_run_id: str) -> list[StoredWorkflowAgentSession]:
-        with session_factory.create_session() as session:
-            rows = session.scalars(
-                select(WorkflowAgentRuntimeSession).where(
-                    WorkflowAgentRuntimeSession.workflow_run_id == workflow_run_id,
-                    WorkflowAgentRuntimeSession.status == WorkflowAgentRuntimeSessionStatus.ACTIVE,
-                )
-            ).all()
-            return [
-                StoredWorkflowAgentSession(
-                    scope=WorkflowAgentSessionScope(
-                        tenant_id=row.tenant_id,
-                        app_id=row.app_id,
-                        workflow_id=row.workflow_id,
-                        workflow_run_id=row.workflow_run_id,
-                        node_id=row.node_id,
-                        node_execution_id=row.node_execution_id or "",
-                        binding_id=row.binding_id,
-                        agent_id=row.agent_id,
-                        agent_config_snapshot_id=row.agent_config_snapshot_id,
-                    ),
-                    session_snapshot=CompositorSessionSnapshot.model_validate_json(row.session_snapshot),
-                    backend_run_id=row.backend_run_id,
-                    composition_layer_specs=_deserialize_specs(row.composition_layer_specs),
-                )
-                for row in rows
-            ]
-
-    def save_active_snapshot(
-        self,
-        *,
-        scope: WorkflowAgentSessionScope,
-        backend_run_id: str,
-        snapshot: CompositorSessionSnapshot | None,
-        composition_layer_specs: list[CleanupLayerSpec],
-    ) -> None:
-        if scope.workflow_run_id is None or snapshot is None:
-            return
-
-        snapshot_json = snapshot.model_dump_json()
-        specs_json = _serialize_specs(composition_layer_specs)
-        with session_factory.create_session() as session:
-            row = session.scalar(
-                select(WorkflowAgentRuntimeSession).where(
-                    WorkflowAgentRuntimeSession.tenant_id == scope.tenant_id,
-                    WorkflowAgentRuntimeSession.workflow_run_id == scope.workflow_run_id,
-                    WorkflowAgentRuntimeSession.node_id == scope.node_id,
-                    WorkflowAgentRuntimeSession.binding_id == scope.binding_id,
-                    WorkflowAgentRuntimeSession.agent_id == scope.agent_id,
-                )
-            )
-            if row is None:
-                row = WorkflowAgentRuntimeSession(
-                    tenant_id=scope.tenant_id,
-                    app_id=scope.app_id,
-                    workflow_id=scope.workflow_id,
-                    workflow_run_id=scope.workflow_run_id,
-                    node_id=scope.node_id,
-                    node_execution_id=scope.node_execution_id,
-                    binding_id=scope.binding_id,
-                    agent_id=scope.agent_id,
-                    agent_config_snapshot_id=scope.agent_config_snapshot_id,
-                    backend_run_id=backend_run_id,
-                    session_snapshot=snapshot_json,
-                    composition_layer_specs=specs_json,
-                    status=WorkflowAgentRuntimeSessionStatus.ACTIVE,
-                )
-                session.add(row)
-            else:
-                row.node_execution_id = scope.node_execution_id
-                row.agent_config_snapshot_id = scope.agent_config_snapshot_id
-                row.backend_run_id = backend_run_id
-                row.session_snapshot = snapshot_json
-                row.composition_layer_specs = specs_json
-                row.status = WorkflowAgentRuntimeSessionStatus.ACTIVE
-                row.cleaned_at = None
-            session.commit()
-
-    def mark_cleaned(self, *, scope: WorkflowAgentSessionScope, backend_run_id: str | None = None) -> None:
-        if scope.workflow_run_id is None:
-            return
-
-        with session_factory.create_session() as session:
-            row = session.scalar(
-                select(WorkflowAgentRuntimeSession).where(
-                    WorkflowAgentRuntimeSession.tenant_id == scope.tenant_id,
-                    WorkflowAgentRuntimeSession.workflow_run_id == scope.workflow_run_id,
-                    WorkflowAgentRuntimeSession.node_id == scope.node_id,
-                    WorkflowAgentRuntimeSession.binding_id == scope.binding_id,
-                    WorkflowAgentRuntimeSession.agent_id == scope.agent_id,
-                    WorkflowAgentRuntimeSession.status == WorkflowAgentRuntimeSessionStatus.ACTIVE,
-                )
-            )
-            if row is None:
-                return
-            if backend_run_id is not None:
-                row.backend_run_id = backend_run_id
-            row.status = WorkflowAgentRuntimeSessionStatus.CLEANED
-            row.cleaned_at = naive_utc_now()
-            session.commit()
-
-
-__all__ = [
-    "StoredWorkflowAgentSession",
-    "WorkflowAgentRuntimeSessionStore",
-    "WorkflowAgentSessionScope",
-]

api/core/workflow/nodes/agent_v2/validators.py

@@ -126,7 +126,6 @@ class WorkflowAgentNodeValidator:
             raise WorkflowAgentNodeValidationError(
                 f"Workflow Agent node {binding.node_id} requires Agent Soul model config."
             )
-        cls._validate_agent_soul_tools(binding=binding, agent_soul=agent_soul)
         node_job = WorkflowNodeJobConfig.model_validate(binding.node_job_config_dict)
         cls.validate_node_job(session=session, binding=binding, node_job=node_job, topology=topology)
 
@@ -281,26 +280,6 @@ class WorkflowAgentNodeValidator:
                 f"Workflow Agent node {binding.node_id} references unsupported human contact channel {channel}."
             )
 
-    @classmethod
-    def _validate_agent_soul_tools(
-        cls,
-        *,
-        binding: WorkflowAgentNodeBinding,
-        agent_soul: AgentSoulConfig,
-    ) -> None:
-        exposed_names: set[str] = set()
-        for tool in agent_soul.tools.dify_tools:
-            if not tool.enabled:
-                continue
-            exposed_name = tool.tool_name
-            if exposed_name in exposed_names:
-                raise WorkflowAgentNodeValidationError(
-                    f"Workflow Agent node {binding.node_id} has duplicate Dify Plugin Tool name {exposed_name}."
-                )
-            exposed_names.add(exposed_name)
-        # CLI tools remain saved-but-not-executed. They are allowed at publish
-        # time so existing Agent Soul drafts are not blocked by a reserved field.
-
     @staticmethod
     def _validate_file_ref(
         *,

api/fields/hit_testing_fields.py

@@ -1,96 +1,62 @@
-from datetime import datetime
-from typing import Any
+from flask_restx import fields
 
-from pydantic import field_validator
+from libs.helper import TimestampField
 
-from fields.base import ResponseModel
-from libs.helper import to_timestamp
+document_fields = {
+    "id": fields.String,
+    "data_source_type": fields.String,
+    "name": fields.String,
+    "doc_type": fields.String,
+    "doc_metadata": fields.Raw,
+}
 
+segment_fields = {
+    "id": fields.String,
+    "position": fields.Integer,
+    "document_id": fields.String,
+    "content": fields.String,
+    "sign_content": fields.String,
+    "answer": fields.String,
+    "word_count": fields.Integer,
+    "tokens": fields.Integer,
+    "keywords": fields.List(fields.String),
+    "index_node_id": fields.String,
+    "index_node_hash": fields.String,
+    "hit_count": fields.Integer,
+    "enabled": fields.Boolean,
+    "disabled_at": TimestampField,
+    "disabled_by": fields.String,
+    "status": fields.String,
+    "created_by": fields.String,
+    "created_at": TimestampField,
+    "indexing_at": TimestampField,
+    "completed_at": TimestampField,
+    "error": fields.String,
+    "stopped_at": TimestampField,
+    "document": fields.Nested(document_fields),
+}
 
-class HitTestingQuery(ResponseModel):
-    content: str
+child_chunk_fields = {
+    "id": fields.String,
+    "content": fields.String,
+    "position": fields.Integer,
+    "score": fields.Float,
+}
 
+files_fields = {
+    "id": fields.String,
+    "name": fields.String,
+    "size": fields.Integer,
+    "extension": fields.String,
+    "mime_type": fields.String,
+    "source_url": fields.String,
+}
 
-class HitTestingDocument(ResponseModel):
-    id: str
-    data_source_type: str
-    name: str
-    doc_type: str | None
-    doc_metadata: Any | None
-
-    @field_validator("data_source_type", "doc_type", mode="before")
-    @classmethod
-    def _normalize_enum_fields(cls, value: Any) -> Any:
-        return _normalize_enum(value)
-
-
-class HitTestingSegment(ResponseModel):
-    id: str
-    position: int
-    document_id: str
-    content: str
-    sign_content: str | None
-    answer: str | None
-    word_count: int
-    tokens: int
-    keywords: list[str]
-    index_node_id: str | None
-    index_node_hash: str | None
-    hit_count: int
-    enabled: bool
-    disabled_at: int | None
-    disabled_by: str | None
-    status: str
-    created_by: str
-    created_at: int
-    indexing_at: int | None
-    completed_at: int | None
-    error: str | None
-    stopped_at: int | None
-    document: HitTestingDocument
-
-    @field_validator("disabled_at", "created_at", "indexing_at", "completed_at", "stopped_at", mode="before")
-    @classmethod
-    def _normalize_timestamp(cls, value: datetime | int | None) -> int | None:
-        return to_timestamp(value)
-
-    @field_validator("status", mode="before")
-    @classmethod
-    def _normalize_enum_fields(cls, value: Any) -> Any:
-        return _normalize_enum(value)
-
-
-class HitTestingChildChunk(ResponseModel):
-    id: str
-    content: str
-    position: int
-    score: float
-
-
-class HitTestingFile(ResponseModel):
-    id: str
-    name: str
-    size: int
-    extension: str
-    mime_type: str
-    source_url: str
-
-
-class HitTestingRecord(ResponseModel):
-    segment: HitTestingSegment
-    child_chunks: list[HitTestingChildChunk]
-    score: float | None
-    tsne_position: Any | None
-    files: list[HitTestingFile]
-    summary: str | None
-
-
-class HitTestingResponse(ResponseModel):
-    query: HitTestingQuery
-    records: list[HitTestingRecord]
-
-
-def _normalize_enum(value: Any) -> Any:
-    if isinstance(value, str) or value is None:
-        return value
-    return getattr(value, "value", value)
+hit_testing_record_fields = {
+    "segment": fields.Nested(segment_fields),
+    "child_chunks": fields.List(fields.Nested(child_chunk_fields)),
+    "score": fields.Float,
+    "tsne_position": fields.Raw,
+    "files": fields.List(fields.Nested(files_fields)),
+    "summary": fields.String,  # Summary content if retrieved via summary index
+}

api/libs/oauth_bearer.py

@@ -43,11 +43,6 @@ class SubjectType(StrEnum):
     EXTERNAL_SSO = "external_sso"
 
 
-class TokenType(StrEnum):
-    OAUTH_ACCOUNT = "oauth_account"
-    OAUTH_EXTERNAL_SSO = "oauth_external_sso"
-
-
 class Scope(StrEnum):
     """Catalog of bearer scopes recognised by the openapi surface.
 
@@ -60,8 +55,6 @@ class Scope(StrEnum):
     APPS_READ = "apps:read"
     APPS_READ_PERMITTED_EXTERNAL = "apps:read:permitted-external"
     APPS_RUN = "apps:run"
-    WORKSPACE_READ = "workspace:read"
-    WORKSPACE_WRITE = "workspace:write"
 
 
 class Accepts(StrEnum):
@@ -84,7 +77,7 @@ _SUBJECT_TO_ACCEPT: dict[SubjectType, Accepts] = {
 class AuthContext:
     """Per-request identity published via :data:`_auth_ctx_var`
     (see :func:`set_auth_ctx` / :func:`get_auth_ctx`). ``scopes`` /
-    ``subject_type`` / ``token_type`` come from the TokenKind, not the DB —
+    ``subject_type`` / ``source`` come from the TokenKind, not the DB —
     corrupt rows can't elevate scope.
 
     `verified_tenants` is a snapshot of the Layer-0 verdict cache at
@@ -99,7 +92,7 @@ class AuthContext:
     client_id: str | None
     scopes: frozenset[Scope]
     token_id: uuid.UUID
-    token_type: TokenType
+    source: str
     expires_at: datetime | None
     token_hash: str
     verified_tenants: dict[str, bool] = field(default_factory=dict)
@@ -187,7 +180,7 @@ class TokenKind:
     prefix: str
     subject_type: SubjectType
     scopes: frozenset[Scope]
-    token_type: TokenType
+    source: str
     resolver: Resolver
 
     def matches(self, token: str) -> bool:
@@ -298,7 +291,7 @@ class BearerAuthenticator:
             client_id=row.client_id,
             scopes=kind.scopes,
             token_id=row.token_id,
-            token_type=kind.token_type,
+            source=kind.source,
             expires_at=row.expires_at,
             token_hash=token_hash,
             verified_tenants=dict(row.verified_tenants),
@@ -490,7 +483,7 @@ def check_workspace_membership(
     account_id: uuid.UUID | str,
     tenant_id: str,
     token_hash: str,
-    membership_cache: dict[str, bool],
+    cached_verdicts: dict[str, bool],
 ) -> None:
     """Layer-0 enforcement core. Raises `Forbidden` on deny, returns on allow.
 
@@ -499,7 +492,7 @@ def check_workspace_membership(
     short-circuiting on EE / SSO subjects before invoking — this function
     runs the membership + active-status checks unconditionally.
     """
-    cached = membership_cache.get(tenant_id)
+    cached = cached_verdicts.get(tenant_id)
     if cached is True:
         return
     if cached is False:
@@ -537,7 +530,7 @@ def require_workspace_member(ctx: AuthContext, tenant_id: str) -> None:
         account_id=ctx.account_id,
         tenant_id=tenant_id,
         token_hash=ctx.token_hash,
-        membership_cache=ctx.verified_tenants,
+        cached_verdicts=ctx.verified_tenants,
     )
 
 
@@ -671,14 +664,14 @@ def build_registry(session_factory, redis_client) -> TokenKindRegistry:
                 prefix=account.prefix,
                 subject_type=account.subject_type,
                 scopes=account.scopes,
-                token_type=TokenType.OAUTH_ACCOUNT,
+                source="oauth_account",
                 resolver=oauth.for_account(),
             ),
             TokenKind(
                 prefix=external.prefix,
                 subject_type=external.subject_type,
                 scopes=external.scopes,
-                token_type=TokenType.OAUTH_EXTERNAL_SSO,
+                source="oauth_external_sso",
                 resolver=oauth.for_external_sso(),
             ),
         ]

api/libs/workspace_permission.py

@@ -58,7 +58,7 @@ def check_workspace_owner_transfer_permission(workspace_id: str) -> None:
     Raises:
         Forbidden: If either billing plan or workspace policy prohibits ownership transfer
     """
-    features = FeatureService.get_features(workspace_id, exclude_vector_space=True)
+    features = FeatureService.get_features(workspace_id)
     if not features.is_allow_transfer_workspace:
         raise Forbidden("Your current plan does not allow workspace ownership transfer")
 

api/migrations/versions/2026_05_27_0953-7885bd53f9a9_add_workflow_agent_runtime_sessions.py

@@ -1,90 +0,0 @@
-"""add workflow agent runtime sessions
-
-Revision ID: 7885bd53f9a9
-Revises: d4a5e1f3c9b7
-Create Date: 2026-05-27 09:53:54.711805
-
-"""
-
-import sqlalchemy as sa
-from alembic import op
-
-import models as models
-
-# revision identifiers, used by Alembic.
-revision = "7885bd53f9a9"
-down_revision = "d4a5e1f3c9b7"
-branch_labels = None
-depends_on = None
-
-
-def _is_pg() -> bool:
-    return op.get_bind().dialect.name == "postgresql"
-
-
-def _uuid_column(name: str, *, nullable: bool = False, primary_key: bool = False) -> sa.Column:
-    """Match the ``uuidv7()`` default that other tables on Postgres rely on,
-    while staying portable on MySQL where the ORM supplies the id."""
-    kwargs: dict[str, object] = {"nullable": nullable, "primary_key": primary_key}
-    if primary_key and _is_pg():
-        kwargs["server_default"] = sa.text("uuidv7()")
-    return sa.Column(name, models.types.StringUUID(), **kwargs)
-
-
-def upgrade() -> None:
-    op.create_table(
-        "workflow_agent_runtime_sessions",
-        _uuid_column("id", primary_key=True),
-        sa.Column("tenant_id", models.types.StringUUID(), nullable=False),
-        sa.Column("app_id", models.types.StringUUID(), nullable=False),
-        sa.Column("workflow_id", models.types.StringUUID(), nullable=False),
-        sa.Column("workflow_run_id", models.types.StringUUID(), nullable=False),
-        sa.Column("node_id", sa.String(length=255), nullable=False),
-        sa.Column("node_execution_id", sa.String(length=255), nullable=True),
-        sa.Column("binding_id", models.types.StringUUID(), nullable=False),
-        sa.Column("agent_id", models.types.StringUUID(), nullable=False),
-        sa.Column("agent_config_snapshot_id", models.types.StringUUID(), nullable=False),
-        sa.Column("backend_run_id", sa.String(length=255), nullable=True),
-        sa.Column("session_snapshot", models.types.LongText(), nullable=False),
-        # MySQL rejects ``server_default`` on TEXT/BLOB columns. The JSON
-        # payload is always populated at the ORM layer via
-        # ``WorkflowAgentRuntimeSessionStore.save_active_snapshot`` so the
-        # missing DB-level default cannot leave new rows uninitialized.
-        sa.Column("composition_layer_specs", models.types.LongText(), nullable=False),
-        sa.Column(
-            "status",
-            sa.String(length=32),
-            server_default=sa.text("'active'"),
-            nullable=False,
-        ),
-        sa.Column("cleaned_at", sa.DateTime(), nullable=True),
-        sa.Column("created_at", sa.DateTime(), server_default=sa.func.current_timestamp(), nullable=False),
-        sa.Column("updated_at", sa.DateTime(), server_default=sa.func.current_timestamp(), nullable=False),
-        sa.PrimaryKeyConstraint("id", name=op.f("workflow_agent_runtime_session_pkey")),
-        sa.UniqueConstraint(
-            "tenant_id",
-            "workflow_run_id",
-            "node_id",
-            "binding_id",
-            "agent_id",
-            name=op.f("workflow_agent_runtime_session_scope_unique"),
-        ),
-    )
-    with op.batch_alter_table("workflow_agent_runtime_sessions", schema=None) as batch_op:
-        batch_op.create_index(
-            "workflow_agent_runtime_session_lookup_idx",
-            ["tenant_id", "workflow_run_id", "node_id", "status"],
-            unique=False,
-        )
-        batch_op.create_index(
-            "workflow_agent_runtime_session_backend_run_idx",
-            ["backend_run_id"],
-            unique=False,
-        )
-
-
-def downgrade() -> None:
-    with op.batch_alter_table("workflow_agent_runtime_sessions", schema=None) as batch_op:
-        batch_op.drop_index("workflow_agent_runtime_session_backend_run_idx")
-        batch_op.drop_index("workflow_agent_runtime_session_lookup_idx")
-    op.drop_table("workflow_agent_runtime_sessions")

api/models/__init__.py

@@ -20,8 +20,6 @@ from .agent import (
     AgentStatus,
     WorkflowAgentBindingType,
     WorkflowAgentNodeBinding,
-    WorkflowAgentRuntimeSession,
-    WorkflowAgentRuntimeSessionStatus,
 )
 from .api_based_extension import APIBasedExtension, APIBasedExtensionPoint
 from .comment import (
@@ -237,8 +235,6 @@ __all__ = [
     "Workflow",
     "WorkflowAgentBindingType",
     "WorkflowAgentNodeBinding",
-    "WorkflowAgentRuntimeSession",
-    "WorkflowAgentRuntimeSessionStatus",
     "WorkflowAppLog",
     "WorkflowAppLogCreatedFrom",
     "WorkflowArchiveLog",

api/models/agent.py

@@ -92,15 +92,6 @@ class WorkflowAgentBindingType(StrEnum):
     INLINE_AGENT = "inline_agent"
 
 
-class WorkflowAgentRuntimeSessionStatus(StrEnum):
-    """Lifecycle state of an Agent backend session snapshot owned by a workflow run."""
-
-    # Snapshot can be reused by a later Agent run in the same workflow run.
-    ACTIVE = "active"
-    # Snapshot has been retired and must not be submitted to Agent backend again.
-    CLEANED = "cleaned"
-
-
 class Agent(DefaultFieldsMixin, Base):
     """Workspace-scoped Agent identity used by Agent Roster and workflow-only agents."""
 
@@ -282,56 +273,3 @@ class WorkflowAgentNodeBinding(DefaultFieldsMixin, Base):
         if isinstance(self.node_job_config, str):
             return json.loads(self.node_job_config)
         return dict(self.node_job_config)
-
-
-class WorkflowAgentRuntimeSession(DefaultFieldsMixin, Base):
-    """Persisted Agent backend session snapshot for one workflow Agent node execution scope.
-
-    The snapshot is runtime state returned by Agent backend. It is intentionally
-    separate from Agent Soul snapshots and workflow node-job config.
-    """
-
-    __tablename__ = "workflow_agent_runtime_sessions"
-    __table_args__ = (
-        sa.PrimaryKeyConstraint("id", name="workflow_agent_runtime_session_pkey"),
-        UniqueConstraint(
-            "tenant_id",
-            "workflow_run_id",
-            "node_id",
-            "binding_id",
-            "agent_id",
-            name="workflow_agent_runtime_session_scope_unique",
-        ),
-        Index(
-            "workflow_agent_runtime_session_lookup_idx",
-            "tenant_id",
-            "workflow_run_id",
-            "node_id",
-            "status",
-        ),
-        Index("workflow_agent_runtime_session_backend_run_idx", "backend_run_id"),
-    )
-
-    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    app_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    workflow_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    workflow_run_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    node_id: Mapped[str] = mapped_column(String(255), nullable=False)
-    node_execution_id: Mapped[str | None] = mapped_column(String(255), nullable=True)
-    binding_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    agent_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    agent_config_snapshot_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    backend_run_id: Mapped[str | None] = mapped_column(String(255), nullable=True)
-    session_snapshot: Mapped[str] = mapped_column(LongText, nullable=False)
-    # JSON-encoded list of ``WorkflowAgentSessionLayerSpec`` ({name, type, deps,
-    # config}). Drives Agent backend cleanup-only runs: the agenton compositor
-    # rejects a session snapshot whose layer names do not match the cleanup
-    # composition, so we must replay the same layer graph (minus credential-
-    # bearing plugin layers) when issuing the cleanup request.
-    composition_layer_specs: Mapped[str] = mapped_column(LongText, nullable=False, server_default="[]")
-    status: Mapped[WorkflowAgentRuntimeSessionStatus] = mapped_column(
-        EnumText(WorkflowAgentRuntimeSessionStatus, length=32),
-        nullable=False,
-        default=WorkflowAgentRuntimeSessionStatus.ACTIVE,
-    )
-    cleaned_at: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)

api/models/agent_config_entities.py

@@ -1,6 +1,6 @@
 import re
 from enum import StrEnum
-from typing import Any, Final, Literal
+from typing import Any, Final
 
 from pydantic import BaseModel, ConfigDict, Field, field_validator, model_validator
 
@@ -50,90 +50,8 @@ class AgentSoulSkillsFilesConfig(BaseModel):
     skills: list[dict[str, Any]] = Field(default_factory=list)
 
 
-class AgentSoulDifyToolCredentialRef(BaseModel):
-    """Reference to a stored Dify Plugin Tool credential.
-
-    Secret values are resolved only at runtime. The legacy ``credential_id``
-    field is accepted by :class:`AgentSoulDifyToolConfig` and normalized here so
-    old Agent tool payloads can be read while new payloads stay explicit.
-    """
-
-    model_config = ConfigDict(extra="ignore")
-
-    type: Literal["provider", "tool"] = "tool"
-    id: str | None = Field(default=None, max_length=255)
-    provider: str | None = Field(default=None, max_length=255)
-
-
-class AgentSoulDifyToolConfig(BaseModel):
-    """One Dify Plugin Tool configured on Agent Soul.
-
-    The API backend prepares this persisted product shape into
-    ``DifyPluginToolConfig`` before sending a run request to Agent backend.
-    ``provider_id`` keeps compatibility with existing Agent tool config payloads;
-    new callers should send ``plugin_id`` + ``provider`` when available.
-    """
-
-    # ``extra="ignore"`` (not ``"allow"``) so historical Agent Soul payloads
-    # with unknown fields still load — but the extra keys are dropped instead
-    # of silently riding along into ``model_dump``. New callers should send the
-    # explicit schema fields below.
-    model_config = ConfigDict(extra="ignore")
-
-    enabled: bool = True
-    # Dify Plugin Tools live behind the ``PLUGIN`` provider type. ``BUILT_IN`` /
-    # ``WORKFLOW`` / ``API`` providers are not exposed to the Agent backend in
-    # this layer — keep the default narrow so a missing field surfaces as
-    # ``agent_tool_declaration_not_found`` against the correct provider table.
-    provider_type: str = "plugin"
-    provider_id: str | None = Field(default=None, max_length=255)
-    plugin_id: str | None = Field(default=None, max_length=255)
-    provider: str | None = Field(default=None, max_length=255)
-    tool_name: str = Field(min_length=1, max_length=255)
-    credential_type: Literal["api-key", "oauth2", "unauthorized"] = "api-key"
-    credential_ref: AgentSoulDifyToolCredentialRef | None = None
-    # Reserved for a future user-rename UX. Accepted but currently rejected at
-    # validation time so frontend cannot silently believe a rename took effect
-    # (see :meth:`_validate_provider_and_credentials`).
-    name: str | None = Field(default=None, max_length=255)
-    description: str | None = None
-    runtime_parameters: dict[str, Any] = Field(default_factory=dict)
-
-    @model_validator(mode="before")
-    @classmethod
-    def _normalize_legacy_payload(cls, value: Any) -> Any:
-        if not isinstance(value, dict):
-            return value
-        normalized = dict(value)
-        if normalized.get("provider_id") is None and isinstance(normalized.get("provider_name"), str):
-            normalized["provider_id"] = normalized["provider_name"]
-        if normalized.get("runtime_parameters") is None and isinstance(normalized.get("tool_parameters"), dict):
-            normalized["runtime_parameters"] = normalized["tool_parameters"]
-        if normalized.get("credential_ref") is None and normalized.get("credential_id"):
-            normalized["credential_ref"] = {
-                "type": "tool",
-                "id": normalized.get("credential_id"),
-                "provider": normalized.get("provider_id") or normalized.get("provider"),
-            }
-        return normalized
-
-    @model_validator(mode="after")
-    def _validate_provider_and_credentials(self) -> "AgentSoulDifyToolConfig":
-        if not self.provider_id and not (self.plugin_id and self.provider):
-            raise ValueError("Dify tool requires provider_id or plugin_id + provider")
-        if self.credential_type != "unauthorized" and (self.credential_ref is None or not self.credential_ref.id):
-            raise ValueError("credential_ref.id is required for credentialed Dify tools")
-        # ``name`` is reserved for a future user-rename UX. Until that lands
-        # the model-visible name is forced to match ``tool_name``; reject
-        # explicit values so a frontend bug surfaces immediately instead of
-        # producing a silently-ignored override.
-        if self.name is not None and self.name != self.tool_name:
-            raise ValueError("name override is not yet supported; omit ``name`` or set it equal to ``tool_name``.")
-        return self
-
-
 class AgentSoulToolsConfig(BaseModel):
-    dify_tools: list[AgentSoulDifyToolConfig] = Field(default_factory=list)
+    dify_tools: list[dict[str, Any]] = Field(default_factory=list)
     cli_tools: list[dict[str, Any]] = Field(default_factory=list)