test(cli/e2e): add member management E2E suite (get/create/delete/set member)

28 tests covering all four member commands: get member (10 tests) - list contains created member - required column headers (ID/NAME/EMAIL/ROLE/STATUS) - authenticated account appears as owner/active - JSON shape: data array with id/email/role/status fields - no ANSI codes in non-TTY output - pipe-friendly JSON output (ends with newline) - -o yaml returns valid YAML - -w flag overrides workspace - unauthenticated → exit 4 set member (7 tests) - promote normal → admin, verify via get member - demote admin → normal, verify via get member - --role owner rejected client-side (exit 2) - missing --role → usage error - missing member-id → usage error - non-existent UUID → server error - unauthenticated → exit 4 create member error paths (5 tests) - invalid role (superadmin) rejected client-side (exit 2) - --role owner rejected client-side (exit 2) - missing --email → usage error - missing --role → usage error - unauthenticated → exit 4 delete member (6 tests) - success: member removed from list - cannot delete self → server error - missing member-id → usage error - non-existent UUID → server error - -o json on error → structured error envelope - unauthenticated → exit 4 Data lifecycle: beforeAll invites two auto_test+<ts>@dify.ai members; afterAll cleans them up. No extra env vars required.
test(cli/e2e): remove 5.70f — test premise was incorrect
2026-06-21 06:57:58 +08:00 · 2026-06-18 17:39:11 +08:00 · 2026-06-17 11:59:56 +08:00 · 2026-06-17 10:42:37 +08:00 · 2026-06-16 18:09:19 +08:00 · 2026-06-16 17:19:19 +08:00
1787 changed files with 15808 additions and 132702 deletions
--- a/.agents/skills/component-refactoring/SKILL.md
+++ b/.agents/skills/component-refactoring/SKILL.md
@ -0,0 +1,440 @@
+---
+name: component-refactoring
+description: Refactor high-complexity React components in Dify frontend. Use when `pnpm analyze-component --json` shows complexity > 50 or lineCount > 300, when the user asks for code splitting, hook extraction, or complexity reduction, or when `pnpm analyze-component` warns to refactor before testing; avoid for simple/well-structured components, third-party wrappers, or when the user explicitly wants testing without refactoring.
+---
+
+# Dify Component Refactoring Skill
+
+Refactor high-complexity React components in the Dify frontend codebase with the patterns and workflow below.
+
+> **Complexity Threshold**: Components with complexity > 50 (measured by `pnpm analyze-component`) should be refactored before testing.
+
+## Quick Reference
+
+### Commands (run from `web/`)
+
+Use paths relative to `web/` (e.g., `app/components/...`).
+Use `refactor-component` for refactoring prompts and `analyze-component` for testing prompts and metrics.
+
+```bash
+cd web
+
+# Generate refactoring prompt
+pnpm refactor-component <path>
+
+# Output refactoring analysis as JSON
+pnpm refactor-component <path> --json
+
+# Generate testing prompt (after refactoring)
+pnpm analyze-component <path>
+
+# Output testing analysis as JSON
+pnpm analyze-component <path> --json
+```
+
+### Complexity Analysis
+
+```bash
+# Analyze component complexity
+pnpm analyze-component <path> --json
+
+# Key metrics to check:
+# - complexity: normalized score 0-100 (target < 50)
+# - maxComplexity: highest single function complexity
+# - lineCount: total lines (target < 300)
+```
+
+### Complexity Score Interpretation
+
+| Score | Level | Action |
+|-------|-------|--------|
+| 0-25 | 🟢 Simple | Ready for testing |
+| 26-50 | 🟡 Medium | Consider minor refactoring |
+| 51-75 | 🟠 Complex | **Refactor before testing** |
+| 76-100 | 🔴 Very Complex | **Must refactor** |
+
+## Core Refactoring Patterns
+
+### Pattern 1: Extract Custom Hooks
+
+**When**: Component has complex state management, multiple `useState`/`useEffect`, or business logic mixed with UI.
+
+**Dify Convention**: Place hooks in a `hooks/` subdirectory or alongside the component as `use-<feature>.ts`.
+
+```typescript
+// ❌ Before: Complex state logic in component
+function Configuration() {
+  const [modelConfig, setModelConfig] = useState<ModelConfig>(...)
+  const [datasetConfigs, setDatasetConfigs] = useState<DatasetConfigs>(...)
+  const [completionParams, setCompletionParams] = useState<FormValue>({})
+  
+  // 50+ lines of state management logic...
+  
+  return <div>...</div>
+}
+
+// ✅ After: Extract to custom hook
+// hooks/use-model-config.ts
+export const useModelConfig = (appId: string) => {
+  const [modelConfig, setModelConfig] = useState<ModelConfig>(...)
+  const [completionParams, setCompletionParams] = useState<FormValue>({})
+  
+  // Related state management logic here
+  
+  return { modelConfig, setModelConfig, completionParams, setCompletionParams }
+}
+
+// Component becomes cleaner
+function Configuration() {
+  const { modelConfig, setModelConfig } = useModelConfig(appId)
+  return <div>...</div>
+}
+```
+
+**Dify Examples**:
+- `web/app/components/app/configuration/hooks/use-advanced-prompt-config.ts`
+- `web/app/components/app/configuration/debug/hooks.tsx`
+- `web/app/components/workflow/hooks/use-workflow.ts`
+
+### Pattern 2: Extract Sub-Components
+
+**When**: Single component has multiple UI sections, conditional rendering blocks, or repeated patterns.
+
+**Dify Convention**: Place sub-components in subdirectories or as separate files in the same directory.
+
+```typescript
+// ❌ Before: Monolithic JSX with multiple sections
+const AppInfo = () => {
+  return (
+    <div>
+      {/* 100 lines of header UI */}
+      {/* 100 lines of operations UI */}
+      {/* 100 lines of modals */}
+    </div>
+  )
+}
+
+// ✅ After: Split into focused components
+// app-info/
+//   ├── index.tsx           (orchestration only)
+//   ├── app-header.tsx      (header UI)
+//   ├── app-operations.tsx  (operations UI)
+//   └── app-modals.tsx      (modal management)
+
+const AppInfo = () => {
+  const { showModal, setShowModal } = useAppInfoModals()
+  
+  return (
+    <div>
+      <AppHeader appDetail={appDetail} />
+      <AppOperations onAction={handleAction} />
+      <AppModals show={showModal} onClose={() => setShowModal(null)} />
+    </div>
+  )
+}
+```
+
+**Dify Examples**:
+- `web/app/components/app/configuration/` directory structure
+- `web/app/components/workflow/nodes/` per-node organization
+
+### Pattern 3: Simplify Conditional Logic
+
+**When**: Deep nesting (> 3 levels), complex ternaries, or multiple `if/else` chains.
+
+```typescript
+// ❌ Before: Deeply nested conditionals
+const Template = useMemo(() => {
+  if (appDetail?.mode === AppModeEnum.CHAT) {
+    switch (locale) {
+      case LanguagesSupported[1]:
+        return <TemplateChatZh />
+      case LanguagesSupported[7]:
+        return <TemplateChatJa />
+      default:
+        return <TemplateChatEn />
+    }
+  }
+  if (appDetail?.mode === AppModeEnum.ADVANCED_CHAT) {
+    // Another 15 lines...
+  }
+  // More conditions...
+}, [appDetail, locale])
+
+// ✅ After: Use lookup tables + early returns
+const TEMPLATE_MAP = {
+  [AppModeEnum.CHAT]: {
+    [LanguagesSupported[1]]: TemplateChatZh,
+    [LanguagesSupported[7]]: TemplateChatJa,
+    default: TemplateChatEn,
+  },
+  [AppModeEnum.ADVANCED_CHAT]: {
+    [LanguagesSupported[1]]: TemplateAdvancedChatZh,
+    // ...
+  },
+}
+
+const Template = useMemo(() => {
+  const modeTemplates = TEMPLATE_MAP[appDetail?.mode]
+  if (!modeTemplates) return null
+  
+  const TemplateComponent = modeTemplates[locale] || modeTemplates.default
+  return <TemplateComponent appDetail={appDetail} />
+}, [appDetail, locale])
+```
+
+### Pattern 4: Extract API/Data Logic
+
+**When**: Component directly handles API calls, data transformation, or complex async operations.
+
+**Dify Convention**:
+- This skill is for component decomposition, not query/mutation design.
+- Do not introduce deprecated `useInvalid` / `useReset`.
+- Do not add thin passthrough `useQuery` wrappers during refactoring; only extract a custom hook when it truly orchestrates multiple queries/mutations or shared derived state.
+
+**Dify Examples**:
+- `web/service/use-workflow.ts`
+- `web/service/use-common.ts`
+- `web/service/knowledge/use-dataset.ts`
+- `web/service/knowledge/use-document.ts`
+
+### Pattern 5: Extract Modal/Dialog Management
+
+**When**: Component manages multiple modals with complex open/close states.
+
+**Dify Convention**: Modals should be extracted with their state management.
+
+```typescript
+// ❌ Before: Multiple modal states in component
+const AppInfo = () => {
+  const [showEditModal, setShowEditModal] = useState(false)
+  const [showDuplicateModal, setShowDuplicateModal] = useState(false)
+  const [showConfirmDelete, setShowConfirmDelete] = useState(false)
+  const [showSwitchModal, setShowSwitchModal] = useState(false)
+  const [showImportDSLModal, setShowImportDSLModal] = useState(false)
+  // 5+ more modal states...
+}
+
+// ✅ After: Extract to modal management hook
+type ModalType = 'edit' | 'duplicate' | 'delete' | 'switch' | 'import' | null
+
+const useAppInfoModals = () => {
+  const [activeModal, setActiveModal] = useState<ModalType>(null)
+  
+  const openModal = useCallback((type: ModalType) => setActiveModal(type), [])
+  const closeModal = useCallback(() => setActiveModal(null), [])
+  
+  return {
+    activeModal,
+    openModal,
+    closeModal,
+    isOpen: (type: ModalType) => activeModal === type,
+  }
+}
+```
+
+### Pattern 6: Extract Form Logic
+
+**When**: Complex form validation, submission handling, or field transformation.
+
+**Dify Convention**: Use `@tanstack/react-form` patterns from `web/app/components/base/form/`.
+
+```typescript
+// ✅ Use existing form infrastructure
+import { useAppForm } from '@/app/components/base/form'
+
+const ConfigForm = () => {
+  const form = useAppForm({
+    defaultValues: { name: '', description: '' },
+    onSubmit: handleSubmit,
+  })
+  
+  return <form.Provider>...</form.Provider>
+}
+```
+
+## Dify-Specific Refactoring Guidelines
+
+### 1. Context Provider Extraction
+
+**When**: Component provides complex context values with multiple states.
+
+```typescript
+// ❌ Before: Large context value object
+const value = {
+  appId, isAPIKeySet, isTrailFinished, mode, modelModeType,
+  promptMode, isAdvancedMode, isAgent, isOpenAI, isFunctionCall,
+  // 50+ more properties...
+}
+return <ConfigContext.Provider value={value}>...</ConfigContext.Provider>
+
+// ✅ After: Split into domain-specific contexts
+<ModelConfigProvider value={modelConfigValue}>
+  <DatasetConfigProvider value={datasetConfigValue}>
+    <UIConfigProvider value={uiConfigValue}>
+      {children}
+    </UIConfigProvider>
+  </DatasetConfigProvider>
+</ModelConfigProvider>
+```
+
+**Dify Reference**: `web/context/` directory structure
+
+### 2. Workflow Node Components
+
+**When**: Refactoring workflow node components (`web/app/components/workflow/nodes/`).
+
+**Conventions**:
+- Keep node logic in `use-interactions.ts`
+- Extract panel UI to separate files
+- Use `_base` components for common patterns
+
+```
+nodes/<node-type>/
+  ├── index.tsx              # Node registration
+  ├── node.tsx               # Node visual component
+  ├── panel.tsx              # Configuration panel
+  ├── use-interactions.ts    # Node-specific hooks
+  └── types.ts               # Type definitions
+```
+
+### 3. Configuration Components
+
+**When**: Refactoring app configuration components.
+
+**Conventions**:
+- Separate config sections into subdirectories
+- Use existing patterns from `web/app/components/app/configuration/`
+- Keep feature toggles in dedicated components
+
+### 4. Tool/Plugin Components
+
+**When**: Refactoring tool-related components (`web/app/components/tools/`).
+
+**Conventions**:
+- Follow existing modal patterns
+- Use service hooks from `web/service/use-tools.ts`
+- Keep provider-specific logic isolated
+
+## Refactoring Workflow
+
+### Step 1: Generate Refactoring Prompt
+
+```bash
+pnpm refactor-component <path>
+```
+
+This command will:
+- Analyze component complexity and features
+- Identify specific refactoring actions needed
+- Generate a prompt for AI assistant (auto-copied to clipboard on macOS)
+- Provide detailed requirements based on detected patterns
+
+### Step 2: Analyze Details
+
+```bash
+pnpm analyze-component <path> --json
+```
+
+Identify:
+- Total complexity score
+- Max function complexity
+- Line count
+- Features detected (state, effects, API, etc.)
+
+### Step 3: Plan
+
+Create a refactoring plan based on detected features:
+
+| Detected Feature | Refactoring Action |
+|------------------|-------------------|
+| `hasState: true` + `hasEffects: true` | Extract custom hook |
+| `hasAPI: true` | Extract data/service hook |
+| `hasEvents: true` (many) | Extract event handlers |
+| `lineCount > 300` | Split into sub-components |
+| `maxComplexity > 50` | Simplify conditional logic |
+
+### Step 4: Execute Incrementally
+
+1. **Extract one piece at a time**
+2. **Run lint, type-check, and tests after each extraction**
+3. **Verify functionality before next step**
+
+```
+For each extraction:
+  ┌────────────────────────────────────────┐
+  │ 1. Extract code                        │
+  │ 2. Run: pnpm lint:fix                  │
+  │ 3. Run: pnpm type-check                │
+  │ 4. Run: pnpm test                      │
+  │ 5. Test functionality manually         │
+  │ 6. PASS? → Next extraction             │
+  │    FAIL? → Fix before continuing       │
+  └────────────────────────────────────────┘
+```
+
+### Step 5: Verify
+
+After refactoring:
+
+```bash
+# Re-run refactor command to verify improvements
+pnpm refactor-component <path>
+
+# If complexity < 25 and lines < 200, you'll see:
+# ✅ COMPONENT IS WELL-STRUCTURED
+
+# For detailed metrics:
+pnpm analyze-component <path> --json
+
+# Target metrics:
+# - complexity < 50
+# - lineCount < 300
+# - maxComplexity < 30
+```
+
+## Common Mistakes to Avoid
+
+### ❌ Over-Engineering
+
+```typescript
+// ❌ Too many tiny hooks
+const useButtonText = () => useState('Click')
+const useButtonDisabled = () => useState(false)
+const useButtonLoading = () => useState(false)
+
+// ✅ Cohesive hook with related state
+const useButtonState = () => {
+  const [text, setText] = useState('Click')
+  const [disabled, setDisabled] = useState(false)
+  const [loading, setLoading] = useState(false)
+  return { text, setText, disabled, setDisabled, loading, setLoading }
+}
+```
+
+### ❌ Breaking Existing Patterns
+
+- Follow existing directory structures
+- Maintain naming conventions
+- Preserve export patterns for compatibility
+
+### ❌ Premature Abstraction
+
+- Only extract when there's clear complexity benefit
+- Don't create abstractions for single-use code
+- Keep refactored code in the same domain area
+
+## References
+
+### Dify Codebase Examples
+
+- **Hook extraction**: `web/app/components/app/configuration/hooks/`
+- **Component splitting**: `web/app/components/app/configuration/`
+- **Service hooks**: `web/service/use-*.ts`
+- **Workflow patterns**: `web/app/components/workflow/hooks/`
+- **Form patterns**: `web/app/components/base/form/`
+
+### Related Skills
+
+- `frontend-testing` - For testing refactored components
+- `web/docs/test.md` - Testing specification
--- a/.agents/skills/component-refactoring/references/complexity-patterns.md
+++ b/.agents/skills/component-refactoring/references/complexity-patterns.md
@ -0,0 +1,495 @@
+# Complexity Reduction Patterns
+
+This document provides patterns for reducing cognitive complexity in Dify React components.
+
+## Understanding Complexity
+
+### SonarJS Cognitive Complexity
+
+The `pnpm analyze-component` tool uses SonarJS cognitive complexity metrics:
+
+- **Total Complexity**: Sum of all functions' complexity in the file
+- **Max Complexity**: Highest single function complexity
+
+### What Increases Complexity
+
+| Pattern | Complexity Impact |
+|---------|-------------------|
+| `if/else` | +1 per branch |
+| Nested conditions | +1 per nesting level |
+| `switch/case` | +1 per case |
+| `for/while/do` | +1 per loop |
+| `&&`/`||` chains | +1 per operator |
+| Nested callbacks | +1 per nesting level |
+| `try/catch` | +1 per catch |
+| Ternary expressions | +1 per nesting |
+
+## Pattern 1: Replace Conditionals with Lookup Tables
+
+**Before** (complexity: ~15):
+
+```typescript
+const Template = useMemo(() => {
+  if (appDetail?.mode === AppModeEnum.CHAT) {
+    switch (locale) {
+      case LanguagesSupported[1]:
+        return <TemplateChatZh appDetail={appDetail} />
+      case LanguagesSupported[7]:
+        return <TemplateChatJa appDetail={appDetail} />
+      default:
+        return <TemplateChatEn appDetail={appDetail} />
+    }
+  }
+  if (appDetail?.mode === AppModeEnum.ADVANCED_CHAT) {
+    switch (locale) {
+      case LanguagesSupported[1]:
+        return <TemplateAdvancedChatZh appDetail={appDetail} />
+      case LanguagesSupported[7]:
+        return <TemplateAdvancedChatJa appDetail={appDetail} />
+      default:
+        return <TemplateAdvancedChatEn appDetail={appDetail} />
+    }
+  }
+  if (appDetail?.mode === AppModeEnum.WORKFLOW) {
+    // Similar pattern...
+  }
+  return null
+}, [appDetail, locale])
+```
+
+**After** (complexity: ~3):
+
+```typescript
+import type { ComponentType } from 'react'
+
+// Define lookup table outside component
+const TEMPLATE_MAP: Record<AppModeEnum, Record<string, ComponentType<TemplateProps>>> = {
+  [AppModeEnum.CHAT]: {
+    [LanguagesSupported[1]]: TemplateChatZh,
+    [LanguagesSupported[7]]: TemplateChatJa,
+    default: TemplateChatEn,
+  },
+  [AppModeEnum.ADVANCED_CHAT]: {
+    [LanguagesSupported[1]]: TemplateAdvancedChatZh,
+    [LanguagesSupported[7]]: TemplateAdvancedChatJa,
+    default: TemplateAdvancedChatEn,
+  },
+  [AppModeEnum.WORKFLOW]: {
+    [LanguagesSupported[1]]: TemplateWorkflowZh,
+    [LanguagesSupported[7]]: TemplateWorkflowJa,
+    default: TemplateWorkflowEn,
+  },
+  // ...
+}
+
+// Clean component logic
+const Template = useMemo(() => {
+  if (!appDetail?.mode) return null
+  
+  const templates = TEMPLATE_MAP[appDetail.mode]
+  if (!templates) return null
+  
+  const TemplateComponent = templates[locale] ?? templates.default
+  return <TemplateComponent appDetail={appDetail} />
+}, [appDetail, locale])
+```
+
+## Pattern 2: Use Early Returns
+
+**Before** (complexity: ~10):
+
+```typescript
+const handleSubmit = () => {
+  if (isValid) {
+    if (hasChanges) {
+      if (isConnected) {
+        submitData()
+      } else {
+        showConnectionError()
+      }
+    } else {
+      showNoChangesMessage()
+    }
+  } else {
+    showValidationError()
+  }
+}
+```
+
+**After** (complexity: ~4):
+
+```typescript
+const handleSubmit = () => {
+  if (!isValid) {
+    showValidationError()
+    return
+  }
+  
+  if (!hasChanges) {
+    showNoChangesMessage()
+    return
+  }
+  
+  if (!isConnected) {
+    showConnectionError()
+    return
+  }
+  
+  submitData()
+}
+```
+
+## Pattern 3: Extract Complex Conditions
+
+**Before** (complexity: high):
+
+```typescript
+const canPublish = (() => {
+  if (mode !== AppModeEnum.COMPLETION) {
+    if (!isAdvancedMode)
+      return true
+
+    if (modelModeType === ModelModeType.completion) {
+      if (!hasSetBlockStatus.history || !hasSetBlockStatus.query)
+        return false
+      return true
+    }
+    return true
+  }
+  return !promptEmpty
+})()
+```
+
+**After** (complexity: lower):
+
+```typescript
+// Extract to named functions
+const canPublishInCompletionMode = () => !promptEmpty
+
+const canPublishInChatMode = () => {
+  if (!isAdvancedMode) return true
+  if (modelModeType !== ModelModeType.completion) return true
+  return hasSetBlockStatus.history && hasSetBlockStatus.query
+}
+
+// Clean main logic
+const canPublish = mode === AppModeEnum.COMPLETION
+  ? canPublishInCompletionMode()
+  : canPublishInChatMode()
+```
+
+## Pattern 4: Replace Chained Ternaries
+
+**Before** (complexity: ~5):
+
+```typescript
+const statusText = serverActivated
+  ? t('status.running')
+  : serverPublished
+    ? t('status.inactive')
+    : appUnpublished
+      ? t('status.unpublished')
+      : t('status.notConfigured')
+```
+
+**After** (complexity: ~2):
+
+```typescript
+const getStatusText = () => {
+  if (serverActivated) return t('status.running')
+  if (serverPublished) return t('status.inactive')
+  if (appUnpublished) return t('status.unpublished')
+  return t('status.notConfigured')
+}
+
+const statusText = getStatusText()
+```
+
+Or use lookup:
+
+```typescript
+const STATUS_TEXT_MAP = {
+  running: 'status.running',
+  inactive: 'status.inactive',
+  unpublished: 'status.unpublished',
+  notConfigured: 'status.notConfigured',
+} as const
+
+const getStatusKey = (): keyof typeof STATUS_TEXT_MAP => {
+  if (serverActivated) return 'running'
+  if (serverPublished) return 'inactive'
+  if (appUnpublished) return 'unpublished'
+  return 'notConfigured'
+}
+
+const statusText = t(STATUS_TEXT_MAP[getStatusKey()])
+```
+
+## Pattern 5: Flatten Nested Loops
+
+**Before** (complexity: high):
+
+```typescript
+const processData = (items: Item[]) => {
+  const results: ProcessedItem[] = []
+  
+  for (const item of items) {
+    if (item.isValid) {
+      for (const child of item.children) {
+        if (child.isActive) {
+          for (const prop of child.properties) {
+            if (prop.value !== null) {
+              results.push({
+                itemId: item.id,
+                childId: child.id,
+                propValue: prop.value,
+              })
+            }
+          }
+        }
+      }
+    }
+  }
+  
+  return results
+}
+```
+
+**After** (complexity: lower):
+
+```typescript
+// Use functional approach
+const processData = (items: Item[]) => {
+  return items
+    .filter(item => item.isValid)
+    .flatMap(item =>
+      item.children
+        .filter(child => child.isActive)
+        .flatMap(child =>
+          child.properties
+            .filter(prop => prop.value !== null)
+            .map(prop => ({
+              itemId: item.id,
+              childId: child.id,
+              propValue: prop.value,
+            }))
+        )
+    )
+}
+```
+
+## Pattern 6: Extract Event Handler Logic
+
+**Before** (complexity: high in component):
+
+```typescript
+const Component = () => {
+  const handleSelect = (data: DataSet[]) => {
+    if (isEqual(data.map(item => item.id), dataSets.map(item => item.id))) {
+      hideSelectDataSet()
+      return
+    }
+
+    formattingChangedDispatcher()
+    let newDatasets = data
+    if (data.find(item => !item.name)) {
+      const newSelected = produce(data, (draft) => {
+        data.forEach((item, index) => {
+          if (!item.name) {
+            const newItem = dataSets.find(i => i.id === item.id)
+            if (newItem)
+              draft[index] = newItem
+          }
+        })
+      })
+      setDataSets(newSelected)
+      newDatasets = newSelected
+    }
+    else {
+      setDataSets(data)
+    }
+    hideSelectDataSet()
+    
+    // 40 more lines of logic...
+  }
+  
+  return <div>...</div>
+}
+```
+
+**After** (complexity: lower):
+
+```typescript
+// Extract to hook or utility
+const useDatasetSelection = (dataSets: DataSet[], setDataSets: SetState<DataSet[]>) => {
+  const normalizeSelection = (data: DataSet[]) => {
+    const hasUnloadedItem = data.some(item => !item.name)
+    if (!hasUnloadedItem) return data
+    
+    return produce(data, (draft) => {
+      data.forEach((item, index) => {
+        if (!item.name) {
+          const existing = dataSets.find(i => i.id === item.id)
+          if (existing) draft[index] = existing
+        }
+      })
+    })
+  }
+  
+  const hasSelectionChanged = (newData: DataSet[]) => {
+    return !isEqual(
+      newData.map(item => item.id),
+      dataSets.map(item => item.id)
+    )
+  }
+  
+  return { normalizeSelection, hasSelectionChanged }
+}
+
+// Component becomes cleaner
+const Component = () => {
+  const { normalizeSelection, hasSelectionChanged } = useDatasetSelection(dataSets, setDataSets)
+  
+  const handleSelect = (data: DataSet[]) => {
+    if (!hasSelectionChanged(data)) {
+      hideSelectDataSet()
+      return
+    }
+    
+    formattingChangedDispatcher()
+    const normalized = normalizeSelection(data)
+    setDataSets(normalized)
+    hideSelectDataSet()
+  }
+  
+  return <div>...</div>
+}
+```
+
+## Pattern 7: Reduce Boolean Logic Complexity
+
+**Before** (complexity: ~8):
+
+```typescript
+const toggleDisabled = hasInsufficientPermissions
+  || appUnpublished
+  || missingStartNode
+  || triggerModeDisabled
+  || (isAdvancedApp && !currentWorkflow?.graph)
+  || (isBasicApp && !basicAppConfig.updated_at)
+```
+
+**After** (complexity: ~3):
+
+```typescript
+// Extract meaningful boolean functions
+const isAppReady = () => {
+  if (isAdvancedApp) return !!currentWorkflow?.graph
+  return !!basicAppConfig.updated_at
+}
+
+const hasRequiredPermissions = () => {
+  return isCurrentWorkspaceEditor && !hasInsufficientPermissions
+}
+
+const canToggle = () => {
+  if (!hasRequiredPermissions()) return false
+  if (!isAppReady()) return false
+  if (missingStartNode) return false
+  if (triggerModeDisabled) return false
+  return true
+}
+
+const toggleDisabled = !canToggle()
+```
+
+## Pattern 8: Simplify useMemo/useCallback Dependencies
+
+**Before** (complexity: multiple recalculations):
+
+```typescript
+const payload = useMemo(() => {
+  let parameters: Parameter[] = []
+  let outputParameters: OutputParameter[] = []
+
+  if (!published) {
+    parameters = (inputs || []).map((item) => ({
+      name: item.variable,
+      description: '',
+      form: 'llm',
+      required: item.required,
+      type: item.type,
+    }))
+    outputParameters = (outputs || []).map((item) => ({
+      name: item.variable,
+      description: '',
+      type: item.value_type,
+    }))
+  }
+  else if (detail && detail.tool) {
+    parameters = (inputs || []).map((item) => ({
+      // Complex transformation...
+    }))
+    outputParameters = (outputs || []).map((item) => ({
+      // Complex transformation...
+    }))
+  }
+  
+  return {
+    icon: detail?.icon || icon,
+    label: detail?.label || name,
+    // ...more fields
+  }
+}, [detail, published, workflowAppId, icon, name, description, inputs, outputs])
+```
+
+**After** (complexity: separated concerns):
+
+```typescript
+// Separate transformations
+const useParameterTransform = (inputs: InputVar[], detail?: ToolDetail, published?: boolean) => {
+  return useMemo(() => {
+    if (!published) {
+      return inputs.map(item => ({
+        name: item.variable,
+        description: '',
+        form: 'llm',
+        required: item.required,
+        type: item.type,
+      }))
+    }
+    
+    if (!detail?.tool) return []
+    
+    return inputs.map(item => ({
+      name: item.variable,
+      required: item.required,
+      type: item.type === 'paragraph' ? 'string' : item.type,
+      description: detail.tool.parameters.find(p => p.name === item.variable)?.llm_description || '',
+      form: detail.tool.parameters.find(p => p.name === item.variable)?.form || 'llm',
+    }))
+  }, [inputs, detail, published])
+}
+
+// Component uses hook
+const parameters = useParameterTransform(inputs, detail, published)
+const outputParameters = useOutputTransform(outputs, detail, published)
+
+const payload = useMemo(() => ({
+  icon: detail?.icon || icon,
+  label: detail?.label || name,
+  parameters,
+  outputParameters,
+  // ...
+}), [detail, icon, name, parameters, outputParameters])
+```
+
+## Target Metrics After Refactoring
+
+| Metric | Target |
+|--------|--------|
+| Total Complexity | < 50 |
+| Max Function Complexity | < 30 |
+| Function Length | < 30 lines |
+| Nesting Depth | ≤ 3 levels |
+| Conditional Chains | ≤ 3 conditions |
--- a/.agents/skills/component-refactoring/references/component-splitting.md
+++ b/.agents/skills/component-refactoring/references/component-splitting.md
@ -0,0 +1,477 @@
+# Component Splitting Patterns
+
+This document provides detailed guidance on splitting large components into smaller, focused components in Dify.
+
+## When to Split Components
+
+Split a component when you identify:
+
+1. **Multiple UI sections** - Distinct visual areas with minimal coupling that can be composed independently
+1. **Conditional rendering blocks** - Large `{condition && <JSX />}` blocks
+1. **Repeated patterns** - Similar UI structures used multiple times
+1. **300+ lines** - Component exceeds manageable size
+1. **Modal clusters** - Multiple modals rendered in one component
+
+## Splitting Strategies
+
+### Strategy 1: Section-Based Splitting
+
+Identify visual sections and extract each as a component.
+
+```typescript
+// ❌ Before: Monolithic component (500+ lines)
+const ConfigurationPage = () => {
+  return (
+    <div>
+      {/* Header Section - 50 lines */}
+      <div className="header">
+        <h1>{t('configuration.title')}</h1>
+        <div className="actions">
+          {isAdvancedMode && <Badge>Advanced</Badge>}
+          <ModelParameterModal ... />
+          <AppPublisher ... />
+        </div>
+      </div>
+      
+      {/* Config Section - 200 lines */}
+      <div className="config">
+        <Config />
+      </div>
+      
+      {/* Debug Section - 150 lines */}
+      <div className="debug">
+        <Debug ... />
+      </div>
+      
+      {/* Modals Section - 100 lines */}
+      {showSelectDataSet && <SelectDataSet ... />}
+      {showHistoryModal && <EditHistoryModal ... />}
+      {showUseGPT4Confirm && <Confirm ... />}
+    </div>
+  )
+}
+
+// ✅ After: Split into focused components
+// configuration/
+//   ├── index.tsx              (orchestration)
+//   ├── configuration-header.tsx
+//   ├── configuration-content.tsx
+//   ├── configuration-debug.tsx
+//   └── configuration-modals.tsx
+
+// configuration-header.tsx
+interface ConfigurationHeaderProps {
+  isAdvancedMode: boolean
+  onPublish: () => void
+}
+
+function ConfigurationHeader({
+  isAdvancedMode,
+  onPublish,
+}: ConfigurationHeaderProps) {
+  const { t } = useTranslation()
+  
+  return (
+    <div className="header">
+      <h1>{t('configuration.title')}</h1>
+      <div className="actions">
+        {isAdvancedMode && <Badge>Advanced</Badge>}
+        <ModelParameterModal ... />
+        <AppPublisher onPublish={onPublish} />
+      </div>
+    </div>
+  )
+}
+
+// index.tsx (orchestration only)
+const ConfigurationPage = () => {
+  const { modelConfig, setModelConfig } = useModelConfig()
+  const { activeModal, openModal, closeModal } = useModalState()
+  
+  return (
+    <div>
+      <ConfigurationHeader
+        isAdvancedMode={isAdvancedMode}
+        onPublish={handlePublish}
+      />
+      <ConfigurationContent
+        modelConfig={modelConfig}
+        onConfigChange={setModelConfig}
+      />
+      {!isMobile && (
+        <ConfigurationDebug
+          inputs={inputs}
+          onSetting={handleSetting}
+        />
+      )}
+      <ConfigurationModals
+        activeModal={activeModal}
+        onClose={closeModal}
+      />
+    </div>
+  )
+}
+```
+
+### Strategy 2: Conditional Block Extraction
+
+Extract large conditional rendering blocks.
+
+```typescript
+// ❌ Before: Large conditional blocks
+const AppInfo = () => {
+  return (
+    <div>
+      {expand ? (
+        <div className="expanded">
+          {/* 100 lines of expanded view */}
+        </div>
+      ) : (
+        <div className="collapsed">
+          {/* 50 lines of collapsed view */}
+        </div>
+      )}
+    </div>
+  )
+}
+
+// ✅ After: Separate view components
+function AppInfoExpanded({ appDetail, onAction }: AppInfoViewProps) {
+  return (
+    <div className="expanded">
+      {/* Clean, focused expanded view */}
+    </div>
+  )
+}
+
+function AppInfoCollapsed({ appDetail, onAction }: AppInfoViewProps) {
+  return (
+    <div className="collapsed">
+      {/* Clean, focused collapsed view */}
+    </div>
+  )
+}
+
+const AppInfo = () => {
+  return (
+    <div>
+      {expand
+        ? <AppInfoExpanded appDetail={appDetail} onAction={handleAction} />
+        : <AppInfoCollapsed appDetail={appDetail} onAction={handleAction} />
+      }
+    </div>
+  )
+}
+```
+
+### Strategy 3: Modal Extraction
+
+Extract modals with their trigger logic.
+
+```typescript
+// ❌ Before: Multiple modals in one component
+const AppInfo = () => {
+  const [showEdit, setShowEdit] = useState(false)
+  const [showDuplicate, setShowDuplicate] = useState(false)
+  const [showDelete, setShowDelete] = useState(false)
+  const [showSwitch, setShowSwitch] = useState(false)
+  
+  const onEdit = async (data) => { /* 20 lines */ }
+  const onDuplicate = async (data) => { /* 20 lines */ }
+  const onDelete = async () => { /* 15 lines */ }
+  
+  return (
+    <div>
+      {/* Main content */}
+      
+      {showEdit && <EditModal onConfirm={onEdit} onClose={() => setShowEdit(false)} />}
+      {showDuplicate && <DuplicateModal onConfirm={onDuplicate} onClose={() => setShowDuplicate(false)} />}
+      {showDelete && <DeleteConfirm onConfirm={onDelete} onClose={() => setShowDelete(false)} />}
+      {showSwitch && <SwitchModal ... />}
+    </div>
+  )
+}
+
+// ✅ After: Modal manager component
+// app-info-modals.tsx
+type ModalType = 'edit' | 'duplicate' | 'delete' | 'switch' | null
+
+interface AppInfoModalsProps {
+  appDetail: AppDetail
+  activeModal: ModalType
+  onClose: () => void
+  onSuccess: () => void
+}
+
+function AppInfoModals({
+  appDetail,
+  activeModal,
+  onClose,
+  onSuccess,
+}: AppInfoModalsProps) {
+  const handleEdit = async (data) => { /* logic */ }
+  const handleDuplicate = async (data) => { /* logic */ }
+  const handleDelete = async () => { /* logic */ }
+
+  return (
+    <>
+      {activeModal === 'edit' && (
+        <EditModal
+          appDetail={appDetail}
+          onConfirm={handleEdit}
+          onClose={onClose}
+        />
+      )}
+      {activeModal === 'duplicate' && (
+        <DuplicateModal
+          appDetail={appDetail}
+          onConfirm={handleDuplicate}
+          onClose={onClose}
+        />
+      )}
+      {activeModal === 'delete' && (
+        <DeleteConfirm
+          onConfirm={handleDelete}
+          onClose={onClose}
+        />
+      )}
+      {activeModal === 'switch' && (
+        <SwitchModal
+          appDetail={appDetail}
+          onClose={onClose}
+        />
+      )}
+    </>
+  )
+}
+
+// Parent component
+const AppInfo = () => {
+  const { activeModal, openModal, closeModal } = useModalState()
+  
+  return (
+    <div>
+      {/* Main content with openModal triggers */}
+      <Button onClick={() => openModal('edit')}>Edit</Button>
+      
+      <AppInfoModals
+        appDetail={appDetail}
+        activeModal={activeModal}
+        onClose={closeModal}
+        onSuccess={handleSuccess}
+      />
+    </div>
+  )
+}
+```
+
+### Strategy 4: List Item Extraction
+
+Extract repeated item rendering.
+
+```typescript
+// ❌ Before: Inline item rendering
+const OperationsList = () => {
+  return (
+    <div>
+      {operations.map(op => (
+        <div key={op.id} className="operation-item">
+          <span className="icon">{op.icon}</span>
+          <span className="title">{op.title}</span>
+          <span className="description">{op.description}</span>
+          <button onClick={() => op.onClick()}>
+            {op.actionLabel}
+          </button>
+          {op.badge && <Badge>{op.badge}</Badge>}
+          {/* More complex rendering... */}
+        </div>
+      ))}
+    </div>
+  )
+}
+
+// ✅ After: Extracted item component
+interface OperationItemProps {
+  operation: Operation
+  onAction: (id: string) => void
+}
+
+function OperationItem({ operation, onAction }: OperationItemProps) {
+  return (
+    <div className="operation-item">
+      <span className="icon">{operation.icon}</span>
+      <span className="title">{operation.title}</span>
+      <span className="description">{operation.description}</span>
+      <button onClick={() => onAction(operation.id)}>
+        {operation.actionLabel}
+      </button>
+      {operation.badge && <Badge>{operation.badge}</Badge>}
+    </div>
+  )
+}
+
+const OperationsList = () => {
+  const handleAction = useCallback((id: string) => {
+    const op = operations.find(o => o.id === id)
+    op?.onClick()
+  }, [operations])
+
+  return (
+    <div>
+      {operations.map(op => (
+        <OperationItem
+          key={op.id}
+          operation={op}
+          onAction={handleAction}
+        />
+      ))}
+    </div>
+  )
+}
+```
+
+## Directory Structure Patterns
+
+### Pattern A: Flat Structure (Simple Components)
+
+For components with 2-3 sub-components:
+
+```
+component-name/
+  ├── index.tsx           # Main component
+  ├── sub-component-a.tsx
+  ├── sub-component-b.tsx
+  └── types.ts            # Shared types
+```
+
+### Pattern B: Nested Structure (Complex Components)
+
+For components with many sub-components:
+
+```
+component-name/
+  ├── index.tsx           # Main orchestration
+  ├── types.ts            # Shared types
+  ├── hooks/
+  │   ├── use-feature-a.ts
+  │   └── use-feature-b.ts
+  ├── components/
+  │   ├── header/
+  │   │   └── index.tsx
+  │   ├── content/
+  │   │   └── index.tsx
+  │   └── modals/
+  │       └── index.tsx
+  └── utils/
+      └── helpers.ts
+```
+
+### Pattern C: Feature-Based Structure (Dify Standard)
+
+Following Dify's existing patterns:
+
+```
+configuration/
+  ├── index.tsx           # Main page component
+  ├── base/               # Base/shared components
+  │   ├── feature-panel/
+  │   ├── group-name/
+  │   └── operation-btn/
+  ├── config/             # Config section
+  │   ├── index.tsx
+  │   ├── agent/
+  │   └── automatic/
+  ├── dataset-config/     # Dataset section
+  │   ├── index.tsx
+  │   ├── card-item/
+  │   └── params-config/
+  ├── debug/              # Debug section
+  │   ├── index.tsx
+  │   └── hooks.tsx
+  └── hooks/              # Shared hooks
+      └── use-advanced-prompt-config.ts
+```
+
+## Props Design
+
+### Minimal Props Principle
+
+Pass only what's needed:
+
+```typescript
+// ❌ Bad: Passing entire objects when only some fields needed
+<ConfigHeader appDetail={appDetail} modelConfig={modelConfig} />
+
+// ✅ Good: Destructure to minimum required
+<ConfigHeader
+  appName={appDetail.name}
+  isAdvancedMode={modelConfig.isAdvanced}
+  onPublish={handlePublish}
+/>
+```
+
+### Callback Props Pattern
+
+Use callbacks for child-to-parent communication:
+
+```typescript
+// Parent
+const Parent = () => {
+  const [value, setValue] = useState('')
+  
+  return (
+    <Child
+      value={value}
+      onChange={setValue}
+      onSubmit={handleSubmit}
+    />
+  )
+}
+
+// Child
+interface ChildProps {
+  value: string
+  onChange: (value: string) => void
+  onSubmit: () => void
+}
+
+function Child({ value, onChange, onSubmit }: ChildProps) {
+  return (
+    <div>
+      <input value={value} onChange={e => onChange(e.target.value)} />
+      <button onClick={onSubmit}>Submit</button>
+    </div>
+  )
+}
+```
+
+### Render Props for Flexibility
+
+When sub-components need parent context:
+
+```typescript
+interface ListProps<T> {
+  items: T[]
+  renderItem: (item: T, index: number) => React.ReactNode
+  renderEmpty?: () => React.ReactNode
+}
+
+function List<T>({ items, renderItem, renderEmpty }: ListProps<T>) {
+  if (items.length === 0 && renderEmpty) {
+    return <>{renderEmpty()}</>
+  }
+  
+  return (
+    <div>
+      {items.map((item, index) => renderItem(item, index))}
+    </div>
+  )
+}
+
+// Usage
+<List
+  items={operations}
+  renderItem={(op, i) => <OperationItem key={i} operation={op} />}
+  renderEmpty={() => <EmptyState message="No operations" />}
+/>
+```
--- a/.agents/skills/component-refactoring/references/hook-extraction.md
+++ b/.agents/skills/component-refactoring/references/hook-extraction.md
@ -0,0 +1,281 @@
+# Hook Extraction Patterns
+
+This document provides detailed guidance on extracting custom hooks from complex components in Dify.
+
+## When to Extract Hooks
+
+Extract a custom hook when you identify:
+
+1. **Coupled state groups** - Multiple `useState` hooks that are always used together
+1. **Complex effects** - `useEffect` with multiple dependencies or cleanup logic
+1. **Business logic** - Data transformations, validations, or calculations
+1. **Reusable patterns** - Logic that appears in multiple components
+
+## Extraction Process
+
+### Step 1: Identify State Groups
+
+Look for state variables that are logically related:
+
+```typescript
+// ❌ These belong together - extract to hook
+const [modelConfig, setModelConfig] = useState<ModelConfig>(...)
+const [completionParams, setCompletionParams] = useState<FormValue>({})
+const [modelModeType, setModelModeType] = useState<ModelModeType>(...)
+
+// These are model-related state that should be in useModelConfig()
+```
+
+### Step 2: Identify Related Effects
+
+Find effects that modify the grouped state:
+
+```typescript
+// ❌ These effects belong with the state above
+useEffect(() => {
+  if (hasFetchedDetail && !modelModeType) {
+    const mode = currModel?.model_properties.mode
+    if (mode) {
+      const newModelConfig = produce(modelConfig, (draft) => {
+        draft.mode = mode
+      })
+      setModelConfig(newModelConfig)
+    }
+  }
+}, [textGenerationModelList, hasFetchedDetail, modelModeType, currModel])
+```
+
+### Step 3: Create the Hook
+
+```typescript
+// hooks/use-model-config.ts
+import type { FormValue } from '@/app/components/header/account-setting/model-provider-page/declarations'
+import type { ModelConfig } from '@/models/debug'
+import { produce } from 'immer'
+import { useEffect, useState } from 'react'
+import { ModelModeType } from '@/types/app'
+
+interface UseModelConfigParams {
+  initialConfig?: Partial<ModelConfig>
+  currModel?: { model_properties?: { mode?: ModelModeType } }
+  hasFetchedDetail: boolean
+}
+
+interface UseModelConfigReturn {
+  modelConfig: ModelConfig
+  setModelConfig: (config: ModelConfig) => void
+  completionParams: FormValue
+  setCompletionParams: (params: FormValue) => void
+  modelModeType: ModelModeType
+}
+
+export const useModelConfig = ({
+  initialConfig,
+  currModel,
+  hasFetchedDetail,
+}: UseModelConfigParams): UseModelConfigReturn => {
+  const [modelConfig, setModelConfig] = useState<ModelConfig>({
+    provider: 'langgenius/openai/openai',
+    model_id: 'gpt-3.5-turbo',
+    mode: ModelModeType.unset,
+    // ... default values
+    ...initialConfig,
+  })
+  
+  const [completionParams, setCompletionParams] = useState<FormValue>({})
+  
+  const modelModeType = modelConfig.mode
+
+  // Fill old app data missing model mode
+  useEffect(() => {
+    if (hasFetchedDetail && !modelModeType) {
+      const mode = currModel?.model_properties?.mode
+      if (mode) {
+        setModelConfig(produce(modelConfig, (draft) => {
+          draft.mode = mode
+        }))
+      }
+    }
+  }, [hasFetchedDetail, modelModeType, currModel])
+
+  return {
+    modelConfig,
+    setModelConfig,
+    completionParams,
+    setCompletionParams,
+    modelModeType,
+  }
+}
+```
+
+### Step 4: Update Component
+
+```typescript
+// Before: 50+ lines of state management
+function Configuration() {
+  const [modelConfig, setModelConfig] = useState<ModelConfig>(...)
+  // ... lots of related state and effects
+}
+
+// After: Clean component
+function Configuration() {
+  const {
+    modelConfig,
+    setModelConfig,
+    completionParams,
+    setCompletionParams,
+    modelModeType,
+  } = useModelConfig({
+    currModel,
+    hasFetchedDetail,
+  })
+  
+  // Component now focuses on UI
+}
+```
+
+## Naming Conventions
+
+### Hook Names
+
+- Use `use` prefix: `useModelConfig`, `useDatasetConfig`
+- Be specific: `useAdvancedPromptConfig` not `usePrompt`
+- Include domain: `useWorkflowVariables`, `useMCPServer`
+
+### File Names
+
+- Kebab-case: `use-model-config.ts`
+- Place in `hooks/` subdirectory when multiple hooks exist
+- Place alongside component for single-use hooks
+
+### Return Type Names
+
+- Suffix with `Return`: `UseModelConfigReturn`
+- Suffix params with `Params`: `UseModelConfigParams`
+
+## Common Hook Patterns in Dify
+
+### 1. Data Fetching / Mutation Hooks
+
+When hook extraction touches query or mutation code, do not use this reference as the source of truth for data-layer patterns.
+
+- Do not introduce deprecated `useInvalid` / `useReset`.
+- Do not extract thin passthrough `useQuery` hooks; only extract orchestration hooks.
+
+### 2. Form State Hook
+
+```typescript
+// Pattern: Form state + validation + submission
+export const useConfigForm = (initialValues: ConfigFormValues) => {
+  const [values, setValues] = useState(initialValues)
+  const [errors, setErrors] = useState<Record<string, string>>({})
+  const [isSubmitting, setIsSubmitting] = useState(false)
+
+  const validate = useCallback(() => {
+    const newErrors: Record<string, string> = {}
+    if (!values.name) newErrors.name = 'Name is required'
+    setErrors(newErrors)
+    return Object.keys(newErrors).length === 0
+  }, [values])
+
+  const handleChange = useCallback((field: string, value: any) => {
+    setValues(prev => ({ ...prev, [field]: value }))
+  }, [])
+
+  const handleSubmit = useCallback(async (onSubmit: (values: ConfigFormValues) => Promise<void>) => {
+    if (!validate()) return
+    setIsSubmitting(true)
+    try {
+      await onSubmit(values)
+    } finally {
+      setIsSubmitting(false)
+    }
+  }, [values, validate])
+
+  return { values, errors, isSubmitting, handleChange, handleSubmit }
+}
+```
+
+### 3. Modal State Hook
+
+```typescript
+// Pattern: Multiple modal management
+type ModalType = 'edit' | 'delete' | 'duplicate' | null
+
+export const useModalState = () => {
+  const [activeModal, setActiveModal] = useState<ModalType>(null)
+  const [modalData, setModalData] = useState<any>(null)
+
+  const openModal = useCallback((type: ModalType, data?: any) => {
+    setActiveModal(type)
+    setModalData(data)
+  }, [])
+
+  const closeModal = useCallback(() => {
+    setActiveModal(null)
+    setModalData(null)
+  }, [])
+
+  return {
+    activeModal,
+    modalData,
+    openModal,
+    closeModal,
+    isOpen: useCallback((type: ModalType) => activeModal === type, [activeModal]),
+  }
+}
+```
+
+### 4. Toggle/Boolean Hook
+
+```typescript
+// Pattern: Boolean state with convenience methods
+export const useToggle = (initialValue = false) => {
+  const [value, setValue] = useState(initialValue)
+
+  const toggle = useCallback(() => setValue(v => !v), [])
+  const setTrue = useCallback(() => setValue(true), [])
+  const setFalse = useCallback(() => setValue(false), [])
+
+  return [value, { toggle, setTrue, setFalse, set: setValue }] as const
+}
+
+// Usage
+const [isExpanded, { toggle, setTrue: expand, setFalse: collapse }] = useToggle()
+```
+
+## Testing Extracted Hooks
+
+After extraction, test hooks in isolation:
+
+```typescript
+// use-model-config.spec.ts
+import { renderHook, act } from '@testing-library/react'
+import { useModelConfig } from './use-model-config'
+
+describe('useModelConfig', () => {
+  it('should initialize with default values', () => {
+    const { result } = renderHook(() => useModelConfig({
+      hasFetchedDetail: false,
+    }))
+
+    expect(result.current.modelConfig.provider).toBe('langgenius/openai/openai')
+    expect(result.current.modelModeType).toBe(ModelModeType.unset)
+  })
+
+  it('should update model config', () => {
+    const { result } = renderHook(() => useModelConfig({
+      hasFetchedDetail: true,
+    }))
+
+    act(() => {
+      result.current.setModelConfig({
+        ...result.current.modelConfig,
+        model_id: 'gpt-4',
+      })
+    })
+
+    expect(result.current.modelConfig.model_id).toBe('gpt-4')
+  })
+})
+```
--- a/.agents/skills/how-to-write-component/SKILL.md
+++ b/.agents/skills/how-to-write-component/SKILL.md
@ -1,6 +1,6 @@
 ---
 name: how-to-write-component
-description: React/TypeScript component style guide. Use when writing, refactoring, or reviewing React components, especially around abstraction choices, props typing, state boundaries, shared local state with Jotai atoms, API types, query/mutation contracts, navigation, memoization, wrappers, and empty-state handling.
+description: React/TypeScript component style guide. Use when writing, refactoring, or reviewing React components, especially around props typing, state boundaries, shared local state with Jotai atoms, API types, query/mutation contracts, navigation, memoization, wrappers, and empty-state handling.
 ---

 # How To Write A Component
@ -12,79 +12,26 @@ Use this as the decision guide for React/TypeScript component structure. Existin
 - Search before adding UI, hooks, helpers, or styling patterns. Reuse existing base components, feature components, hooks, utilities, and design styles when they fit.
 - Group code by feature workflow, route, or ownership area: components, hooks, local types, query helpers, atoms, constants, and small utilities should live near the code that changes with them.
 - Promote code to shared only when multiple verticals need the same stable primitive. Otherwise keep it local and compose shared primitives inside the owning feature.
- Prefer local code and purpose-named helpers over catch-all utility modules; do not group workflow-specific defaults, validation, payload shaping, or metadata merging in a generic utils file just because they share a DTO.
- Keep source/default selection, validation, and payload shaping close to the workflow that owns the behavior. Do not extract a shared helper just because two flows read the same DTO when their priority order, fallback behavior, or submit semantics differ.
- Prefer direct, readable conditionals at the use site for small branch-specific decisions, especially form source selection and request payload assembly. Extract only when the helper name captures a stable domain rule and removes repeated complexity without hiding flow-specific behavior.
- When fixing an invalid pattern, scan the touched feature or branch for equivalent patterns and fix them together.
 - Follow Dify's CSS-first Tailwind v4 contract from `packages/dify-ui/README.md` and `packages/dify-ui/AGENTS.md`. Prefer design-system tokens, utilities, and radius mappings over generic Tailwind guidance.

-## Feature Workflow Layout
-
- State-heavy wizards, drawers, modals, and secondary workflows work best as a small feature surface with route/entry files, a single feature-local state file, and feature-local UI.
- Keep `ui/` shallow with owner files that map to the workflow's real composition boundaries and major visual regions.
- Owner files contain the section components, field components, skeletons, and one-off helper components that belong to their visual region.
- Folders represent groups of related files with a shared owner and a stable reason to change together.
- The entry file handles route integration, provider wiring, close behavior, and feature surface mounting. The composition owner handles high-level workflow branching, and the closest visual owner handles section branching.
-
 ## Ownership

 - Put local state, queries, mutations, handlers, and derived UI data in the lowest component that uses them. Extract a purpose-built owner component only when the logic has no natural home.
 - Repeated TanStack query calls in sibling components are acceptable when each component independently consumes the data. Do not hoist a query only because it is duplicated; TanStack Query handles deduplication and cache sharing.
 - Hoist state, queries, or callbacks to a parent only when the parent consumes the data, coordinates shared loading/error/empty UI, needs one consistent snapshot, or owns a workflow spanning children.
- Pass stable domain identity across boundaries; avoid forwarding derived presentation state when the receiver can derive it from its own data source. A component that owns a visual surface should also own the data access, loading, empty, and error states for content rendered inside it unless a parent truly coordinates that state.
- Loading states for visual surfaces should use skeleton placeholders scoped to the content that is actually loading, with shape, density, and dimensions close to the final UI. Avoid generic loading text or centered spinners for page sections, cards, lists, tables, forms, and drawers; reserve spinners for small inline busy indicators such as an in-progress status icon.
 - Avoid prop drilling. One pass-through layer is acceptable; repeated forwarding means ownership should move down or into feature-scoped Jotai UI state. Keep server/cache state in query and API data flow.
- Do not replace prop drilling with one top-level hook that returns a large view model and then thread that object through section props. Move each hook, query, derived value, and handler to the concrete section that consumes it, or use feature-scoped Jotai atoms for simple shared form/UI state when siblings need the same source of truth.
- When using feature-scoped Jotai state for a form, drawer, or other secondary surface, scope the store to that surface instance when stale cross-instance state is possible. Initialize stable config at the owning boundary, then let descendants read only the atoms or purpose-named hooks they actually need.
 - Keep callbacks in a parent only for workflow coordination such as form submission, shared selection, batch behavior, or navigation. Otherwise let the child or row own its action.
 - Prefer uncontrolled DOM state and CSS variables before adding controlled props.

-## Feature-Scoped Jotai State
-
- A module's feature-local state lives in one state file for Jotai-backed features: primitive atoms, query atoms, derived atoms, write-only action atoms, mutation atoms, submission orchestration, provider exports, and optional scope configuration.
- Atom order in the state file follows the dependency graph: types/constants, editable primitives, query atoms, query-data derived atoms, readiness/business derived atoms, write actions, mutation atoms, submission orchestration, provider exports.
- Derived atom names read as business facts. Write atom names read as user or workflow commands.
- UI components read and write the exact atom they use with `useAtomValue` or `useSetAtom`. Repeated workflow semantics live in named derived atoms or write atoms.
- Non-query derived atoms return a narrow value with a clear domain name. Query atoms expose the TanStack Query result object so loading, error, fetch, and pagination state stay attached to the query contract.
- Write-only atoms own state transitions that update multiple primitives, reset dependent state, guard stale async work, or advance the workflow.
- `jotai-tanstack-query` atoms use the same QueryClient as the React Query provider. Query atoms belong in feature state when atoms are the feature's local state surface.
- Jotai scope is an optional instance-isolation tool for secondary surfaces with independent local state. Query atoms keep shared cache behavior through the shared QueryClient.
-
 ## Components, Props, And Types

 - Type component signatures directly; do not use `FC` or `React.FC`.
 - Prefer `function` for top-level components and module helpers. Use arrow functions for local callbacks, handlers, and lambda-style APIs.
 - Prefer named exports. Use default exports only where the framework requires them, such as Next.js route files.
 - Type simple one-off props inline. Use a named `Props` type only when reused, exported, complex, or clearer.
- Use API-generated or API-returned types at component boundaries. Keep small UI conversion helpers and one-off UI extensions beside the component that needs them.
- Do not create type aliases that only rename another type. Use an alias only when it encodes a real UI concept, refinement, or reusable local contract.
- Name values by their domain role and backend API contract, and keep that name stable across the call chain, especially persistent IDs and route params. Normalize framework or route params at the boundary.
- Keep fallback and invariant checks at the lowest component that already handles that state; avoid defensive fallbacks that mask impossible states.
- Do not extract fallback helpers whose only behavior is hiding missing display data. The component that renders the surface owns the empty, disabled, hidden, or placeholder state.
-
-## Generated API Contracts
-
- Treat generated contracts as authoritative at API, query, mutation, cache, and service boundaries. For enterprise APIs, use `packages/contracts/generated/enterprise/*`.
- Do not hand-write local request/response/reply/page/cache-data types that mirror generated DTOs. Import or infer the generated type.
- Do not widen generated fields or enums for compatibility. Normalize legacy input at the boundary, then return the generated field type.
- Do not repair generated or API-returned contract fields in components unless the API contract or product requirement says they need normalization. Treat enums, statuses, and presence flags as exact contract values.
- Use generated enum objects and union types directly in props, comparisons, status logic, and i18n keys. Do not add local enum constants or parallel frontend enum/status layers unless they model real product state not represented by the API. Presentation-only tone maps should be keyed by the generated enum.
- Normalize or coerce only at a real boundary, such as user-entered forms, search, URL/query params, file names, DOM IDs, or legacy adapters. Preserve user-entered values when whitespace or formatting can be meaningful.
- Do not coerce nullable or optional API strings to `''` in query, derived model, or payload-building code. Keep `undefined` or `null` until the final boundary that requires a string.
- Local UI models are fine for presentation, form state, select options, or guarded required-field refinements. Name them as UI concepts, not generated DTO mirrors.
- Required-value refinements are allowed only after same-branch filtering or early return. Prefer nullable-tolerant props for render-only data.
- When a component needs a stricter shape than a generated DTO, refine once at the API/query-to-UI boundary into a purpose-named UI type instead of hiding missing fields with generic fallback or coercion helpers.
-
-## Nullable API Data
-
- Prefer nullable-tolerant call boundaries. Pass API-returned types through for render-only rows, and let the component render fallback, disabled state, or nothing.
- Narrow only where a real value is required, such as mutation params, route hrefs, select values, or query input. Build that target model with `flatMap`, a local loop, or an early return so the required value is captured in the same branch.
- If design says a field is the display value, use that field. Only the final component should decide whether a nullable display value renders a placeholder, hides content, or disables an action.
- Do not wrap required arrays or fields in null-fallback helpers. Use empty collection fallbacks only for not-yet-loaded query data or genuinely nullable collections at the owning render boundary.
- Do not drop rows only to satisfy props or React keys; use a stable fallback key when possible.
- Use conditional spreads or explicit pushes for conditional array items instead of `undefined` placeholders followed by a narrowing filter.
- Avoid truthiness type guards, `filter(Boolean)`, `filter(item => item.id)`, and `!` after those filters.
- Use type guards only for meaningful domain or runtime validation, such as enum membership, object shape, or a reusable business invariant.
+- Use API-generated or API-returned types at component boundaries. Keep small UI conversion helpers beside the component that needs them.
+- Name values by their domain role and backend API contract, and keep that name stable across the call chain, especially IDs like `appInstanceId`. Normalize framework or route params at the boundary.
+- Keep fallback and invariant checks at the lowest component that already handles that state; callers should pass raw values through instead of duplicating checks.

 ## Queries And Mutations

@ -92,8 +39,7 @@ Use this as the decision guide for React/TypeScript component structure. Existin
 - Consume queries directly with `useQuery(consoleQuery.xxx.queryOptions(...))` or `useQuery(marketplaceQuery.xxx.queryOptions(...))`.
 - Avoid pass-through hooks and thin `web/service/use-*` wrappers that only rename `queryOptions()` or `mutationOptions()`. Extract a small `queryOptions` helper only when repeated call-site options justify it.
 - Keep feature hooks for real orchestration, workflow state, or shared domain behavior.
- For TanStack cache data, use generated or query-derived types; do not create local wrappers for `getQueryData` or `getQueriesData`.
- For generated oRPC `queryOptions()` / `infiniteOptions()`, do not pass `skipToken` as `input`; keep a valid placeholder input shape and use `enabled` to gate missing required params because the OpenAPI codec encodes input eagerly.
+- For missing required query input, use `input: skipToken`; use `enabled` only for extra business gating after the input is valid.
 - Consume mutations directly with `useMutation(consoleQuery.xxx.mutationOptions(...))` or `useMutation(marketplaceQuery.xxx.mutationOptions(...))`; use oRPC clients as `mutationFn` only for custom flows.
 - Put shared cache behavior in `createTanstackQueryUtils(...experimental_defaults...)`; components may add UI feedback callbacks, but should not own shared invalidation rules.
 - Do not use deprecated `useInvalid` or `useReset`.
@ -102,13 +48,12 @@ Use this as the decision guide for React/TypeScript component structure. Existin
 ## Component Boundaries

 - Use the first level below a page or tab to organize independent page sections when it adds real structure. This layer is layout/semantic first, not automatically the data owner.
- Treat component names, semantic roles, and user- or design-marked visual regions as boundary constraints. Do not expand a child component's responsibility just because its data is useful nearby; keep adjacent UI as a sibling owner or introduce a correctly named broader owner.
 - Split deeper components by the data and state each layer actually needs. Each component should access only necessary data, and ownership should stay at the lowest consumer.
 - Keep cohesive forms, menu bodies, and one-off helpers local unless they need their own state, reuse, or semantic boundary.
 - Separate hidden secondary surfaces from the trigger's main flow. For dialogs, dropdowns, popovers, and similar branches, extract a small local component that owns the trigger, open state, and hidden content when it would obscure the parent flow.
 - Preserve composability by separating behavior ownership from layout ownership. A dropdown action may own its trigger, open state, and menu content; the caller owns placement such as slots, offsets, and alignment.
 - Avoid unnecessary DOM hierarchy. Do not add wrapper elements unless they provide layout, semantics, accessibility, state ownership, or integration with a library API; prefer fragments or styling an existing element when possible.
- Avoid shallow wrappers, hook-to-props adapter components, layout-only render-prop wrappers, and prop renaming unless the wrapper adds validation, orchestration, error handling, state ownership, or a real semantic boundary. If a component only calls a hook and forwards every returned field to one child, move the hook into that child or make the wrapper own a real surface.
+- Avoid shallow wrappers and prop renaming unless the wrapper adds validation, orchestration, error handling, state ownership, or a real semantic boundary.

 ## You Might Not Need An Effect

@ -123,6 +68,4 @@ Use this as the decision guide for React/TypeScript component structure. Existin
 ## Navigation And Performance

 - Prefer `Link` for normal navigation. Use router APIs only for command-flow side effects such as mutation success, guarded redirects, or form submission.
- Before reaching for `memo`, first try moving changing state down to the smallest component that actually uses it so unrelated sibling trees stay untouched.
- If changing state must wrap other content, lift the unchanged content up and pass it as `children` so the stateful wrapper can update without React visiting that subtree.
 - Avoid `memo`, `useMemo`, and `useCallback` unless there is a clear performance reason.
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@ -29,13 +29,13 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -91,13 +91,13 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -142,13 +142,13 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: "3.12"
@ -195,7 +195,7 @@ jobs:

      - name: Report coverage
        if: ${{ env.CODECOV_TOKEN != '' }}
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          files: ./coverage.xml
          disable_search: true
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@ -20,7 +20,7 @@ jobs:
        run: echo "autofix.ci updates pull request branches, not merge group refs."

      - if: github.event_name != 'merge_group'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Check Docker Compose inputs
        if: github.event_name != 'merge_group'
@ -66,7 +66,7 @@ jobs:
          python-version: "3.11"

      - if: github.event_name != 'merge_group'
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0

      - name: Generate Docker Compose
        if: github.event_name != 'merge_group' && steps.docker-compose-changes.outputs.any_changed == 'true'
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@ -9,7 +9,6 @@ on:
      - "release/e-*"
      - "hotfix/**"
      - "feat/hitl-backend"
-      - "feat/rbac"
    tags:
      - "*"

@ -22,7 +21,6 @@ env:
  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
  DIFY_WEB_IMAGE_NAME: ${{ vars.DIFY_WEB_IMAGE_NAME || 'langgenius/dify-web' }}
  DIFY_API_IMAGE_NAME: ${{ vars.DIFY_API_IMAGE_NAME || 'langgenius/dify-api' }}
-  DIFY_AGENT_IMAGE_NAME: ${{ vars.DIFY_AGENT_IMAGE_NAME || 'langgenius/dify-agent-backend' }}

 jobs:
  build:
@ -62,20 +60,6 @@ jobs:
            file: "web/Dockerfile"
            platform: linux/arm64
            runs_on: depot-ubuntu-24.04-4
-          - service_name: "build-agent-amd64"
-            image_name_env: "DIFY_AGENT_IMAGE_NAME"
-            artifact_context: "agent"
-            build_context: "{{defaultContext}}"
-            file: "dify-agent/Dockerfile"
-            platform: linux/amd64
-            runs_on: depot-ubuntu-24.04-4
-          - service_name: "build-agent-arm64"
-            image_name_env: "DIFY_AGENT_IMAGE_NAME"
-            artifact_context: "agent"
-            build_context: "{{defaultContext}}"
-            file: "dify-agent/Dockerfile"
-            platform: linux/arm64
-            runs_on: depot-ubuntu-24.04-4

    steps:
      - name: Prepare
@ -84,7 +68,7 @@ jobs:
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

      - name: Login to Docker Hub
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_TOKEN }}
@ -94,13 +78,13 @@ jobs:

      - name: Extract metadata for Docker
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env[matrix.image_name_env] }}

      - name: Build Docker image
        id: build
-        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1.18.0
+        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
        with:
          project: ${{ vars.DEPOT_PROJECT_ID }}
          context: ${{ matrix.build_context }}
@ -138,15 +122,12 @@ jobs:
          - service_name: "validate-web-amd64"
            build_context: "{{defaultContext}}"
            file: "web/Dockerfile"
-          - service_name: "validate-agent-amd64"
-            build_context: "{{defaultContext}}"
-            file: "dify-agent/Dockerfile"
    steps:
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Validate Docker image
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          push: false
          context: ${{ matrix.build_context }}
@ -166,9 +147,6 @@ jobs:
          - service_name: "merge-web-images"
            image_name_env: "DIFY_WEB_IMAGE_NAME"
            context: "web"
-          - service_name: "merge-agent-images"
-            image_name_env: "DIFY_AGENT_IMAGE_NAME"
-            context: "agent"
    steps:
      - name: Download digests
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@ -178,14 +156,14 @@ jobs:
          merge-multiple: true

      - name: Login to Docker Hub
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_TOKEN }}

      - name: Extract metadata for Docker
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env[matrix.image_name_env] }}
          tags: |
--- a/.github/workflows/cli-e2e.yml
+++ b/.github/workflows/cli-e2e.yml
@ -79,7 +79,7 @@ jobs:
      ws2_app_id:                 ${{ steps.out.outputs.DIFY_E2E_WS2_APP_ID }}

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
@ -88,7 +88,7 @@ jobs:
        with:
          bun-version: latest

-      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
        with:
          package_json_field: packageManager
          run_install: false
@ -123,7 +123,7 @@ jobs:
        shell: bash

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
@ -131,7 +131,7 @@ jobs:
      - uses: ./.github/actions/setup-web
      - uses: oven-sh/setup-bun@v2
        with: { bun-version: latest }
-      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
        with: { package_json_field: packageManager, run_install: false }
      - run: pnpm install --frozen-lockfile
      - run: pnpm tree:gen
@ -170,7 +170,7 @@ jobs:
        shell: bash

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
@ -178,7 +178,7 @@ jobs:
      - uses: ./.github/actions/setup-web
      - uses: oven-sh/setup-bun@v2
        with: { bun-version: latest }
-      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
        with: { package_json_field: packageManager, run_install: false }
      - run: pnpm install --frozen-lockfile
      - run: pnpm tree:gen
@ -233,7 +233,7 @@ jobs:
        shell: bash

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
@ -241,7 +241,7 @@ jobs:
      - uses: ./.github/actions/setup-web
      - uses: oven-sh/setup-bun@v2
        with: { bun-version: latest }
-      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
        with: { package_json_field: packageManager, run_install: false }
      - run: pnpm install --frozen-lockfile
      - run: pnpm tree:gen
@ -274,7 +274,7 @@ jobs:

      - name: Upload results on failure
        if: failure()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: e2e-run-${{ matrix.name }}-${{ github.run_id }}
          path: cli/test-results/
@ -295,7 +295,7 @@ jobs:
        shell: bash

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
@ -303,7 +303,7 @@ jobs:
      - uses: ./.github/actions/setup-web
      - uses: oven-sh/setup-bun@v2
        with: { bun-version: latest }
-      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
        with: { package_json_field: packageManager, run_install: false }
      - run: pnpm install --frozen-lockfile
      - run: pnpm tree:gen
@ -351,7 +351,7 @@ jobs:
        shell: bash

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
@ -359,7 +359,7 @@ jobs:
      - uses: ./.github/actions/setup-web
      - uses: oven-sh/setup-bun@v2
        with: { bun-version: latest }
-      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
        with: { package_json_field: packageManager, run_install: false }
      - run: pnpm install --frozen-lockfile
      - run: pnpm tree:gen
@ -408,7 +408,7 @@ jobs:

      - name: Upload results on failure
        if: failure()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        with:
          name: e2e-last-${{ github.run_id }}
          path: cli/test-results/
--- a/.github/workflows/cli-edge.yml
+++ b/.github/workflows/cli-edge.yml
@ -23,7 +23,7 @@ jobs:
        working-directory: ./cli
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
--- a/.github/workflows/cli-release.yml
+++ b/.github/workflows/cli-release.yml
@ -35,7 +35,7 @@ jobs:
      dify_tag: ${{ steps.resolve.outputs.dify_tag }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -98,7 +98,7 @@ jobs:
      DIFY_TAG: ${{ needs.validate.outputs.dify_tag }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 1
--- a/.github/workflows/cli-smoke.yml
+++ b/.github/workflows/cli-smoke.yml
@ -24,7 +24,7 @@ jobs:
        shell: bash
    steps:
      - name: Checkout cli ref
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
--- a/.github/workflows/cli-tests.yml
+++ b/.github/workflows/cli-tests.yml
@ -30,7 +30,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -51,7 +51,7 @@ jobs:

      - name: Report coverage
        if: ${{ env.CODECOV_TOKEN != '' && matrix.os == 'depot-ubuntu-24.04' }}
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          directory: cli/coverage
          flags: cli
--- a/.github/workflows/db-migration-test.yml
+++ b/.github/workflows/db-migration-test.yml
@ -13,13 +13,13 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: "3.12"
@ -40,7 +40,7 @@ jobs:
          cp envs/middleware.env.example middleware.env

      - name: Set up Middlewares
-        uses: hoverkraft-tech/compose-action@11beaa1c2dae4e8ed7b1665aa074723b6cecb0e4 # v3.0.0
+        uses: hoverkraft-tech/compose-action@d2bee4f07e8ca410d6b196d00f90c12e7d48c33a # v2.6.0
        with:
          compose-file: |
            docker/docker-compose.middleware.yaml
@ -63,13 +63,13 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: "3.12"
@ -94,7 +94,7 @@ jobs:
          sed -i 's/DB_USERNAME=postgres/DB_USERNAME=mysql/' middleware.env

      - name: Set up Middlewares
-        uses: hoverkraft-tech/compose-action@11beaa1c2dae4e8ed7b1665aa074723b6cecb0e4 # v3.0.0
+        uses: hoverkraft-tech/compose-action@d2bee4f07e8ca410d6b196d00f90c12e7d48c33a # v2.6.0
        with:
          compose-file: |
            docker/docker-compose.middleware.yaml
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@ -53,7 +53,7 @@ jobs:
        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

      - name: Build Docker Image
-        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1.18.0
+        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
        with:
          project: ${{ vars.DEPOT_PROJECT_ID }}
          push: false
@ -77,10 +77,10 @@ jobs:
            file: "web/Dockerfile"
    steps:
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Build Docker Image
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          push: false
          context: ${{ matrix.context }}
--- a/.github/workflows/hotfix-cherry-pick.yml
+++ b/.github/workflows/hotfix-cherry-pick.yml
@ -24,7 +24,7 @@ jobs:
    name: Require cherry-pick provenance
    runs-on: depot-ubuntu-24.04
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

--- a/.github/workflows/main-ci.yml
+++ b/.github/workflows/main-ci.yml
@ -48,7 +48,7 @@ jobs:
      vdb-changed: ${{ steps.changes.outputs.vdb }}
      migration-changed: ${{ steps.changes.outputs.migration }}
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        id: changes
        with:
--- a/.github/workflows/pyrefly-diff.yml
+++ b/.github/workflows/pyrefly-diff.yml
@ -17,12 +17,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout PR branch
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Setup Python & UV
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true

--- a/.github/workflows/pyrefly-type-coverage-comment.yml
+++ b/.github/workflows/pyrefly-type-coverage-comment.yml
@ -21,10 +21,10 @@ jobs:
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.pull_requests[0].head.repo.full_name != github.repository }}
    steps:
      - name: Checkout default branch (trusted code)
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Python & UV
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true

--- a/.github/workflows/pyrefly-type-coverage.yml
+++ b/.github/workflows/pyrefly-type-coverage.yml
@ -17,12 +17,12 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout PR branch
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Setup Python & UV
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true

--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -18,7 +18,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          days-before-issue-stale: 15
          days-before-issue-close: 3
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@ -19,7 +19,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -33,7 +33,7 @@ jobs:

      - name: Setup UV and Python
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: false
          python-version: "3.12"
@ -71,7 +71,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -114,7 +114,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -171,7 +171,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/tool-test-sdks.yaml
+++ b/.github/workflows/tool-test-sdks.yaml
@ -24,7 +24,7 @@ jobs:
        working-directory: sdks/nodejs-client

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/translate-i18n-claude.yml
+++ b/.github/workflows/translate-i18n-claude.yml
@ -40,7 +40,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@ -158,7 +158,7 @@ jobs:

      - name: Run Claude Code for Translation Sync
        if: steps.context.outputs.CHANGED_FILES != ''
-        uses: anthropics/claude-code-action@806af32823ef69c8ef357086c573a902af641307 # v1.0.151
+        uses: anthropics/claude-code-action@1dc994ee7a008f0ecc866d9ac23ef036b7229f84 # v1.0.127
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/trigger-i18n-sync.yml
+++ b/.github/workflows/trigger-i18n-sync.yml
@ -21,7 +21,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

--- a/.github/workflows/vdb-tests-full.yml
+++ b/.github/workflows/vdb-tests-full.yml
@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -36,7 +36,7 @@ jobs:
          remove_tool_cache: true

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
--- a/.github/workflows/vdb-tests.yml
+++ b/.github/workflows/vdb-tests.yml
@ -21,7 +21,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -33,7 +33,7 @@ jobs:
          remove_tool_cache: true

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
--- a/.github/workflows/web-e2e.yml
+++ b/.github/workflows/web-e2e.yml
@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -28,7 +28,7 @@ jobs:
        uses: ./.github/actions/setup-web

      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
          python-version: "3.12"
--- a/.github/workflows/web-tests.yml
+++ b/.github/workflows/web-tests.yml
@ -31,7 +31,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -64,7 +64,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -83,7 +83,7 @@ jobs:

      - name: Report coverage
        if: ${{ env.CODECOV_TOKEN != '' }}
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          directory: web/coverage
          flags: web
@ -102,7 +102,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@ -117,7 +117,7 @@ jobs:

      - name: Report coverage
        if: ${{ env.CODECOV_TOKEN != '' }}
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          directory: packages/dify-ui/coverage
          flags: dify-ui
@ -134,7 +134,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/api/clients/agent_backend/init.py
+++ b/api/clients/agent_backend/init.py
@ -33,7 +33,6 @@ from clients.agent_backend.fake_client import FakeAgentBackendRunClient, FakeAge
 from clients.agent_backend.request_builder import (
    AGENT_SOUL_PROMPT_LAYER_ID,
    DIFY_EXECUTION_CONTEXT_LAYER_ID,
-    DIFY_KNOWLEDGE_BASE_LAYER_ID,
    DIFY_PLUGIN_TOOLS_LAYER_ID,
    WORKFLOW_NODE_JOB_PROMPT_LAYER_ID,
    WORKFLOW_USER_PROMPT_LAYER_ID,
@ -48,7 +47,6 @@ from clients.agent_backend.request_builder import (
 __all__ = [
    "AGENT_SOUL_PROMPT_LAYER_ID",
    "DIFY_EXECUTION_CONTEXT_LAYER_ID",
-    "DIFY_KNOWLEDGE_BASE_LAYER_ID",
    "DIFY_PLUGIN_TOOLS_LAYER_ID",
    "WORKFLOW_NODE_JOB_PROMPT_LAYER_ID",
    "WORKFLOW_USER_PROMPT_LAYER_ID",
--- a/api/clients/agent_backend/request_builder.py
+++ b/api/clients/agent_backend/request_builder.py
@ -32,7 +32,6 @@ from dify_agent.layers.execution_context import (
    DIFY_EXECUTION_CONTEXT_LAYER_TYPE_ID,
    DifyExecutionContextLayerConfig,
 )
-from dify_agent.layers.knowledge import DIFY_KNOWLEDGE_BASE_LAYER_TYPE_ID, DifyKnowledgeBaseLayerConfig
 from dify_agent.layers.output import DIFY_OUTPUT_LAYER_TYPE_ID, DifyOutputLayerConfig
 from dify_agent.layers.shell import DIFY_SHELL_LAYER_TYPE_ID, DifyShellLayerConfig
 from dify_agent.protocol import (
@ -56,7 +55,6 @@ AGENT_APP_USER_PROMPT_LAYER_ID = "agent_app_user_prompt"
 DIFY_EXECUTION_CONTEXT_LAYER_ID = "execution_context"
 DIFY_DRIVE_LAYER_ID = "drive"
 DIFY_PLUGIN_TOOLS_LAYER_ID = "tools"
-DIFY_KNOWLEDGE_BASE_LAYER_ID = "knowledge"
 DIFY_ASK_HUMAN_LAYER_ID = "ask_human"
 DIFY_SHELL_LAYER_ID = "shell"

@ -141,7 +139,6 @@ class AgentBackendWorkflowNodeRunInput(BaseModel):
    idempotency_key: str | None = None
    output: AgentBackendOutputConfig | None = None
    tools: DifyPluginToolsLayerConfig | None = None
-    knowledge: DifyKnowledgeBaseLayerConfig | None = None
    # Drive Skills & Files declaration (dify.drive) — an index the agent pulls
    # through the back proxy, never inline content; see AGENT_DRIVE_MANIFEST_ENABLED.
    drive_config: DifyDriveLayerConfig | None = None
@ -188,7 +185,6 @@ class AgentBackendAgentAppRunInput(BaseModel):
    idempotency_key: str | None = None
    output: AgentBackendOutputConfig | None = None
    tools: DifyPluginToolsLayerConfig | None = None
-    knowledge: DifyKnowledgeBaseLayerConfig | None = None
    # Drive Skills & Files declaration (dify.drive) — an index the agent pulls
    # through the back proxy, never inline content; see AGENT_DRIVE_MANIFEST_ENABLED.
    drive_config: DifyDriveLayerConfig | None = None
@ -225,7 +221,7 @@ class AgentBackendRunRequestBuilder:

        Layer graph: optional Agent Soul system prompt → user prompt →
        execution context → optional history (multi-turn) → LLM → optional
-        plugin tools / knowledge search → optional structured output. Mirrors the workflow-node
+        plugin tools → optional structured output. Mirrors the workflow-node
        layer ordering minus the workflow-job / previous-node prompt.
        """
        layers: list[RunLayerSpec] = []
@ -304,17 +300,6 @@ class AgentBackendRunRequestBuilder:
                )
            )

-        if run_input.knowledge is not None and run_input.knowledge.dataset_ids:
-            layers.append(
-                RunLayerSpec(
-                    name=DIFY_KNOWLEDGE_BASE_LAYER_ID,
-                    type=DIFY_KNOWLEDGE_BASE_LAYER_TYPE_ID,
-                    deps={"execution_context": DIFY_EXECUTION_CONTEXT_LAYER_ID},
-                    metadata=run_input.metadata,
-                    config=run_input.knowledge,
-                )
-            )
-
        if run_input.ask_human_config is not None:
            # Human-in-the-loop ask_human deferred tool (dify.ask_human). A call ends
            # the run with a deferred_tool_call; the caller pauses (workflow HITL) and
@ -413,12 +398,7 @@ class AgentBackendRunRequestBuilder:
        )

    def build_for_workflow_node(self, run_input: AgentBackendWorkflowNodeRunInput) -> CreateRunRequest:
-        """Build a workflow Agent Node run request without defining another wire schema.
-
-        Layer graph mirrors the workflow surface: prompts → execution context →
-        optional drive/history → LLM → optional plugin tools / knowledge search
-        → optional auxiliary layers such as ask_human, shell, and structured output.
-        """
+        """Build a workflow Agent Node run request without defining another wire schema."""
        layers: list[RunLayerSpec] = []
        if run_input.agent_soul_prompt:
            layers.append(
@ -503,17 +483,6 @@ class AgentBackendRunRequestBuilder:
                )
            )

-        if run_input.knowledge is not None and run_input.knowledge.dataset_ids:
-            layers.append(
-                RunLayerSpec(
-                    name=DIFY_KNOWLEDGE_BASE_LAYER_ID,
-                    type=DIFY_KNOWLEDGE_BASE_LAYER_TYPE_ID,
-                    deps={"execution_context": DIFY_EXECUTION_CONTEXT_LAYER_ID},
-                    metadata=run_input.metadata,
-                    config=run_input.knowledge,
-                )
-            )
-
        if run_input.ask_human_config is not None:
            # Human-in-the-loop ask_human deferred tool (dify.ask_human). A call ends
            # the run with a deferred_tool_call; the caller pauses (workflow HITL) and
--- a/api/commands/init.py
+++ b/api/commands/init.py
@ -22,7 +22,6 @@ from .plugin import (
    setup_system_trigger_oauth_client,
    transform_datasource_credentials,
 )
-from .rbac import migrate_member_roles_to_rbac
 from .retention import (
    archive_workflow_runs,
    clean_expired_messages,
@ -75,7 +74,6 @@ __all__ = [
    "migrate_annotation_vector_database",
    "migrate_data_for_plugin",
    "migrate_knowledge_vector_database",
-    "migrate_member_roles_to_rbac",
    "migrate_oss",
    "migration_data_wizard",
    "old_metadata_migration",
--- a/api/commands/rbac.py
+++ b/api/commands/rbac.py
@ -1,112 +0,0 @@
-from __future__ import annotations
-
-import click
-from sqlalchemy import select
-
-from core.db.session_factory import session_factory
-from models import TenantAccountJoin, TenantAccountRole
-from services.enterprise.rbac_service import ListOption, RBACService
-
-
-def _resolve_builtin_role_id(tenant_id: str, operator_account_id: str, legacy_role: str) -> str:
-    """Resolve a legacy workspace role to the current tenant's builtin RBAC role id.
-
-    The migration replays the old `TenantAccountJoin.role` values onto the
-    RBAC member-role binding API. Builtin RBAC roles are tenant-scoped and
-    identified by runtime ids, so the command must look them up per tenant.
-    """
-    expected_builtin_tag = {
-        TenantAccountRole.OWNER.value: "owner",
-        TenantAccountRole.ADMIN.value: "admin",
-        TenantAccountRole.EDITOR.value: "editor",
-        TenantAccountRole.NORMAL.value: "normal",
-        TenantAccountRole.DATASET_OPERATOR.value: "dataset_operator",
-    }.get(legacy_role)
-    if not expected_builtin_tag:
-        raise ValueError(f"Unsupported legacy workspace role: {legacy_role}")
-
-    roles = RBACService.Roles.list(
-        tenant_id=tenant_id,
-        account_id=operator_account_id,
-        options=ListOption(page_number=1, results_per_page=100),
-    ).data
-    for role in roles:
-        if role.is_builtin and role.category == "global_system_default" and role.role_tag == expected_builtin_tag:
-            return str(role.id)
-
-    raise ValueError(f"Builtin RBAC role not found for tenant={tenant_id}, legacy_role={legacy_role}")
-
-
-@click.command(
-    "rbac-migrate-member-roles", help="Migrate legacy workspace member roles into RBAC member-role bindings."
-)
-@click.option("--tenant-id", help="Only migrate a single workspace.")
-@click.option("--dry-run", is_flag=True, default=False, help="Preview the migration without writing RBAC bindings.")
-def migrate_member_roles_to_rbac(tenant_id: str | None, dry_run: bool) -> None:
-    """Backfill RBAC member-role bindings from legacy `TenantAccountJoin.role` data.
-
-    This is an offline migration command for workspaces that already have
-    members in the legacy role model but need matching records in the RBAC
-    member-role binding store.
-    """
-    click.echo(click.style("Starting RBAC member-role migration.", fg="green"))
-
-    with session_factory.create_session() as session:
-        stmt = select(TenantAccountJoin).order_by(TenantAccountJoin.tenant_id.asc(), TenantAccountJoin.id.asc())
-        if tenant_id:
-            stmt = stmt.where(TenantAccountJoin.tenant_id == tenant_id)
-
-        joins = list(session.scalars(stmt).all())
-
-    if not joins:
-        click.echo(click.style("No workspace members found for migration.", fg="yellow"))
-        return
-
-    owner_account_by_tenant: dict[str, str] = {}
-    resolved_role_ids: dict[tuple[str, str], str] = {}
-    migrated_count = 0
-
-    for join in joins:
-        workspace_id = str(join.tenant_id)
-        member_account_id = str(join.account_id)
-        legacy_role = str(join.role)
-
-        if workspace_id not in owner_account_by_tenant:
-            owner_join = next(
-                (
-                    item
-                    for item in joins
-                    if str(item.tenant_id) == workspace_id and str(item.role) == TenantAccountRole.OWNER.value
-                ),
-                None,
-            )
-            if not owner_join:
-                raise ValueError(f"Workspace owner not found for tenant={workspace_id}")
-            owner_account_by_tenant[workspace_id] = str(owner_join.account_id)
-
-        operator_account_id = owner_account_by_tenant[workspace_id]
-        cache_key = (workspace_id, legacy_role)
-        if cache_key not in resolved_role_ids:
-            resolved_role_ids[cache_key] = _resolve_builtin_role_id(workspace_id, operator_account_id, legacy_role)
-
-        resolved_role_id = resolved_role_ids[cache_key]
-        click.echo(
-            f"tenant={workspace_id} member={member_account_id} "
-            f"legacy_role={legacy_role} -> rbac_role_id={resolved_role_id}"
-        )
-
-        if dry_run:
-            continue
-
-        RBACService.MemberRoles.replace(
-            tenant_id=workspace_id,
-            account_id=operator_account_id,
-            member_account_id=member_account_id,
-            role_ids=[resolved_role_id],
-        )
-        migrated_count += 1
-
-    if dry_run:
-        click.echo(click.style("Dry run completed. No RBAC bindings were written.", fg="yellow"))
-    else:
-        click.echo(click.style(f"RBAC member-role migration completed. Migrated {migrated_count} members.", fg="green"))
--- a/api/configs/enterprise/init.py
+++ b/api/configs/enterprise/init.py
@ -29,11 +29,6 @@ class EnterpriseFeatureConfig(BaseSettings):
        "This helps gain runtime performance by trading off consistency.",
    )

-    RBAC_ENABLED: bool = Field(
-        description="Enable enterprise RBAC APIs. When disabled, compatibility responses fall back to legacy roles.",
-        default=False,
-    )
-

 class EnterpriseTelemetryConfig(BaseSettings):
    """
--- a/api/controllers/common/controller_schemas.py
+++ b/api/controllers/common/controller_schemas.py
@ -1,8 +1,7 @@
-from copy import deepcopy
-from typing import Annotated, Any, Literal, override
+from typing import Any, Literal
 from uuid import UUID

-from pydantic import BaseModel, Field, GetJsonSchemaHandler, WithJsonSchema, model_validator
+from pydantic import BaseModel, Field, model_validator

 from libs.helper import UUIDStrOrEmpty

@ -10,53 +9,8 @@ from libs.helper import UUIDStrOrEmpty


 class ConversationRenamePayload(BaseModel):
-    name: str | None = Field(
-        default=None,
-        description="Conversation name. Required when `auto_generate` is `false`.",
-    )
-    auto_generate: bool = Field(
-        default=False,
-        description="Automatically generate the conversation name. When `true`, the `name` field is ignored.",
-    )
-
-    @classmethod
-    @override
-    def __get_pydantic_json_schema__(cls, core_schema: Any, handler: GetJsonSchemaHandler) -> dict[str, Any]:
-        schema = handler.resolve_ref_schema(handler(core_schema))
-        properties = schema.get("properties")
-        if not isinstance(properties, dict):
-            return schema
-
-        auto_generate_schema = deepcopy(properties.get("auto_generate", {"type": "boolean"}))
-        name_schema = deepcopy(properties.get("name", {"type": "string"}))
-        non_blank_name_schema: dict[str, Any] = {"pattern": r".*\S.*", "type": "string"}
-        if isinstance(name_schema, dict) and isinstance(name_schema.get("title"), str):
-            non_blank_name_schema["title"] = name_schema["title"]
-
-        auto_generate_true_schema = {**auto_generate_schema, "enum": [True]}
-        auto_generate_true_schema.pop("default", None)
-
-        return {
-            **schema,
-            "anyOf": [
-                {
-                    "properties": {
-                        "auto_generate": auto_generate_true_schema,
-                        "name": name_schema,
-                    },
-                    "required": ["auto_generate"],
-                    "type": "object",
-                },
-                {
-                    "properties": {
-                        "auto_generate": {**auto_generate_schema, "enum": [False]},
-                        "name": non_blank_name_schema,
-                    },
-                    "required": ["name"],
-                    "type": "object",
-                },
-            ],
-        }
+    name: str | None = None
+    auto_generate: bool = False

    @model_validator(mode="after")
    def validate_name_requirement(self):
@ -70,28 +24,14 @@ class ConversationRenamePayload(BaseModel):


 class MessageListQuery(BaseModel):
-    conversation_id: UUIDStrOrEmpty = Field(description="Conversation ID.")
-    first_id: UUIDStrOrEmpty | None = Field(
-        default=None,
-        description=(
-            "The ID of the first chat record on the current page. Omit this value to fetch the latest messages; "
-            "for subsequent pages, use the first message ID from the current list to fetch older messages."
-        ),
-    )
-    limit: int = Field(
-        default=20,
-        ge=1,
-        le=100,
-        description="Number of chat history messages to return per request.",
-    )
+    conversation_id: UUIDStrOrEmpty = Field(description="Conversation UUID")
+    first_id: UUIDStrOrEmpty | None = Field(default=None, description="First message ID for pagination")
+    limit: int = Field(default=20, ge=1, le=100, description="Number of messages to return (1-100)")


 class MessageFeedbackPayload(BaseModel):
-    rating: Literal["like", "dislike"] | None = Field(
-        default=None,
-        description="Feedback rating. Set to `null` to revoke previously submitted feedback.",
-    )
-    content: str | None = Field(default=None, description="Optional text feedback providing additional detail.")
+    rating: Literal["like", "dislike"] | None = None
+    content: str | None = None


 # --- Saved message schemas ---
@ -108,39 +48,6 @@ class SavedMessageCreatePayload(BaseModel):

 # --- Workflow schemas ---

-WORKFLOW_INPUT_FILE_ITEM_SCHEMA: dict[str, object] = {
-    "type": "object",
-    "required": ["type", "transfer_method"],
-    "properties": {
-        "type": {
-            "description": "File type.",
-            "enum": ["document", "image", "audio", "video", "custom"],
-            "type": "string",
-        },
-        "transfer_method": {
-            "description": "Transfer method: `remote_url` for file URL, `local_file` for uploaded file.",
-            "enum": ["remote_url", "local_file"],
-            "type": "string",
-        },
-        "url": {
-            "description": "File URL when `transfer_method` is `remote_url`.",
-            "format": "url",
-            "type": "string",
-        },
-        "upload_file_id": {
-            "description": (
-                "Uploaded file ID obtained from the [Upload File](/api-reference/files/upload-file) API when "
-                "`transfer_method` is `local_file`."
-            ),
-            "type": "string",
-        },
-    },
-}
-WORKFLOW_INPUT_FILE_LIST_SCHEMA: dict[str, object] = {
-    "anyOf": [{"items": WORKFLOW_INPUT_FILE_ITEM_SCHEMA, "type": "array"}, {"type": "null"}]
-}
-WorkflowInputFileList = Annotated[list[dict[str, Any]] | None, WithJsonSchema(WORKFLOW_INPUT_FILE_LIST_SCHEMA)]
-

 class DefaultBlockConfigQuery(BaseModel):
    q: str | None = None
@ -154,22 +61,8 @@ class WorkflowListQuery(BaseModel):


 class WorkflowRunPayload(BaseModel):
-    inputs: dict[str, Any] = Field(
-        description=(
-            "Key-value pairs for workflow input variables. Values for file-type variables should be arrays of "
-            "file objects with `type`, `transfer_method`, and either `url` or `upload_file_id`. Refer to the "
-            "`user_input_form` field in the [Get App Parameters](/api-reference/applications/get-app-parameters) "
-            "response to discover the variable names and types expected by your app."
-        )
-    )
-    files: WorkflowInputFileList = Field(
-        default=None,
-        description=(
-            "File list for workflow system file inputs. Available when file upload is enabled for the workflow. "
-            "To attach a local file, first upload it via [Upload File](/api-reference/files/upload-file) and use "
-            "the returned `id` as `upload_file_id` with `transfer_method: local_file`."
-        ),
-    )
+    inputs: dict[str, Any]
+    files: list[dict[str, Any]] | None = Field(default=None)


 class WorkflowUpdatePayload(BaseModel):
@ -184,49 +77,28 @@ DOCUMENT_BATCH_DOWNLOAD_ZIP_MAX_DOCS = 100


 class ChildChunkCreatePayload(BaseModel):
-    content: str = Field(description="Child chunk text content.")
+    content: str


 class ChildChunkUpdatePayload(BaseModel):
-    content: str = Field(description="Child chunk text content.")
+    content: str


 class DocumentBatchDownloadZipPayload(BaseModel):
    """Request payload for bulk downloading documents as a zip archive."""

-    document_ids: list[UUID] = Field(
-        ...,
-        min_length=1,
-        max_length=DOCUMENT_BATCH_DOWNLOAD_ZIP_MAX_DOCS,
-        description="List of document IDs to include in the ZIP download.",
-    )
+    document_ids: list[UUID] = Field(..., min_length=1, max_length=DOCUMENT_BATCH_DOWNLOAD_ZIP_MAX_DOCS)


 class MetadataUpdatePayload(BaseModel):
-    name: str = Field(description="New metadata field name.")
+    name: str


 # --- Audio schemas ---


-UUIDString = Annotated[str, WithJsonSchema({"format": "uuid", "type": "string"})]
-
-
 class TextToAudioPayload(BaseModel):
-    message_id: UUIDString | None = Field(
-        default=None,
-        description="Message ID. Takes priority over `text` when both are provided.",
-    )
-    voice: str | None = Field(
-        default=None,
-        description=(
-            "Voice to use for text-to-speech. Available voices depend on the TTS provider configured for this app. "
-            "Omit to use the app's configured voice when available; that value is exposed by "
-            "[Get App Parameters](/api-reference/applications/get-app-parameters) as `text_to_speech.voice`."
-        ),
-    )
-    text: str | None = Field(default=None, description="Speech content to convert.")
-    streaming: bool | None = Field(
-        default=None,
-        description="Reserved for compatibility; TTS response streaming is determined by the provider output.",
-    )
+    message_id: str | None = Field(default=None, description="Message ID")
+    voice: str | None = Field(default=None, description="Voice to use for TTS")
+    text: str | None = Field(default=None, description="Text to convert to audio")
+    streaming: bool | None = Field(default=None, description="Enable streaming response")
--- a/api/controllers/common/fields.py
+++ b/api/controllers/common/fields.py
@ -153,7 +153,6 @@ class ApiBaseUrlResponse(ResponseModel):

 class NewAppResponse(ResponseModel):
    new_app_id: str
-    permission_keys: list[str] = Field(default_factory=list)


 class Parameters(BaseModel):
--- a/api/controllers/common/human_input.py
+++ b/api/controllers/common/human_input.py
@ -35,23 +35,17 @@ class HumanInputFormSubmitPayload(BaseModel):
        ),
        examples=[HUMAN_INPUT_FORM_INPUT_EXAMPLE],
    )
-    action: str = Field(
-        description=(
-            "ID of the action button the recipient selected. Must match one of the `id` values from the form's "
-            "`user_actions` list."
-        )
-    )
+    action: str


 def stringify_form_default_values(values: dict[str, object]) -> dict[str, str]:
    """Serialize default values into strings expected by human-input form clients."""
    result: dict[str, str] = {}
    for key, value in values.items():
-        match value:
-            case None:
-                result[key] = ""
-            case dict() | list():
-                result[key] = json.dumps(value, ensure_ascii=False)
-            case _:
-                result[key] = str(value)
+        if value is None:
+            result[key] = ""
+        elif isinstance(value, (dict, list)):
+            result[key] = json.dumps(value, ensure_ascii=False)
+        else:
+            result[key] = str(value)
    return result
--- a/api/controllers/common/wraps.py
+++ b/api/controllers/common/wraps.py
@ -1,36 +1,7 @@
-"""Shared decorator utilities for Dify controller layers.
-
-This module provides decorators that are not tied to any single API group (e.g.
-console, inner, service).  Currently it exposes the RBAC permission gate, which
-can be applied to any blueprint.
-
-Key exports
-----------
-``rbac_permission_required`` – decorator that enforces enterprise RBAC access
-    control.  When ``RBAC_ENABLED`` is ``False`` it is a no-op.
-
-``RBACPermission``, ``RBACResourceScope`` – re-exported from ``core.rbac`` so
-    callers only need a single import site.
-
-Private helpers
---------------
-``_extract_resource_id``, ``_is_resource_owned_by_current_user`` – kept module-
-    private but accessible via the module namespace for unit-test patching.
-"""
-
 from collections.abc import Callable
 from functools import wraps

-from sqlalchemy import select
-from werkzeug.exceptions import Forbidden, NotFound
-
-from configs import dify_config
 from core.rbac import RBACPermission, RBACResourceScope
-from extensions.ext_database import db
-from libs.login import current_account_with_tenant
-from models.dataset import Dataset
-from models.model import App
-from services.enterprise.rbac_service import RBACService

 __all__ = ["RBACPermission", "RBACResourceScope", "rbac_permission_required"]

@ -43,105 +14,17 @@ def rbac_permission_required[**P, R](
 ) -> Callable[[Callable[P, R]], Callable[P, R]]:
    """Check enterprise RBAC permissions for the current user.

-    When ``RBAC_ENABLED`` is ``False`` the decorator is a no-op and the
-    request passes through unchanged. When enabled it extracts the resource ID
-    from ``request.view_args`` for resource-scoped checks, calls the RBAC
-    service ``check-access`` endpoint, and raises ``Forbidden`` if the access
-    is denied. For workspace-level checks, set ``resource_required=False`` so
-    the RBAC request omits ``resource_id``.
-
    Args:
        resource_type: The :class:`RBACResourceScope` member (app/dataset/workspace).
-        scene: The :class:`RBACPermission` permission point, e.g. ``RBACPermission.APP_DELETE``.
+        scene: The :class:`RBACPermission` permission point.
        resource_required: Whether a concrete resource ID is required.
    """

    def decorator(view: Callable[P, R]) -> Callable[P, R]:
        @wraps(view)
        def decorated(*args: P.args, **kwargs: P.kwargs) -> R:
-            if not dify_config.RBAC_ENABLED:
-                return view(*args, **kwargs)
-
-            current_user, current_tenant_id = current_account_with_tenant()
-            check_resource_type = None if resource_type == RBACResourceScope.WORKSPACE else resource_type
-            resource_id = None
-            if resource_required and check_resource_type:
-                resource_id = _extract_resource_id(resource_type, kwargs)
-                if _is_resource_owned_by_current_user(current_tenant_id, current_user.id, resource_type, resource_id):
-                    return view(*args, **kwargs)
-            allowed = RBACService.CheckAccess.check(
-                current_tenant_id,
-                current_user.id,
-                scene=scene,
-                resource_type=check_resource_type,
-                resource_id=resource_id,
-            )
-
-            if not allowed:
-                raise Forbidden()
-
            return view(*args, **kwargs)

        return decorated

    return decorator
-
-
-def _is_resource_owned_by_current_user(
-    tenant_id: str, account_id: str, resource_type: RBACResourceScope, resource_id: str
-) -> bool:
-    if resource_type == RBACResourceScope.APP:
-        maintainer = db.session.scalar(
-            select(App.maintainer).where(
-                App.id == resource_id,
-                App.tenant_id == tenant_id,
-                App.status == "normal",
-            )
-        )
-        return maintainer == account_id
-
-    if resource_type == RBACResourceScope.DATASET:
-        maintainer = db.session.scalar(
-            select(Dataset.maintainer).where(
-                Dataset.id == resource_id,
-                Dataset.tenant_id == tenant_id,
-            )
-        )
-        return maintainer == account_id
-
-    return False
-
-
-def _extract_resource_id(resource_type: RBACResourceScope, path_args: dict[str, object] | None = None) -> str:
-    """Extract the resource ID from matched path arguments.
-
-    Some legacy route classes use neutral names such as ``resource_id`` for
-    app/dataset resources, and Agent App routes use ``agent_id`` as the app id.
-    Dataset endpoints behind a rag-pipeline route contain ``pipeline_id``
-    instead of ``dataset_id``. In that case we look up the associated
-    ``Dataset`` row via ``Dataset.pipeline_id``.
-    """
-    from flask import request
-
-    view_args = request.view_args or {}
-    matched_args = {**view_args, **(path_args or {})}
-
-    if resource_type == RBACResourceScope.APP:
-        app_id = matched_args.get("app_id") or matched_args.get("agent_id") or matched_args.get("resource_id")
-        if not app_id:
-            raise ValueError("Missing app_id in request path")
-        return str(app_id)
-
-    if resource_type == RBACResourceScope.DATASET:
-        dataset_id = matched_args.get("dataset_id") or matched_args.get("resource_id")
-        if dataset_id:
-            return str(dataset_id)
-
-        pipeline_id = matched_args.get("pipeline_id")
-        if pipeline_id:
-            dataset = db.session.scalar(select(Dataset).where(Dataset.pipeline_id == str(pipeline_id)))
-            if not dataset:
-                raise NotFound("Dataset not found for pipeline")
-            return str(dataset.id)
-        raise ValueError("Missing dataset_id or pipeline_id in request path")
-    raise ValueError(f"Unknown resource_type: {resource_type}")
--- a/api/controllers/console/init.py
+++ b/api/controllers/console/init.py
@ -139,7 +139,6 @@ from .workspace import (
    model_providers,
    models,
    plugin,
-    rbac,
    snippets,
    tool_providers,
    trigger_providers,
@ -213,7 +212,6 @@ __all__ = [
    "rag_pipeline_draft_variable",
    "rag_pipeline_import",
    "rag_pipeline_workflow",
-    "rbac",
    "recommended_app",
    "saved_message",
    "setup",
--- a/api/controllers/console/agent/composer.py
+++ b/api/controllers/console/agent/composer.py
@ -7,11 +7,8 @@ from controllers.console import console_ns
 from controllers.console.agent.app_helpers import resolve_agent_app_model
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user_id,
@ -73,7 +70,6 @@ class WorkflowAgentComposerApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
    @with_current_user_id
    @with_current_tenant_id
@ -170,7 +166,6 @@ class WorkflowAgentComposerSaveToRosterApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
    @with_current_user_id
    @with_current_tenant_id
@ -208,7 +203,6 @@ class AgentComposerApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user_id
    @with_current_tenant_id
    def put(self, tenant_id: str, account_id: str, agent_id: UUID):
--- a/api/controllers/console/agent/roster.py
+++ b/api/controllers/console/agent/roster.py
@ -1,31 +1,21 @@
 from uuid import UUID

-from flask import abort, request
+from flask import request
 from flask_restx import Resource
-from pydantic import AliasChoices, BaseModel, Field, field_validator
+from pydantic import BaseModel, Field

 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
-from controllers.console.agent.app_helpers import resolve_agent_app_model
-from controllers.console.app.app import (
-    AppDetailWithSite as GenericAppDetailWithSite,
-)
 from controllers.console.app.app import (
+    AppDetailWithSite,
    AppListQuery,
-    CopyAppPayload,
+    AppPagination,
+    UpdateAppPayload,
    _normalize_app_list_query_args,
 )
-from controllers.console.app.app import (
-    AppPagination as GenericAppPagination,
-)
-from controllers.console.app.app import (
-    AppPartial as GenericAppPartial,
-)
-from controllers.console.app.app import (
-    UpdateAppPayload as GenericUpdateAppPayload,
-)
 from controllers.console.wraps import (
    account_initialization_required,
+    cloud_edition_billing_resource_check,
    edit_permission_required,
    enterprise_license_required,
    setup_required,
@ -37,24 +27,14 @@ from fields.agent_fields import (
    AgentConfigSnapshotDetailResponse,
    AgentConfigSnapshotListResponse,
    AgentInviteOptionsResponse,
-    AgentLogListResponse,
-    AgentLogMessageListResponse,
-    AgentLogSourceListResponse,
    AgentPublishedReferenceResponse,
    AgentRosterListResponse,
-    AgentStatisticSummaryEnvelopeResponse,
 )
-from libs.datetime_utils import parse_time_range
 from libs.helper import dump_response
 from libs.login import login_required
 from models import Account
 from models.model import IconType
 from services.agent.errors import AgentNotFoundError
-from services.agent.observability_service import (
-    AgentLogQueryParams,
-    AgentObservabilityService,
-    AgentStatisticsQueryParams,
-)
 from services.agent.roster_service import AgentRosterService
 from services.app_service import AppListParams, AppService, CreateAppParams
 from services.enterprise.enterprise_service import EnterpriseService
@ -73,163 +53,35 @@ class AgentIdPath(BaseModel):
 class AgentAppCreatePayload(BaseModel):
    name: str = Field(..., min_length=1, description="Agent name")
    description: str | None = Field(default=None, description="Agent description (max 400 chars)", max_length=400)
-    role: str = Field(..., min_length=1, description="Agent role", max_length=255)
+    role: str = Field(default="", description="Agent role", max_length=255)
    icon_type: IconType | None = Field(default=None, description="Icon type")
    icon: str | None = Field(default=None, description="Icon")
    icon_background: str | None = Field(default=None, description="Icon background color")

-    @field_validator("role")
-    @classmethod
-    def validate_role(cls, value: str) -> str:
-        role = value.strip()
-        if not role:
-            raise ValueError("Agent role is required.")
-        return role

-
-# Keep agent-app roster DTOs agent-specific instead of reusing the shared
-# /apps response/request models. The roster surface needs Agent-only fields such
-# as `role`, while the generic console/apps contracts must stay unchanged.
-class AgentAppUpdatePayload(GenericUpdateAppPayload):
-    role: str = Field(..., min_length=1, description="Agent role", max_length=255)
-
-    @field_validator("role")
-    @classmethod
-    def validate_role(cls, value: str) -> str:
-        role = value.strip()
-        if not role:
-            raise ValueError("Agent role is required.")
-        return role
-
-
-class AgentAppPublishedReferenceResponse(BaseModel):
-    app_id: str
-    app_name: str
-    app_icon_type: str | None = None
-    app_icon: str | None = None
-    app_icon_background: str | None = None
-
-
-class AgentLogsQuery(BaseModel):
-    page: int = Field(default=1, ge=1, description="Page number")
-    limit: int = Field(default=20, ge=1, le=100, description="Page size")
-    keyword: str | None = Field(default=None, description="Search query, answer, or conversation name")
-    status: str | None = Field(default=None, description="Deprecated single status filter")
-    statuses: list[str] = Field(default_factory=list, description="Filter by one or more of success, failed, paused")
-    source: str | None = Field(
-        default=None,
-        description="Deprecated single source filter",
-    )
-    sources: list[str] = Field(
-        default_factory=list,
-        description=(
-            "Filter by one or more source IDs, e.g. webapp:<app_id> "
-            "or workflow:<app_id>:<workflow_id>:<version>:<node_id>"
-        ),
-    )
-    sort_by: str = Field(default="updated_at", description="Sort by created_at or updated_at")
-    sort_order: str = Field(default="desc", description="Sort order: asc or desc")
-    start: str | None = Field(default=None, description="Start date (YYYY-MM-DD HH:MM)")
-    end: str | None = Field(default=None, description="End date (YYYY-MM-DD HH:MM)")
-
-    @field_validator("keyword", "status", "source", "start", "end", mode="before")
-    @classmethod
-    def empty_string_to_none(cls, value: str | None) -> str | None:
-        if value == "":
-            return None
-        return value
-
-    @field_validator("statuses", "sources", mode="before")
-    @classmethod
-    def empty_list_values_to_list(cls, value: object) -> list[str]:
-        if value in (None, ""):
-            return []
-        if isinstance(value, str):
-            return [value]
-        if isinstance(value, list):
-            return [item for item in value if item]
-        return []
-
-    @field_validator("sort_by")
-    @classmethod
-    def validate_sort_by(cls, value: str) -> str:
-        normalized = value.strip().lower()
-        if normalized not in {"created_at", "updated_at"}:
-            raise ValueError("sort_by must be created_at or updated_at")
-        return normalized
-
-    @field_validator("sort_order")
-    @classmethod
-    def validate_sort_order(cls, value: str) -> str:
-        normalized = value.strip().lower()
-        if normalized not in {"asc", "desc"}:
-            raise ValueError("sort_order must be asc or desc")
-        return normalized
-
-
-class AgentStatisticsQuery(BaseModel):
-    source: str | None = Field(
-        default=None,
-        description="Filter by all, console/explore, api/service-api, web-app, debugger, openapi, or trigger",
-    )
-    start: str | None = Field(default=None, description="Start date (YYYY-MM-DD HH:MM)")
-    end: str | None = Field(default=None, description="End date (YYYY-MM-DD HH:MM)")
-
-    @field_validator("source", "start", "end", mode="before")
-    @classmethod
-    def empty_string_to_none(cls, value: str | None) -> str | None:
-        if value == "":
-            return None
-        return value
-
-
-class AgentAppPartial(GenericAppPartial):
-    app_id: str | None = None
-    role: str | None = None
-    active_config_is_published: bool = False
-    published_reference_count: int = 0
-    published_references: list[AgentAppPublishedReferenceResponse] = Field(default_factory=list)
-
-
-class AgentAppDetailWithSite(GenericAppDetailWithSite):
-    app_id: str | None = None
-    role: str | None = None
-    active_config_is_published: bool = False
-
-
-class AgentAppPagination(GenericAppPagination):
-    data: list[AgentAppPartial] = Field(  # type: ignore[assignment]  # pyrefly: ignore[bad-override-mutable-attribute]
-        validation_alias=AliasChoices("items", "data")
-    )
+class AgentAppUpdatePayload(UpdateAppPayload):
+    role: str | None = Field(default=None, description="Agent role", max_length=255)


 register_schema_models(
    console_ns,
    AgentAppCreatePayload,
    AgentAppUpdatePayload,
-    CopyAppPayload,
    AgentInviteOptionsQuery,
-    AgentLogsQuery,
-    AgentStatisticsQuery,
    AgentIdPath,
    AppListQuery,
+    UpdateAppPayload,
    RosterListQuery,
 )
 register_response_schema_models(
    console_ns,
-    AgentAppPagination,
-    AgentAppPublishedReferenceResponse,
-    AgentAppDetailWithSite,
-    AgentAppPartial,
+    AppDetailWithSite,
+    AppPagination,
    AgentConfigSnapshotDetailResponse,
    AgentConfigSnapshotListResponse,
    AgentInviteOptionsResponse,
-    AgentLogListResponse,
-    AgentLogMessageListResponse,
-    AgentLogSourceListResponse,
    AgentPublishedReferenceResponse,
    AgentRosterListResponse,
-    AgentStatisticSummaryEnvelopeResponse,
 )


@ -238,60 +90,29 @@ def _agent_roster_service() -> AgentRosterService:


 def _serialize_agent_app_detail(app_model) -> dict:
-    """Serialize an Agent App detail using roster-only DTOs.
-
-    `/agent` responses are roster-shaped rather than raw app-shaped: `id`
-    becomes the backing roster Agent id, `app_id` carries the underlying App
-    id, and `role` is injected from the backing roster Agent. Keeping that
-    remap in this serializer lets generated console/agent contracts expose the
-    roster persona fields without widening the shared /apps detail schema.
-    """
-
    app_model = AppService().get_app(app_model)
    if FeatureService.get_system_features().webapp_auth.enabled:
        app_setting = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=str(app_model.id))
        app_model.access_mode = app_setting.access_mode  # type: ignore[attr-defined]

-    roster_service = _agent_roster_service()
-    payload = AgentAppDetailWithSite.model_validate(app_model, from_attributes=True).model_dump(mode="json")
-    agent = roster_service.get_app_backing_agent(tenant_id=app_model.tenant_id, app_id=str(app_model.id))
+    agent = _agent_roster_service().get_app_backing_agent(tenant_id=app_model.tenant_id, app_id=app_model.id)
    if not agent:
        raise AgentNotFoundError()
+    payload = AppDetailWithSite.model_validate(app_model, from_attributes=True).model_dump(mode="json")
    payload.pop("bound_agent_id", None)
    payload["app_id"] = str(app_model.id)
    payload["id"] = agent.id
    payload["role"] = agent.role or ""
-    payload["active_config_is_published"] = roster_service.active_config_is_published(
-        tenant_id=app_model.tenant_id,
-        agent=agent,
-    )
    return payload


 def _serialize_agent_app_pagination(app_pagination, *, tenant_id: str) -> dict:
-    """Serialize Agent App lists with roster-shaped items.
-
-    Each item starts from the shared App list shape, then drops
-    `bound_agent_id`, rewrites `id` to the backing roster Agent id, stores the
-    original App id in `app_id`, and injects roster-only `role` when a backing
-    Agent is present.
-    """
-
    app_ids = [str(app.id) for app in app_pagination.items]
-    roster_service = _agent_roster_service()
-    agents_by_app_id = roster_service.load_app_backing_agents_by_app_id(
+    agents_by_app_id = _agent_roster_service().load_app_backing_agents_by_app_id(
        tenant_id=tenant_id,
        app_ids=app_ids,
    )
-    active_config_is_published_by_agent_id = roster_service.load_active_config_is_published_by_agent_id(
-        tenant_id=tenant_id,
-        agents=list(agents_by_app_id.values()),
-    )
-    published_references_by_agent_id = roster_service.load_published_references_by_agent_id(
-        tenant_id=tenant_id,
-        agent_ids=[agent.id for agent in agents_by_app_id.values()],
-    )
-    payload = AgentAppPagination.model_validate(app_pagination, from_attributes=True).model_dump(mode="json")
+    payload = AppPagination.model_validate(app_pagination, from_attributes=True).model_dump(mode="json")
    for item in payload["data"]:
        app_id = item["id"]
        item.pop("bound_agent_id", None)
@ -300,57 +121,17 @@ def _serialize_agent_app_pagination(app_pagination, *, tenant_id: str) -> dict:
            item["app_id"] = app_id
            item["id"] = agent.id
            item["role"] = agent.role or ""
-            item["active_config_is_published"] = active_config_is_published_by_agent_id.get(agent.id, False)
-            published_references = published_references_by_agent_id.get(agent.id, [])
-            item["published_reference_count"] = len(published_references)
-            item["published_references"] = [
-                {
-                    "app_id": reference["app_id"],
-                    "app_name": reference["app_name"],
-                    "app_icon_type": reference["app_icon_type"],
-                    "app_icon": reference["app_icon"],
-                    "app_icon_background": reference["app_icon_background"],
-                }
-                for reference in published_references
-            ]
-    return AgentAppPagination.model_validate(payload).model_dump(
-        mode="json",
-        exclude={"data": {"__all__": {"bound_agent_id"}}},
-    )
+    return payload


 def _resolve_agent_app_model(*, tenant_id: str, agent_id: UUID):
-    return resolve_agent_app_model(tenant_id=tenant_id, agent_id=agent_id)
-
-
-def _agent_observability_service() -> AgentObservabilityService:
-    return AgentObservabilityService(db.session)
-
-
-def _parse_observability_time_range(start: str | None, end: str | None, account: Account):
-    timezone = account.timezone or "UTC"
-    try:
-        return parse_time_range(start, end, timezone)
-    except ValueError as exc:
-        abort(400, description=str(exc))
-
-
-def _multi_query_values(name: str, legacy_name: str | None = None) -> list[str]:
-    values: list[str] = []
-    for query_name in (name, f"{name}[]"):
-        values.extend(request.args.getlist(query_name))
-    if legacy_name:
-        values.extend(request.args.getlist(legacy_name))
-    parsed: list[str] = []
-    for value in values:
-        parsed.extend(item.strip() for item in value.split(",") if item.strip())
-    return parsed
+    return _agent_roster_service().get_agent_app_model(tenant_id=tenant_id, agent_id=str(agent_id))


@console_ns.route("/agent")
 class AgentAppListApi(Resource):
    @console_ns.doc(params=query_params_from_model(AppListQuery))
-    @console_ns.response(200, "Agent app list", console_ns.models[AgentAppPagination.__name__])
+    @console_ns.response(200, "Agent app list", console_ns.models[AppPagination.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@ -369,20 +150,21 @@ class AgentAppListApi(Resource):
            status="normal",
        )

-        app_pagination = AppService().get_paginate_apps(current_user.id, current_tenant_id, params, db.session)
+        app_pagination = AppService().get_paginate_apps(current_user.id, current_tenant_id, params)
        if app_pagination is None:
-            empty = AgentAppPagination(page=args.page, limit=args.limit, total=0, has_more=False, data=[])
+            empty = AppPagination(page=args.page, limit=args.limit, total=0, has_more=False, data=[])
            return empty.model_dump(mode="json")

        return _serialize_agent_app_pagination(app_pagination, tenant_id=current_tenant_id)

    @console_ns.expect(console_ns.models[AgentAppCreatePayload.__name__])
-    @console_ns.response(201, "Agent app created successfully", console_ns.models[AgentAppDetailWithSite.__name__])
+    @console_ns.response(201, "Agent app created successfully", console_ns.models[AppDetailWithSite.__name__])
    @console_ns.response(403, "Insufficient permissions")
    @console_ns.response(400, "Invalid request parameters")
    @setup_required
    @login_required
    @account_initialization_required
+    @cloud_edition_billing_resource_check("apps")
    @edit_permission_required
    @with_current_user
    @with_current_tenant_id
@ -404,7 +186,7 @@ class AgentAppListApi(Resource):

@console_ns.route("/agent/<uuid:agent_id>")
 class AgentAppApi(Resource):
-    @console_ns.response(200, "Agent app detail", console_ns.models[AgentAppDetailWithSite.__name__])
+    @console_ns.response(200, "Agent app detail", console_ns.models[AppDetailWithSite.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@ -415,7 +197,7 @@ class AgentAppApi(Resource):
        return _serialize_agent_app_detail(app_model)

    @console_ns.expect(console_ns.models[AgentAppUpdatePayload.__name__])
-    @console_ns.response(200, "Agent app updated successfully", console_ns.models[AgentAppDetailWithSite.__name__])
+    @console_ns.response(200, "Agent app updated successfully", console_ns.models[AppDetailWithSite.__name__])
    @console_ns.response(403, "Insufficient permissions")
    @console_ns.response(400, "Invalid request parameters")
    @setup_required
@ -452,33 +234,6 @@ class AgentAppApi(Resource):
        return "", 204


-@console_ns.route("/agent/<uuid:agent_id>/copy")
-class AgentAppCopyApi(Resource):
-    @console_ns.expect(console_ns.models[CopyAppPayload.__name__])
-    @console_ns.response(201, "Agent app copied successfully", console_ns.models[AgentAppDetailWithSite.__name__])
-    @console_ns.response(403, "Insufficient permissions")
-    @console_ns.response(400, "Invalid request parameters")
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @edit_permission_required
-    @with_current_user
-    @with_current_tenant_id
-    def post(self, tenant_id: str, current_user: Account, agent_id: UUID):
-        args = CopyAppPayload.model_validate(console_ns.payload or {})
-        copied_app = _agent_roster_service().duplicate_agent_app(
-            tenant_id=tenant_id,
-            agent_id=str(agent_id),
-            account=current_user,
-            name=args.name,
-            description=args.description,
-            icon_type=args.icon_type,
-            icon=args.icon,
-            icon_background=args.icon_background,
-        )
-        return _serialize_agent_app_detail(copied_app), 201
-
-
@console_ns.route("/agent/invite-options")
 class AgentInviteOptionsApi(Resource):
    @console_ns.doc(params=query_params_from_model(AgentInviteOptionsQuery))
@ -501,124 +256,6 @@ class AgentInviteOptionsApi(Resource):
        )


-@console_ns.route("/agent/<uuid:agent_id>/logs")
-class AgentLogsApi(Resource):
-    @console_ns.doc(params=query_params_from_model(AgentLogsQuery))
-    @console_ns.response(200, "Agent logs", console_ns.models[AgentLogListResponse.__name__])
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @with_current_user
-    @with_current_tenant_id
-    def get(self, tenant_id: str, current_user: Account, agent_id: UUID):
-        app_model = _resolve_agent_app_model(tenant_id=tenant_id, agent_id=agent_id)
-        query_data: dict[str, object] = dict(request.args.to_dict(flat=True))
-        query_data["sources"] = _multi_query_values("sources", "source")
-        query_data["statuses"] = _multi_query_values("statuses", "status")
-        query = AgentLogsQuery.model_validate(query_data)
-        start, end = _parse_observability_time_range(query.start, query.end, current_user)
-        try:
-            payload = _agent_observability_service().list_logs(
-                app=app_model,
-                agent_id=str(agent_id),
-                params=AgentLogQueryParams(
-                    page=query.page,
-                    limit=query.limit,
-                    keyword=query.keyword,
-                    statuses=tuple(query.statuses),
-                    sources=tuple(query.sources),
-                    sort_by=query.sort_by,
-                    sort_order=query.sort_order,
-                    start=start,
-                    end=end,
-                ),
-            )
-        except ValueError as exc:
-            abort(400, description=str(exc))
-        return dump_response(AgentLogListResponse, payload)
-
-
-@console_ns.route("/agent/<uuid:agent_id>/logs/<uuid:conversation_id>/messages")
-class AgentLogMessagesApi(Resource):
-    @console_ns.doc(params=query_params_from_model(AgentLogsQuery))
-    @console_ns.response(200, "Agent log messages", console_ns.models[AgentLogMessageListResponse.__name__])
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @with_current_user
-    @with_current_tenant_id
-    def get(self, tenant_id: str, current_user: Account, agent_id: UUID, conversation_id: UUID):
-        app_model = _resolve_agent_app_model(tenant_id=tenant_id, agent_id=agent_id)
-        query_data: dict[str, object] = dict(request.args.to_dict(flat=True))
-        query_data["sources"] = _multi_query_values("sources", "source")
-        query_data["statuses"] = _multi_query_values("statuses", "status")
-        query = AgentLogsQuery.model_validate(query_data)
-        start, end = _parse_observability_time_range(query.start, query.end, current_user)
-        try:
-            payload = _agent_observability_service().list_log_messages(
-                app=app_model,
-                agent_id=str(agent_id),
-                conversation_id=str(conversation_id),
-                params=AgentLogQueryParams(
-                    page=query.page,
-                    limit=query.limit,
-                    keyword=query.keyword,
-                    statuses=tuple(query.statuses),
-                    sources=tuple(query.sources),
-                    sort_by=query.sort_by,
-                    sort_order=query.sort_order,
-                    start=start,
-                    end=end,
-                ),
-            )
-        except ValueError as exc:
-            abort(400, description=str(exc))
-        return dump_response(AgentLogMessageListResponse, payload)
-
-
-@console_ns.route("/agent/<uuid:agent_id>/log-sources")
-class AgentLogSourcesApi(Resource):
-    @console_ns.response(200, "Agent log sources", console_ns.models[AgentLogSourceListResponse.__name__])
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @with_current_user
-    @with_current_tenant_id
-    def get(self, tenant_id: str, current_user: Account, agent_id: UUID):
-        app_model = _resolve_agent_app_model(tenant_id=tenant_id, agent_id=agent_id)
-        payload = _agent_observability_service().list_log_sources(app=app_model, agent_id=str(agent_id))
-        return dump_response(AgentLogSourceListResponse, payload)
-
-
-@console_ns.route("/agent/<uuid:agent_id>/statistics/summary")
-class AgentStatisticsSummaryApi(Resource):
-    @console_ns.doc(params=query_params_from_model(AgentStatisticsQuery))
-    @console_ns.response(
-        200,
-        "Agent monitoring summary and chart data",
-        console_ns.models[AgentStatisticSummaryEnvelopeResponse.__name__],
-    )
-    @setup_required
-    @login_required
-    @account_initialization_required
-    @with_current_user
-    @with_current_tenant_id
-    def get(self, tenant_id: str, current_user: Account, agent_id: UUID):
-        app_model = _resolve_agent_app_model(tenant_id=tenant_id, agent_id=agent_id)
-        query = AgentStatisticsQuery.model_validate(request.args.to_dict(flat=True))
-        timezone = current_user.timezone or "UTC"
-        start, end = _parse_observability_time_range(query.start, query.end, current_user)
-        try:
-            payload = _agent_observability_service().get_statistics_summary(
-                app=app_model,
-                agent_id=str(agent_id),
-                params=AgentStatisticsQueryParams(source=query.source, start=start, end=end, timezone=timezone),
-            )
-        except ValueError as exc:
-            abort(400, description=str(exc))
-        return dump_response(AgentStatisticSummaryEnvelopeResponse, payload)
-
-
@console_ns.route("/agent/<uuid:agent_id>/versions")
 class AgentRosterVersionsApi(Resource):
    @console_ns.response(200, "Agent versions", console_ns.models[AgentConfigSnapshotListResponse.__name__])
--- a/api/controllers/console/apikey.py
+++ b/api/controllers/console/apikey.py
@ -9,7 +9,6 @@ from sqlalchemy import delete, func, select
 from sqlalchemy.orm import sessionmaker
 from werkzeug.exceptions import Forbidden

-from configs import dify_config
 from controllers.common.schema import register_response_schema_models
 from extensions.ext_database import db
 from fields.base import ResponseModel
@ -23,11 +22,8 @@ from services.api_token_service import ApiTokenCache

 from . import console_ns
 from .wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -147,7 +143,7 @@ class BaseApiKeyResource(Resource):
        assert self.resource_id_field is not None, "resource_id_field must be set"
        _get_resource(resource_id, current_tenant_id, self.resource_model)

-        if not dify_config.RBAC_ENABLED and not current_user.is_admin_or_owner:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()

        key = db.session.scalar(
@ -190,7 +186,6 @@ class AppApiKeyListResource(BaseApiKeyListResource):
    @console_ns.response(400, "Maximum keys exceeded")
    @with_current_tenant_id
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    def post(self, current_tenant_id: str, resource_id: UUID) -> tuple[dict[str, object], int]:
        """Create a new API key for an app"""
        return dump_response(ApiKeyItem, self._create_api_key(str(resource_id), current_tenant_id)), 201
@ -209,7 +204,6 @@ class AppApiKeyResource(BaseApiKeyResource):
    @console_ns.response(204, "API key deleted successfully")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    def delete(
        self, current_tenant_id: str, current_user: Account, resource_id: UUID, api_key_id: UUID
    ) -> tuple[str, int]:
@ -240,7 +234,6 @@ class DatasetApiKeyListResource(BaseApiKeyListResource):
    @console_ns.response(400, "Maximum keys exceeded")
    @with_current_tenant_id
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_API_KEY_MANAGE)
    def post(self, current_tenant_id: str, resource_id: UUID) -> tuple[dict[str, object], int]:
        """Create a new API key for a dataset"""
        return dump_response(ApiKeyItem, self._create_api_key(str(resource_id), current_tenant_id)), 201
@ -259,7 +252,6 @@ class DatasetApiKeyResource(BaseApiKeyResource):
    @console_ns.response(204, "API key deleted successfully")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_API_KEY_MANAGE)
    def delete(
        self, current_tenant_id: str, current_user: Account, resource_id: UUID, api_key_id: UUID
    ) -> tuple[str, int]:
--- a/api/controllers/console/app/agent.py
+++ b/api/controllers/console/app/agent.py
@ -17,10 +17,7 @@ from controllers.console import console_ns
 from controllers.console.agent.app_helpers import resolve_agent_app_model
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -33,7 +30,7 @@ from models import Account
 from models.agent_config_entities import AgentFileRefConfig, AgentSkillRefConfig
 from models.model import App, AppMode, UploadFile
 from services.agent.composer_service import AgentComposerService
-from services.agent.skill_package_service import SkillManifest, SkillPackageError
+from services.agent.skill_package_service import SkillManifest, SkillPackageError, SkillPackageService
 from services.agent.skill_standardize_service import SkillStandardizeService
 from services.agent.skill_tool_inference_service import (
    SkillToolInferenceError,
@ -48,18 +45,11 @@ from services.agent_drive_service import (
    normalize_drive_key,
 )
 from services.agent_service import AgentService
+from services.file_service import FileService

 logger = logging.getLogger(__name__)

 _WORKFLOW_AGENT_DRIVE_APP_MODES = [AppMode.WORKFLOW, AppMode.ADVANCED_CHAT]
-_AGENT_SKILL_UPLOAD_PARAMS = {
-    "file": {
-        "in": "formData",
-        "type": "file",
-        "required": True,
-        "description": "Skill package (.zip or .skill).",
-    }
-}


 class AgentLogQuery(BaseModel):
@ -135,6 +125,11 @@ class AgentSkillUploadResponse(ResponseModel):
    manifest: SkillManifest


+class AgentSkillStandardizeResponse(ResponseModel):
+    skill: AgentSkillRefConfig
+    manifest: SkillManifest
+
+
 class AgentDriveFileResponse(ResponseModel):
    name: str
    drive_key: str
@ -161,6 +156,7 @@ register_response_schema_models(
    AgentDriveFileCommitResponse,
    AgentDriveFileResponse,
    AgentLogResponse,
+    AgentSkillStandardizeResponse,
    AgentSkillUploadResponse,
    SkillToolInferenceResult,
 )
@ -178,9 +174,30 @@ def _agent_not_bound() -> tuple[dict[str, str], int]:
    return {"code": "agent_not_bound", "message": "no agent is bound for this app/node"}, 400


-def _upload_skill_for_app(*, current_user: Account, app_model: App):
-    """Upload one skill package and commit its normalized files into the agent drive."""
+def _upload_skill_for_app(*, current_user: Account):
+    if "file" not in request.files:
+        return {"code": "no_file", "message": "no skill file uploaded"}, 400
+    if len(request.files) > 1:
+        return {"code": "too_many_files", "message": "only one skill file is allowed"}, 400

+    upload = request.files["file"]
+    content = upload.stream.read()
+    try:
+        manifest = SkillPackageService().validate_and_extract(content=content, filename=upload.filename or "")
+    except SkillPackageError as exc:
+        return {"code": exc.code, "message": exc.message}, exc.status_code
+
+    upload_file = FileService(db.engine).upload_file(
+        filename=upload.filename or "skill.zip",
+        content=content,
+        mimetype=upload.mimetype or "application/zip",
+        user=current_user,
+    )
+    skill_ref = manifest.to_skill_ref(file_id=upload_file.id)
+    return {"skill": skill_ref.model_dump(exclude_none=True), "manifest": manifest.model_dump()}, 201
+
+
+def _standardize_skill_for_app(*, current_user: Account, app_model: App):
    query = query_params_from_request(AgentDriveMutationQuery)
    agent_id = _resolve_agent_id(app_model, query.node_id)
    if not agent_id:
@ -354,7 +371,6 @@ class AgentLogApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.AGENT_CHAT])
    def get(self, app_model: App):
        """Get agent logs"""
@ -366,9 +382,51 @@ class AgentLogApi(Resource):
@console_ns.route("/agent/<uuid:agent_id>/skills/upload")
 class AgentSkillUploadByAgentApi(Resource):
    @console_ns.doc("upload_agent_skill_by_agent")
-    @console_ns.doc(description="Upload + standardize a Skill into an Agent App drive")
-    @console_ns.doc(consumes=["multipart/form-data"], params={"agent_id": "Agent ID", **_AGENT_SKILL_UPLOAD_PARAMS})
-    @console_ns.response(201, "Skill uploaded into drive", console_ns.models[AgentSkillUploadResponse.__name__])
+    @console_ns.doc(description="Upload + validate a Skill package for an Agent App")
+    @console_ns.doc(params={"agent_id": "Agent ID"})
+    @console_ns.response(201, "Skill validated", console_ns.models[AgentSkillUploadResponse.__name__])
+    @console_ns.response(400, "Invalid skill package")
+    @setup_required
+    @login_required
+    @account_initialization_required
+    @with_current_user
+    @with_current_tenant_id
+    def post(self, tenant_id: str, current_user: Account, agent_id: UUID):
+        resolve_agent_app_model(tenant_id=tenant_id, agent_id=agent_id)
+        return _upload_skill_for_app(current_user=current_user)
+
+
+@console_ns.route("/apps/<uuid:app_id>/agent/skills/upload")
+class AgentSkillUploadApi(Resource):
+    @console_ns.doc("upload_agent_skill")
+    @console_ns.doc(description="Upload + validate a Skill package (.zip/.skill) and extract its manifest")
+    @console_ns.doc(params={"app_id": "Application ID"})
+    @console_ns.response(201, "Skill validated", console_ns.models[AgentSkillUploadResponse.__name__])
+    @console_ns.response(400, "Invalid skill package")
+    @setup_required
+    @login_required
+    @account_initialization_required
+    @get_app_model(mode=_WORKFLOW_AGENT_DRIVE_APP_MODES)
+    @with_current_user
+    def post(self, current_user: Account, app_model: App):
+        """Validate an uploaded Skill package and persist the archive.
+
+        Returns a validated skill ref (to bind into the Agent soul config on save)
+        plus its manifest. Standardizing into the agent drive is ENG-594.
+        """
+        return _upload_skill_for_app(current_user=current_user)
+
+
+@console_ns.route("/agent/<uuid:agent_id>/skills/standardize")
+class AgentSkillStandardizeByAgentApi(Resource):
+    @console_ns.doc("standardize_agent_skill_by_agent")
+    @console_ns.doc(description="Validate + standardize a Skill into an Agent App drive")
+    @console_ns.doc(params={"agent_id": "Agent ID"})
+    @console_ns.response(
+        201,
+        "Skill standardized into drive",
+        console_ns.models[AgentSkillStandardizeResponse.__name__],
+    )
    @console_ns.response(400, "Invalid skill package or no bound agent")
    @setup_required
    @login_required
@ -377,22 +435,19 @@ class AgentSkillUploadByAgentApi(Resource):
    @with_current_tenant_id
    def post(self, tenant_id: str, current_user: Account, agent_id: UUID):
        app_model = resolve_agent_app_model(tenant_id=tenant_id, agent_id=agent_id)
-        return _upload_skill_for_app(current_user=current_user, app_model=app_model)
+        return _standardize_skill_for_app(current_user=current_user, app_model=app_model)


-@console_ns.route("/apps/<uuid:app_id>/agent/skills/upload")
-class AgentSkillUploadApi(Resource):
-    @console_ns.doc("upload_agent_skill")
-    @console_ns.doc(description="Upload + standardize a Skill into the agent drive")
-    @console_ns.doc(
-        consumes=["multipart/form-data"],
-        params={
-            "app_id": "Application ID",
-            **query_params_from_model(AgentDriveMutationQuery),
-            **_AGENT_SKILL_UPLOAD_PARAMS,
-        },
+@console_ns.route("/apps/<uuid:app_id>/agent/skills/standardize")
+class AgentSkillStandardizeApi(Resource):
+    @console_ns.doc("standardize_agent_skill")
+    @console_ns.doc(description="Validate + standardize a Skill into the agent drive (ENG-594)")
+    @console_ns.doc(params={"app_id": "Application ID", **query_params_from_model(AgentDriveMutationQuery)})
+    @console_ns.response(
+        201,
+        "Skill standardized into drive",
+        console_ns.models[AgentSkillStandardizeResponse.__name__],
    )
-    @console_ns.response(201, "Skill uploaded into drive", console_ns.models[AgentSkillUploadResponse.__name__])
    @console_ns.response(400, "Invalid skill package or no bound agent")
    @setup_required
    @login_required
@ -400,8 +455,8 @@ class AgentSkillUploadApi(Resource):
    @get_app_model(mode=_WORKFLOW_AGENT_DRIVE_APP_MODES)
    @with_current_user
    def post(self, current_user: Account, app_model: App):
-        """Upload a Skill, validate it, and commit drive-backed skill files."""
-        return _upload_skill_for_app(current_user=current_user, app_model=app_model)
+        """Upload a Skill, validate it, and standardize it into the app agent's drive."""
+        return _standardize_skill_for_app(current_user=current_user, app_model=app_model)


@console_ns.route("/agent/<uuid:agent_id>/files")
--- a/api/controllers/console/app/agent_app_feature.py
+++ b/api/controllers/console/app/agent_app_feature.py
@ -19,11 +19,8 @@ from controllers.common.schema import register_response_schema_models, register_
 from controllers.console import console_ns
 from controllers.console.agent.app_helpers import resolve_agent_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -81,7 +78,6 @@ class AgentAppFeatureConfigResource(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
--- a/api/controllers/console/app/annotation.py
+++ b/api/controllers/console/app/annotation.py
@ -9,14 +9,11 @@ from controllers.common.errors import NoFileUploadedError, TooManyFilesError
 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    annotation_import_concurrency_limit,
    annotation_import_rate_limit,
    cloud_edition_billing_resource_check,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
 )
 from extensions.ext_redis import redis_client
@ -158,7 +155,6 @@ class AnnotationReplyActionApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("annotation")
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    def post(self, app_id: UUID, action: Literal["enable", "disable"]):
        args = AnnotationReplyPayload.model_validate(console_ns.payload)
        match action:
@ -189,7 +185,6 @@ class AppAnnotationSettingDetailApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, app_id: UUID):
        result = AppAnnotationService.get_app_annotation_setting_by_app_id(str(app_id))
        return result, 200
@ -207,7 +202,6 @@ class AppAnnotationSettingUpdateApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    def post(self, app_id: UUID, annotation_setting_id: UUID):
        annotation_setting_id_str = str(annotation_setting_id)

@ -236,7 +230,6 @@ class AnnotationReplyActionStatusApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("annotation")
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, app_id: UUID, job_id: UUID, action: str):
        job_id_str = str(job_id)
        app_annotation_job_key = f"{action}_app_annotation_job_{job_id_str}"
@ -265,7 +258,6 @@ class AnnotationApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, app_id: UUID):
        args = AnnotationListQuery.model_validate(request.args.to_dict(flat=True))
        page = args.page
@ -294,7 +286,6 @@ class AnnotationApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("annotation")
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    def post(self, app_id: UUID):
        args = CreateAnnotationPayload.model_validate(console_ns.payload)
        upsert_args: UpsertAnnotationArgs = {}
@ -313,7 +304,6 @@ class AnnotationApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @console_ns.response(204, "Annotations deleted successfully")
    def delete(self, app_id: UUID):

@ -352,7 +342,6 @@ class AnnotationExportApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, app_id: UUID):
        annotation_list = AppAnnotationService.export_annotation_list_by_app_id(str(app_id))
        annotation_models = TypeAdapter(list[Annotation]).validate_python(annotation_list, from_attributes=True)
@ -380,7 +369,6 @@ class AnnotationUpdateDeleteApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("annotation")
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    def post(self, app_id: UUID, annotation_id: UUID):
        args = UpdateAnnotationPayload.model_validate(console_ns.payload)
        update_args: UpdateAnnotationArgs = {}
@ -395,7 +383,6 @@ class AnnotationUpdateDeleteApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @console_ns.response(204, "Annotation deleted successfully")
    def delete(self, app_id: UUID, annotation_id: UUID):
        AppAnnotationService.delete_app_annotation(str(app_id), str(annotation_id))
@ -423,7 +410,6 @@ class AnnotationBatchImportApi(Resource):
    @annotation_import_rate_limit
    @annotation_import_concurrency_limit
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    def post(self, app_id: UUID):
        from configs import dify_config

@ -476,7 +462,6 @@ class AnnotationBatchImportStatusApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("annotation")
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, app_id: UUID, job_id: UUID):
        indexing_cache_key = f"app_annotation_batch_import_{str(job_id)}"
        cache_result = redis_client.get(indexing_cache_key)
@ -507,7 +492,6 @@ class AnnotationHitHistoryListApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, app_id: UUID, annotation_id: UUID):
        page = request.args.get("page", default=1, type=int)
        limit = request.args.get("limit", default=20, type=int)
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@ -3,7 +3,7 @@ import re
 import uuid
 from collections.abc import Sequence
 from datetime import datetime
-from typing import Any, Literal
+from typing import Any, Literal, cast

 from flask import request
 from flask_restx import Resource
@ -11,9 +11,8 @@ from pydantic import AliasChoices, BaseModel, Field, computed_field, field_valid
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 from werkzeug.datastructures import MultiDict
-from werkzeug.exceptions import BadRequest, NotFound
+from werkzeug.exceptions import BadRequest

-from configs import dify_config
 from controllers.common.fields import RedirectUrlResponse, SimpleResultResponse
 from controllers.common.helpers import FileInfo
 from controllers.common.schema import (
@ -26,14 +25,11 @@ from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model, with_session
 from controllers.console.workspace.models import LoadBalancingPayload
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    cloud_edition_billing_resource_check,
    edit_permission_required,
    enterprise_license_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -52,7 +48,6 @@ from models import Account, App, DatasetPermissionEnum, Workflow
 from models.model import IconType
 from services.app_dsl_service import AppDslService
 from services.app_service import AppListParams, AppListSortBy, AppService, CreateAppParams, StarredAppListParams
-from services.enterprise import rbac_service as enterprise_rbac_service
 from services.enterprise.enterprise_service import EnterpriseService
 from services.entities.dsl_entities import ImportMode, ImportStatus
 from services.entities.knowledge_entities.knowledge_entities import (
@ -77,14 +72,12 @@ _logger = logging.getLogger(__name__)
 _TAG_IDS_BRACKET_PATTERN = re.compile(r"^tag_ids\[(\d+)\]$")
 _CREATOR_IDS_BRACKET_PATTERN = re.compile(r"^creator_ids\[(\d+)\]$")
 AppListMode = Literal["completion", "chat", "advanced-chat", "workflow", "agent-chat", "agent", "channel", "all"]
-DEFAULT_APP_LIST_MODE: AppListMode = "all"
-APP_LIST_PERMISSION_KEYS = frozenset({"app.preview", "app.acl.preview", "app.full_access"})


 class AppListBaseQuery(BaseModel):
    page: int = Field(default=1, ge=1, le=99999, description="Page number (1-99999)")
    limit: int = Field(default=20, ge=1, le=100, description="Page size (1-100)")
-    mode: AppListMode = Field(default=DEFAULT_APP_LIST_MODE, description="App mode filter")
+    mode: AppListMode = Field(default=cast(AppListMode, "all"), description="App mode filter")
    sort_by: AppListSortBy = Field(
        default="last_modified",
        description="Sort apps by last modified, recently created, or earliest created",
@ -167,10 +160,6 @@ def _normalize_app_list_query_args(query_args: MultiDict[str, str]) -> dict[str,
    return normalized


-def _has_app_list_permission(permission_keys: Sequence[str]) -> bool:
-    return any(permission_key in APP_LIST_PERMISSION_KEYS for permission_key in permission_keys)
-
-
 class CreateAppPayload(BaseModel):
    name: str = Field(..., min_length=1, description="App name")
    description: str | None = Field(default=None, description="App description (max 400 chars)", max_length=400)
@ -409,13 +398,12 @@ class AppPartial(ResponseModel):
    create_user_name: str | None = None
    author_name: str | None = None
    has_draft_trigger: bool | None = None
-    permission_keys: list[str] = Field(default_factory=list)
    # For Agent App type: the roster Agent backing this app (None otherwise).
    bound_agent_id: str | None = None
    # For Agent App responses exposed through /agent.
    app_id: str | None = None
+    role: str | None = None
    is_starred: bool = False
-    maintainer: str | None = None

    @computed_field(return_type=str | None)  # type: ignore
    @property
@ -451,8 +439,6 @@ class AppDetail(ResponseModel):
    updated_at: int | None = None
    access_mode: str | None = None
    tags: list[Tag] = Field(default_factory=list)
-    permission_keys: list[str] = Field(default_factory=list)
-    maintainer: str | None = None

    @field_validator("created_at", "updated_at", mode="before")
    @classmethod
@ -470,6 +456,7 @@ class AppDetailWithSite(AppDetail):
    bound_agent_id: str | None = None
    # For Agent App responses exposed through /agent.
    app_id: str | None = None
+    role: str | None = None

    @computed_field(return_type=str | None)  # type: ignore
    @property
@ -552,7 +539,10 @@ register_schema_models(
    ModelConfig,
    Site,
    DeletedTool,
+    AppPartial,
    AppDetail,
+    AppDetailWithSite,
+    AppPagination,
    AppExportResponse,
    Segmentation,
    PreProcessingRule,
@ -572,13 +562,6 @@ register_schema_models(
    LoadBalancingPayload,
 )

-register_response_schema_models(
-    console_ns,
-    AppPartial,
-    AppDetailWithSite,
-    AppPagination,
-)
-

@console_ns.route("/apps")
 class AppListApi(Resource):
@ -607,65 +590,16 @@ class AppListApi(Resource):
            is_created_by_me=args.is_created_by_me,
        )

-        permissions = enterprise_rbac_service.RBACService.MyPermissions.get(
-            str(current_tenant_id),
-            current_user_id,
-        )
-        if dify_config.RBAC_ENABLED:
-            whitelist_scope = enterprise_rbac_service.RBACService.AppAccess.whitelist_resources(
-                str(current_tenant_id),
-                current_user_id,
-            )
-            can_manage_own_apps = "app.create_and_management" in permissions.workspace.permission_keys
-            has_default_preview = _has_app_list_permission(
-                permissions.app.default_permission_keys
-            ) or _has_app_list_permission(permissions.workspace.permission_keys)
-            permission_app_ids: set[str] | None = None
-            if not has_default_preview:
-                permission_app_ids = {
-                    override.resource_id
-                    for override in permissions.app.overrides
-                    if _has_app_list_permission(override.permission_keys)
-                }
-
-            if getattr(whitelist_scope, "unrestricted", False):
-                accessible_app_ids = permission_app_ids
-            else:
-                accessible_app_ids = set(whitelist_scope.resource_ids)
-                if permission_app_ids is not None:
-                    accessible_app_ids |= permission_app_ids
-                elif has_default_preview:
-                    accessible_app_ids = None
-
-            if accessible_app_ids:
-                params.accessible_app_ids = sorted(accessible_app_ids)
-                params.include_own_apps = can_manage_own_apps
-            elif accessible_app_ids is not None and can_manage_own_apps:
-                params.is_created_by_me = True
-            elif accessible_app_ids is not None:
-                params.accessible_app_ids = []
-
        # get app list
        app_service = AppService()
-        app_pagination = app_service.get_paginate_apps(current_user_id, current_tenant_id, params, db.session)
+        app_pagination = app_service.get_paginate_apps(current_user_id, current_tenant_id, params)
        if not app_pagination:
            empty = AppPagination(page=args.page, limit=args.limit, total=0, has_more=False, data=[])
            return empty.model_dump(mode="json"), 200

-        app_ids = [str(app.id) for app in app_pagination.items]
-        permission_keys_map = permissions.app.permission_keys_by_resource_ids(app_ids)
        _enrich_app_list_items(session, apps=app_pagination.items, tenant_id=current_tenant_id)

        pagination_model = AppPagination.model_validate(app_pagination, from_attributes=True)
-        if app_pagination.items:
-            pagination_model = pagination_model.model_copy(
-                update={
-                    "data": [
-                        item.model_copy(update={"permission_keys": permission_keys_map.get(str(item.id), [])})
-                        for item in pagination_model.data
-                    ]
-                }
-            )
        return pagination_model.model_dump(mode="json"), 200

    @console_ns.doc("create_app")
@ -677,7 +611,6 @@ class AppListApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT, resource_required=False)
    @cloud_edition_billing_resource_check("apps")
    @edit_permission_required
    @with_current_user
@ -696,14 +629,7 @@ class AppListApi(Resource):

        app_service = AppService()
        app = app_service.create_app(current_tenant_id, params, current_user)
-        permission_keys_map = enterprise_rbac_service.RBACService.AppPermissions.batch_get(
-            str(current_tenant_id),
-            current_user.id,
-            [str(app.id)],
-        )
-        app_detail = AppDetailWithSite.model_validate(app, from_attributes=True).model_copy(
-            update={"permission_keys": permission_keys_map.get(str(app.id), [])}
-        )
+        app_detail = AppDetailWithSite.model_validate(app, from_attributes=True)
        return app_detail.model_dump(mode="json"), 201


@ -733,7 +659,7 @@ class StarredAppListApi(Resource):
            is_created_by_me=args.is_created_by_me,
        )

-        app_pagination = AppService().get_paginate_starred_apps(current_user_id, current_tenant_id, params, db.session)
+        app_pagination = AppService().get_paginate_starred_apps(current_user_id, current_tenant_id, params)
        if not app_pagination:
            empty = AppPagination(page=args.page, limit=args.limit, total=0, has_more=False, data=[])
            return empty.model_dump(mode="json"), 200
@ -789,11 +715,8 @@ class AppApi(Resource):
    @login_required
    @account_initialization_required
    @enterprise_license_required
-    @with_current_user
-    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=None)
-    def get(self, current_tenant_id: str, current_user: Account, app_model: App):
+    def get(self, app_model: App):
        """Get app detail"""
        app_service = AppService()

@ -803,16 +726,7 @@ class AppApi(Resource):
            app_setting = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=str(app_model.id))
            app_model.access_mode = app_setting.access_mode

-        permissions = enterprise_rbac_service.RBACService.MyPermissions.get(
-            str(current_tenant_id),
-            current_user.id,
-            app_id=str(app_model.id),
-        )
-        permission_keys_map = permissions.app.permission_keys_by_resource_ids([str(app_model.id)])
-
-        response_model = AppDetailWithSite.model_validate(app_model, from_attributes=True).model_copy(
-            update={"permission_keys": permission_keys_map.get(str(app_model.id), [])}
-        )
+        response_model = AppDetailWithSite.model_validate(app_model, from_attributes=True)
        return response_model.model_dump(mode="json")

    @console_ns.doc("update_app")
@ -825,9 +739,8 @@ class AppApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @get_app_model(mode=None)
+    @edit_permission_required
    def put(self, app_model: App):
        """Update app"""
        args = UpdateAppPayload.model_validate(console_ns.payload)
@ -852,12 +765,11 @@ class AppApi(Resource):
    @console_ns.doc(params={"app_id": "Application ID"})
    @console_ns.response(204, "App deleted successfully")
    @console_ns.response(403, "Insufficient permissions")
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_DELETE)
-    @get_app_model
    def delete(self, app_model: App):
        """Delete app"""
        app_service = AppService()
@ -877,12 +789,10 @@ class AppCopyApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
-    @with_current_user
-    @with_current_tenant_id
    @get_app_model(mode=None)
-    def post(self, current_tenant_id: str, current_user: Account, app_model: App):
+    @edit_permission_required
+    @with_current_user
+    def post(self, current_user: Account, app_model: App):
        """Copy app"""
        # The role of the current user in the ta table must be admin, owner, or editor
        args = CopyAppPayload.model_validate(console_ns.payload or {})
@ -924,17 +834,7 @@ class AppCopyApi(Resource):
            stmt = select(App).where(App.id == result.app_id)
            app = session.scalar(stmt)

-        if not app:
-            raise NotFound("App not found")
-
-        permission_keys_map = enterprise_rbac_service.RBACService.AppPermissions.batch_get(
-            str(current_tenant_id),
-            current_user.id,
-            [str(app.id)],
-        )
-        response_model = AppDetailWithSite.model_validate(app, from_attributes=True).model_copy(
-            update={"permission_keys": permission_keys_map.get(str(app.id), [])}
-        )
+        response_model = AppDetailWithSite.model_validate(app, from_attributes=True)
        return response_model.model_dump(mode="json"), 201


@ -946,12 +846,11 @@ class AppExportApi(Resource):
    @console_ns.doc(params=query_params_from_model(AppExportQuery))
    @console_ns.response(200, "App exported successfully", console_ns.models[AppExportResponse.__name__])
    @console_ns.response(403, "Insufficient permissions")
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_IMPORT_EXPORT_DSL)
-    @get_app_model
    def get(self, app_model: App):
        """Export app"""
        args = AppExportQuery.model_validate(request.args.to_dict(flat=True))
@ -972,12 +871,12 @@ class AppPublishToCreatorsPlatformApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_IMPORT_EXPORT_DSL)
-    @with_current_user_id
    @get_app_model(mode=None)
+    @edit_permission_required
+    @with_current_user_id
    def post(self, current_user_id: str, app_model: App):
        """Publish app to Creators Platform"""
+        from configs import dify_config
        from core.helper.creators import get_redirect_url, upload_dsl

        if not dify_config.CREATORS_PLATFORM_FEATURES_ENABLED:
@ -1002,9 +901,8 @@ class AppNameApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @get_app_model(mode=None)
+    @edit_permission_required
    def post(self, app_model: App):
        args = AppNamePayload.model_validate(console_ns.payload)

@ -1025,9 +923,8 @@ class AppIconApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @get_app_model(mode=None)
+    @edit_permission_required
    def post(self, app_model: App):
        args = AppIconPayload.model_validate(console_ns.payload or {})

@ -1053,9 +950,8 @@ class AppSiteStatus(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    @get_app_model(mode=None)
+    @edit_permission_required
    def post(self, app_model: App):
        args = AppSiteStatusPayload.model_validate(console_ns.payload)

@ -1077,7 +973,6 @@ class AppApiStatus(Resource):
    @login_required
    @is_admin_or_owner_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    @get_app_model(mode=None)
    def post(self, app_model: App):
        args = AppApiStatusPayload.model_validate(console_ns.payload)
@ -1102,7 +997,6 @@ class AppTraceApi(Resource):
    @login_required
    @account_initialization_required
    @with_session
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model
    def get(self, session: Session, app_model: App):
        """Get app trace"""
@ -1124,7 +1018,6 @@ class AppTraceApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
    @get_app_model
    def post(self, app_model: App):
        # add app trace
--- a/api/controllers/console/app/app_import.py
+++ b/api/controllers/console/app/app_import.py
@ -2,36 +2,25 @@ from flask_restx import Resource
 from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session

-from configs import dify_config
 from controllers.common.schema import register_enum_models, register_schema_models
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    cloud_edition_billing_resource_check,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_user,
 )
 from extensions.ext_database import db
-from extensions.ext_redis import redis_client
-from libs.login import current_account_with_tenant, login_required
+from libs.login import login_required
 from models.account import Account
 from models.model import App
-from services.app_dsl_service import (
-    IMPORT_INFO_REDIS_KEY_PREFIX,
-    AppDslService,
-    Import,
-    PendingData,
-)
+from services.app_dsl_service import AppDslService, Import
 from services.enterprise.enterprise_service import EnterpriseService
 from services.entities.dsl_entities import CheckDependenciesResult, ImportStatus
 from services.feature_service import FeatureService

 from .. import console_ns
-from .permission_keys import get_app_permission_keys


 class AppImportPayload(BaseModel):
@ -50,24 +39,6 @@ register_enum_models(console_ns, ImportStatus)
 register_schema_models(console_ns, AppImportPayload, Import, CheckDependenciesResult)


-def _current_user_and_tenant_id(current_user: Account | None) -> tuple[Account, str | None]:
-    if current_user is None:
-        account, tenant_id = current_account_with_tenant()
-        return account, str(tenant_id) if tenant_id else None
-
-    current_tenant_id = getattr(current_user, "current_tenant_id", None)
-    if current_tenant_id:
-        return current_user, str(current_tenant_id)
-
-    current_tenant = getattr(current_user, "current_tenant", None)
-    current_tenant_object_id = getattr(current_tenant, "id", None)
-    if current_tenant_object_id:
-        return current_user, str(current_tenant_object_id)
-
-    account, fallback_tenant_id = current_account_with_tenant()
-    return account, str(fallback_tenant_id) if fallback_tenant_id else None
-
-
@console_ns.route("/apps/imports")
 class AppImportApi(Resource):
    @console_ns.expect(console_ns.models[AppImportPayload.__name__])
@ -79,11 +50,10 @@ class AppImportApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("apps")
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_IMPORT_EXPORT_DSL, resource_required=False)
    @with_current_user
-    def post(self, current_user: Account | None = None):
+    def post(self, current_user: Account):
+        # Check user role first
        args = AppImportPayload.model_validate(console_ns.payload)
-        current_user = current_user if current_user is not None else _current_user_and_tenant_id(None)[0]

        # AppDslService performs internal commits for some creation paths, so use a plain
        # Session here instead of nesting it inside sessionmaker(...).begin().
@ -107,20 +77,6 @@ class AppImportApi(Resource):
                session.rollback()
            else:
                session.commit()
-
-        is_created_app = args.app_id is None and result.status in {
-            ImportStatus.COMPLETED,
-            ImportStatus.COMPLETED_WITH_WARNINGS,
-        }
-        if dify_config.RBAC_ENABLED and is_created_app and result.app_id:
-            current_user, current_tenant_id = _current_user_and_tenant_id(current_user)
-            if current_tenant_id:
-                result.permission_keys = get_app_permission_keys(
-                    current_tenant_id,
-                    current_user.id,
-                    result.app_id,
-                )
-
        if result.app_id and FeatureService.get_system_features().webapp_auth.enabled:
            # update web app setting as private
            EnterpriseService.WebAppAuth.update_app_access_mode(result.app_id, "private")
@ -143,16 +99,9 @@ class AppImportConfirmApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_IMPORT_EXPORT_DSL, resource_required=False)
    @with_current_user
-    def post(self, current_user: Account | None = None, import_id: str = ""):
-        current_user = current_user if current_user is not None else _current_user_and_tenant_id(None)[0]
-        redis_key = f"{IMPORT_INFO_REDIS_KEY_PREFIX}{import_id}"
-        pending_data_raw = redis_client.get(redis_key)
-        pending_data: PendingData | None = None
-        if pending_data_raw:
-            pending_data = PendingData.model_validate_json(pending_data_raw)
-
+    def post(self, current_user: Account, import_id: str):
+        # Check user role first
        with Session(db.engine, expire_on_commit=False) as session:
            import_service = AppDslService(session)
            # Confirm import
@ -163,24 +112,6 @@ class AppImportConfirmApi(Resource):
            else:
                session.commit()

-        is_created_app = bool(
-            pending_data
-            and pending_data.app_id is None
-            and result.status
-            in {
-                ImportStatus.COMPLETED,
-                ImportStatus.COMPLETED_WITH_WARNINGS,
-            }
-        )
-        if dify_config.RBAC_ENABLED and is_created_app and result.app_id:
-            current_user, current_tenant_id = _current_user_and_tenant_id(current_user)
-            if current_tenant_id:
-                result.permission_keys = get_app_permission_keys(
-                    current_tenant_id,
-                    current_user.id,
-                    result.app_id,
-                )
-
        # Return appropriate status code based on result
        if result.status == ImportStatus.FAILED:
            return result.model_dump(mode="json"), 400
@ -189,17 +120,12 @@ class AppImportConfirmApi(Resource):

@console_ns.route("/apps/imports/<string:app_id>/check-dependencies")
 class AppImportCheckDependenciesApi(Resource):
-    @console_ns.response(
-        200,
-        "Dependencies checked",
-        console_ns.models[CheckDependenciesResult.__name__],
-    )
+    @console_ns.response(200, "Dependencies checked", console_ns.models[CheckDependenciesResult.__name__])
    @setup_required
    @login_required
    @get_app_model
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, app_model: App):
        with Session(db.engine, expire_on_commit=False) as session:
            import_service = AppDslService(session)
--- a/api/controllers/console/app/audio.py
+++ b/api/controllers/console/app/audio.py
@ -22,13 +22,7 @@ from controllers.console.app.error import (
    UnsupportedAudioTypeError,
 )
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-)
+from controllers.console.wraps import account_initialization_required, setup_required
 from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
 from graphon.model_runtime.errors.invoke import InvokeError
 from libs.login import login_required
@ -132,10 +126,10 @@ class ChatMessageTextApi(Resource):
        console_ns.models[AudioBinaryResponse.__name__],
    )
    @console_ns.response(400, "Bad request - Invalid parameters")
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
-    @get_app_model
    def post(self, app_model: App):
        try:
            payload = TextToSpeechPayload.model_validate(console_ns.payload)
@ -186,11 +180,10 @@ class TextModesApi(Resource):
        console_ns.models[TextToSpeechVoiceListResponse.__name__],
    )
    @console_ns.response(400, "Invalid language parameter")
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model
    def get(self, app_model: App):
        try:
            args = TextToSpeechVoiceQuery.model_validate(request.args.to_dict(flat=True))
--- a/api/controllers/console/app/completion.py
+++ b/api/controllers/console/app/completion.py
@ -22,11 +22,8 @@ from controllers.console.app.error import (
 )
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -116,9 +113,8 @@ class CompletionMessageApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=AppMode.COMPLETION)
+    @with_current_user
    def post(self, current_user: Account, app_model: App):
        args_model = CompletionMessagePayload.model_validate(console_ns.payload)
        args = args_model.model_dump(exclude_none=True, by_alias=True)
@ -163,8 +159,8 @@ class CompletionMessageStopApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user_id
    @get_app_model(mode=AppMode.COMPLETION)
+    @with_current_user_id
    def post(self, current_user_id: str, app_model: App, task_id: str):

        AppTaskService.stop_task(
@ -189,10 +185,9 @@ class ChatMessageApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
+    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.AGENT])
    @edit_permission_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
-    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.AGENT])
    def post(self, current_user: Account, app_model: App):
        return _create_chat_message(current_user=current_user, app_model=app_model)

@ -210,7 +205,6 @@ class AgentChatMessageApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @with_current_user
    @with_current_tenant_id
    def post(self, current_tenant_id: str, current_user: Account, agent_id: UUID):
@ -227,8 +221,8 @@ class ChatMessageStopApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user_id
    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
+    @with_current_user_id
    def post(self, current_user_id: str, app_model: App, task_id: str):
        return _stop_chat_message(current_user_id=current_user_id, app_model=app_model, task_id=task_id)

--- a/api/controllers/console/app/conversation.py
+++ b/api/controllers/console/app/conversation.py
@ -13,11 +13,8 @@ from controllers.common.schema import query_params_from_model, register_schema_m
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_user,
 )
@ -100,10 +97,9 @@ class CompletionConversationApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
+    @get_app_model(mode=AppMode.COMPLETION)
    @edit_permission_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model(mode=AppMode.COMPLETION)
    def get(self, current_user: Account, app_model: App):
        args = CompletionConversationQuery.model_validate(request.args.to_dict(flat=True))

@ -173,10 +169,9 @@ class CompletionConversationDetailApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
+    @get_app_model(mode=AppMode.COMPLETION)
    @edit_permission_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model(mode=AppMode.COMPLETION)
    def get(self, current_user: Account, app_model: App, conversation_id: UUID):
        conversation_id_str = str(conversation_id)
        return ConversationMessageDetailResponse.model_validate(
@ -192,10 +187,9 @@ class CompletionConversationDetailApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
-    @with_current_user
    @get_app_model(mode=AppMode.COMPLETION)
+    @edit_permission_required
+    @with_current_user
    def delete(self, current_user: Account, app_model: App, conversation_id: UUID):
        conversation_id_str = str(conversation_id)

@ -218,10 +212,9 @@ class ChatConversationApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
+    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
    @edit_permission_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
    def get(self, current_user: Account, app_model: App):
        args = ChatConversationQuery.model_validate(request.args.to_dict(flat=True))

@ -330,10 +323,9 @@ class ChatConversationDetailApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
+    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
    @edit_permission_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
    def get(self, current_user: Account, app_model: App, conversation_id: UUID):
        conversation_id_str = str(conversation_id)
        return ConversationDetailResponse.model_validate(
@ -348,11 +340,10 @@ class ChatConversationDetailApi(Resource):
    @console_ns.response(404, "Conversation not found")
    @setup_required
    @login_required
+    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
-    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
    def delete(self, current_user: Account, app_model: App, conversation_id: UUID):
        conversation_id_str = str(conversation_id)

--- a/api/controllers/console/app/conversation_variables.py
+++ b/api/controllers/console/app/conversation_variables.py
@ -12,13 +12,7 @@ from sqlalchemy.orm import sessionmaker
 from controllers.common.schema import query_params_from_model, register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-)
+from controllers.console.wraps import account_initialization_required, setup_required
 from extensions.ext_database import db
 from fields._value_type_serializer import serialize_value_type
 from fields.base import ResponseModel
@ -99,7 +93,6 @@ class ConversationVariablesApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model(mode=AppMode.ADVANCED_CHAT)
    def get(self, app_model: App):
        args = ConversationVariablesQuery.model_validate(request.args.to_dict(flat=True))
--- a/api/controllers/console/app/mcp_server.py
+++ b/api/controllers/console/app/mcp_server.py
@ -12,11 +12,8 @@ from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
 )
@ -86,7 +83,6 @@ class AppMCPServerController(Resource):
    @login_required
    @account_initialization_required
    @setup_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model
    def get(self, app_model: App):
        server = db.session.scalar(select(AppMCPServer).where(AppMCPServer.app_id == app_model.id).limit(1))
@ -103,12 +99,11 @@ class AppMCPServerController(Resource):
    )
    @console_ns.response(403, "Insufficient permissions")
    @account_initialization_required
+    @get_app_model
    @login_required
    @setup_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_tenant_id
-    @get_app_model
    def post(self, current_tenant_id: str, app_model: App):
        payload = MCPServerCreatePayload.model_validate(console_ns.payload or {})

@ -138,12 +133,11 @@ class AppMCPServerController(Resource):
    )
    @console_ns.response(403, "Insufficient permissions")
    @console_ns.response(404, "Server not found")
+    @get_app_model
    @login_required
    @setup_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
-    @get_app_model
    def put(self, app_model: App):
        payload = MCPServerUpdatePayload.model_validate(console_ns.payload or {})
        server = db.session.get(AppMCPServer, payload.id)
@ -180,7 +174,6 @@ class AppMCPServerRefreshController(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @with_current_tenant_id
    def get(self, current_tenant_id: str, server_id: UUID):
        server = db.session.scalar(
--- a/api/controllers/console/app/message.py
+++ b/api/controllers/console/app/message.py
@ -23,11 +23,8 @@ from controllers.console.app.error import (
 from controllers.console.app.wraps import get_app_model
 from controllers.console.explore.error import AppSuggestedQuestionsAfterAnswerDisabledError
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -185,9 +182,8 @@ class ChatMessageListApi(Resource):
    @login_required
    @account_initialization_required
    @setup_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
+    @edit_permission_required
    def get(self, app_model: App):
        return _list_chat_messages(app_model=app_model)

@ -204,7 +200,6 @@ class AgentChatMessageListApi(Resource):
    @account_initialization_required
    @setup_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @with_current_tenant_id
    def get(self, current_tenant_id: str, agent_id: UUID):
        app_model = resolve_agent_app_model(tenant_id=current_tenant_id, agent_id=agent_id)
@ -220,11 +215,11 @@ class MessageFeedbackApi(Resource):
    @console_ns.response(200, "Feedback updated successfully", console_ns.models[SimpleResultResponse.__name__])
    @console_ns.response(404, "Message not found")
    @console_ns.response(403, "Insufficient permissions")
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @get_app_model
    def post(self, current_user: Account, app_model: App):
        return _update_message_feedback(current_user=current_user, app_model=app_model)

@ -257,11 +252,10 @@ class MessageAnnotationCountApi(Resource):
        "Annotation count retrieved successfully",
        console_ns.models[AnnotationCountResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model
    def get(self, app_model: App):
        count = db.session.scalar(
            select(func.count(MessageAnnotation.id)).where(MessageAnnotation.app_id == app_model.id)
@ -284,9 +278,8 @@ class MessageSuggestedQuestionApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
+    @with_current_user
    def get(self, current_user: Account, app_model: App, message_id: UUID):
        return _get_message_suggested_questions(current_user=current_user, app_model=app_model, message_id=message_id)

@ -325,11 +318,10 @@ class MessageFeedbackExportApi(Resource):
    )
    @console_ns.response(400, "Invalid parameters")
    @console_ns.response(500, "Internal server error")
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model
    def get(self, app_model: App):
        args = FeedbackExportQuery.model_validate(request.args.to_dict())

@ -364,11 +356,10 @@ class MessageApi(Resource):
    @console_ns.doc(params={"app_id": "Application ID", "message_id": "Message ID"})
    @console_ns.response(200, "Message retrieved successfully", console_ns.models[MessageDetailResponse.__name__])
    @console_ns.response(404, "Message not found")
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model
    def get(self, app_model: App, message_id: UUID):
        return _get_message_detail(app_model=app_model, message_id=message_id)

--- a/api/controllers/console/app/model_config.py
+++ b/api/controllers/console/app/model_config.py
@ -10,11 +10,8 @@ from controllers.common.schema import register_response_schema_models, register_
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user_id,
@ -89,11 +86,10 @@ class ModelConfigResource(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @account_initialization_required
+    @get_app_model(mode=[AppMode.AGENT_CHAT, AppMode.CHAT, AppMode.COMPLETION])
    @with_current_user_id
    @with_current_tenant_id
-    @get_app_model(mode=[AppMode.AGENT_CHAT, AppMode.CHAT, AppMode.COMPLETION])
    def post(self, current_tenant_id: str, current_user_id: str, app_model: App):
        """Modify app model config"""
        # validate config
--- a/api/controllers/console/app/ops_trace.py
+++ b/api/controllers/console/app/ops_trace.py
@ -9,13 +9,7 @@ from controllers.common.schema import query_params_from_model, register_response
 from controllers.console import console_ns
 from controllers.console.app.error import TracingConfigCheckError, TracingConfigIsExist, TracingConfigNotExist
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-)
+from controllers.console.wraps import account_initialization_required, setup_required
 from fields.base import ResponseModel
 from libs.login import login_required
 from models import App
@ -70,7 +64,6 @@ class TraceAppConfigApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
    @get_app_model
    def get(self, app_model: App):
        args = TraceProviderQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
--- a/api/controllers/console/app/permission_keys.py
+++ b/api/controllers/console/app/permission_keys.py
@ -1,6 +0,0 @@
-from services.enterprise import rbac_service as enterprise_rbac_service
-
-
-def get_app_permission_keys(tenant_id: str, account_id: str | None, app_id: str) -> list[str]:
-    permission_keys_map = enterprise_rbac_service.RBACService.AppPermissions.batch_get(tenant_id, account_id, [app_id])
-    return permission_keys_map.get(app_id, [])
--- a/api/controllers/console/app/site.py
+++ b/api/controllers/console/app/site.py
@ -10,12 +10,9 @@ from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_user,
 )
@ -88,10 +85,9 @@ class AppSite(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    @account_initialization_required
-    @with_current_user
    @get_app_model
+    @with_current_user
    def post(self, current_user: Account, app_model: App):
        args = AppSiteUpdatePayload.model_validate(console_ns.payload or {})
        site = db.session.scalar(select(Site).where(Site.app_id == app_model.id).limit(1))
@ -138,10 +134,9 @@ class AppSiteAccessTokenReset(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    @account_initialization_required
-    @with_current_user
    @get_app_model
+    @with_current_user
    def post(self, current_user: Account, app_model: App):
        site = db.session.scalar(select(Site).where(Site.app_id == app_model.id).limit(1))

--- a/api/controllers/console/app/statistic.py
+++ b/api/controllers/console/app/statistic.py
@ -8,14 +8,7 @@ from pydantic import BaseModel, Field, field_validator
 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-    with_current_user,
-)
+from controllers.console.wraps import account_initialization_required, setup_required, with_current_user
 from core.app.entities.app_invoke_entities import InvokeFrom
 from extensions.ext_database import db
 from fields.base import ResponseModel
@ -138,12 +131,11 @@ class DailyMessageStatistic(Resource):
        "Daily message statistics retrieved successfully",
        console_ns.models[DailyMessageStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

@ -199,12 +191,11 @@ class DailyConversationStatistic(Resource):
        "Daily conversation statistics retrieved successfully",
        console_ns.models[DailyConversationStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

@ -259,12 +250,11 @@ class DailyTerminalsStatistic(Resource):
        "Daily terminal statistics retrieved successfully",
        console_ns.models[DailyTerminalStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

@ -320,12 +310,11 @@ class DailyTokenCostStatistic(Resource):
        "Daily token cost statistics retrieved successfully",
        console_ns.models[DailyTokenCostStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

@ -387,9 +376,8 @@ class AverageSessionInteractionStatistic(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT, AppMode.AGENT])
+    @with_current_user
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

@ -464,12 +452,11 @@ class UserSatisfactionRateStatistic(Resource):
        "User satisfaction rate statistics retrieved successfully",
        console_ns.models[UserSatisfactionRateStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

@ -537,9 +524,8 @@ class AverageResponseTimeStatistic(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
    @get_app_model(mode=AppMode.COMPLETION)
+    @with_current_user
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

@ -595,12 +581,11 @@ class TokensPerSecondStatistic(Resource):
        "Tokens per second statistics retrieved successfully",
        console_ns.models[TokensPerSecondStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = StatisticTimeRangeQuery.model_validate(request.args.to_dict(flat=True))

--- a/api/controllers/console/app/workflow.py
+++ b/api/controllers/console/app/workflow.py
@ -26,14 +26,10 @@ from controllers.console.app.error import (
    DraftWorkflowNotExist,
    DraftWorkflowNotSync,
 )
-from controllers.console.app.permission_keys import get_app_permission_keys
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -440,9 +436,8 @@ class DraftWorkflowApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
+    @edit_permission_required
    def get(self, app_model: App):
        """
        Get draft workflow
@ -488,7 +483,6 @@ class DraftWorkflowApi(Resource):
    @console_ns.response(403, "Permission denied")
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def post(self, current_user: Account, app_model: App):
        """
        Sync draft workflow
@ -554,7 +548,6 @@ class AdvancedChatDraftWorkflowRunApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT])
    @with_current_user
    @edit_permission_required
@ -604,7 +597,6 @@ class AdvancedChatDraftRunIterationNodeApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT])
    @with_current_user
    @edit_permission_required
@ -647,7 +639,6 @@ class WorkflowDraftRunIterationNodeApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -686,7 +677,6 @@ class AdvancedChatDraftRunLoopNodeApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT])
    @with_current_user
    @edit_permission_required
@ -729,7 +719,6 @@ class WorkflowDraftRunLoopNodeApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -804,7 +793,6 @@ class AdvancedChatDraftHumanInputFormPreviewApi(Resource):
    @get_app_model(mode=[AppMode.ADVANCED_CHAT])
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def post(self, current_user: Account, app_model: App, node_id: str):
        """
        Preview human input form content and placeholders
@ -836,7 +824,6 @@ class AdvancedChatDraftHumanInputFormRunApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT])
    @with_current_user
    @edit_permission_required
@ -870,7 +857,6 @@ class WorkflowDraftHumanInputFormPreviewApi(Resource):
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def post(self, current_user: Account, app_model: App, node_id: str):
        """
        Preview human input form content and placeholders
@ -902,7 +888,6 @@ class WorkflowDraftHumanInputFormRunApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -936,7 +921,6 @@ class WorkflowDraftHumanInputDeliveryTestApi(Resource):
    @get_app_model(mode=[AppMode.WORKFLOW, AppMode.ADVANCED_CHAT])
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    def post(self, current_user: Account, app_model: App, node_id: str):
        """
        Test human input delivery
@ -968,7 +952,6 @@ class DraftWorkflowRunApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -1007,9 +990,8 @@ class WorkflowTaskStopApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
+    @edit_permission_required
    def post(self, app_model: App, task_id: str):
        """
        Stop workflow task
@ -1040,7 +1022,6 @@ class DraftWorkflowNodeRunApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -1091,9 +1072,8 @@ class PublishedWorkflowApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
+    @edit_permission_required
    def get(self, app_model: App):
        """
        Get published workflow
@ -1113,7 +1093,6 @@ class PublishedWorkflowApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -1162,9 +1141,8 @@ class DefaultBlockConfigsApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
+    @edit_permission_required
    def get(self, app_model: App):
        """
        Get default block config
@ -1189,9 +1167,8 @@ class DefaultBlockConfigApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
+    @edit_permission_required
    def get(self, app_model: App, block_type: str):
        """
        Get default block config
@ -1228,15 +1205,14 @@ class ConvertToWorkflowApi(Resource):
    @account_initialization_required
    @get_app_model(mode=[AppMode.CHAT, AppMode.COMPLETION])
    @with_current_user
-    @with_current_tenant_id
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
-    def post(self, current_tenant_id: str, current_user: Account, app_model: App):
+    def post(self, current_user: Account, app_model: App):
        """
        Convert basic mode of chatbot app to workflow mode
        Convert expert mode of chatbot app to workflow mode
        Convert Completion App to Workflow App
        """
+
        payload = console_ns.payload or {}
        args = ConvertToWorkflowPayload.model_validate(payload).model_dump(exclude_none=True)

@ -1247,7 +1223,6 @@ class ConvertToWorkflowApi(Resource):
        # return app id
        return {
            "new_app_id": new_app_model.id,
-            "permission_keys": get_app_permission_keys(str(current_tenant_id), current_user.id, str(new_app_model.id)),
        }


@ -1270,7 +1245,6 @@ class WorkflowFeaturesApi(Resource):
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def post(self, current_user: Account, app_model: App):

        args = WorkflowFeaturesPayload.model_validate(console_ns.payload or {})
@ -1296,7 +1270,6 @@ class PublishedAllWorkflowApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -1349,7 +1322,6 @@ class DraftWorkflowRestoreApi(Resource):
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_RELEASE_AND_VERSION)
    def post(self, current_user: Account, app_model: App, workflow_id: str):
        workflow_service = WorkflowService()

@ -1388,7 +1360,6 @@ class WorkflowByIdApi(Resource):
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    def patch(self, current_user: Account, app_model: App, workflow_id: str):
        """
        Update workflow attributes
@ -1427,7 +1398,6 @@ class WorkflowByIdApi(Resource):
    @account_initialization_required
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @console_ns.response(204, "Workflow deleted successfully")
    def delete(self, app_model: App, workflow_id: str):
        """
@ -1466,7 +1436,6 @@ class DraftWorkflowNodeLastRunApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, node_id: str):
        srv = WorkflowService()
@ -1511,7 +1480,6 @@ class DraftWorkflowTriggerRunApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -1580,7 +1548,6 @@ class DraftWorkflowTriggerNodeApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
@ -1664,7 +1631,6 @@ class DraftWorkflowTriggerRunAllApi(Resource):
    @get_app_model(mode=[AppMode.WORKFLOW])
    @with_current_user
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TEST_AND_RUN)
    def post(self, current_user: Account, app_model: App):
        """
        Full workflow debug when the start node is a trigger
--- a/api/controllers/console/app/workflow_app_log.py
+++ b/api/controllers/console/app/workflow_app_log.py
@ -10,13 +10,7 @@ from sqlalchemy.orm import sessionmaker
 from controllers.common.schema import query_params_from_model, register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-)
+from controllers.console.wraps import account_initialization_required, setup_required
 from extensions.ext_database import db
 from fields.base import ResponseModel
 from fields.end_user_fields import SimpleEndUser
@ -181,7 +175,6 @@ class WorkflowAppLogApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
    @get_app_model(mode=[AppMode.WORKFLOW])
    def get(self, app_model: App):
        """
@ -225,7 +218,6 @@ class WorkflowArchivedLogApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
    @get_app_model(mode=[AppMode.WORKFLOW])
    def get(self, app_model: App):
        """
--- a/api/controllers/console/app/workflow_comment.py
+++ b/api/controllers/console/app/workflow_comment.py
@ -8,11 +8,8 @@ from controllers.common.schema import register_response_schema_models, register_
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -221,9 +218,8 @@ class WorkflowCommentListApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
-    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model()
+    @with_current_tenant_id
    def get(self, current_tenant_id: str, app_model: App):
        """Get all comments for a workflow."""
        comments = WorkflowCommentService.get_comments(tenant_id=current_tenant_id, app_id=app_model.id)
@ -238,11 +234,10 @@ class WorkflowCommentListApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
+    @get_app_model()
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
    @with_current_tenant_id
-    @get_app_model()
    def post(self, current_tenant_id: str, current_user: Account, app_model: App):
        """Create a new workflow comment."""
        payload = WorkflowCommentCreatePayload.model_validate(console_ns.payload or {})
@ -271,9 +266,8 @@ class WorkflowCommentDetailApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
-    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model()
+    @with_current_tenant_id
    def get(self, current_tenant_id: str, app_model: App, comment_id: str):
        """Get a specific workflow comment."""
        comment = WorkflowCommentService.get_comment(
@ -290,11 +284,10 @@ class WorkflowCommentDetailApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
+    @get_app_model()
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
    @with_current_tenant_id
-    @get_app_model()
    def put(self, current_tenant_id: str, current_user: Account, app_model: App, comment_id: str):
        """Update a workflow comment."""
        payload = WorkflowCommentUpdatePayload.model_validate(console_ns.payload or {})
@ -319,11 +312,10 @@ class WorkflowCommentDetailApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
+    @get_app_model()
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
    @with_current_tenant_id
-    @get_app_model()
    def delete(self, current_tenant_id: str, current_user: Account, app_model: App, comment_id: str):
        """Delete a workflow comment."""
        WorkflowCommentService.delete_comment(
@ -347,11 +339,10 @@ class WorkflowCommentResolveApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
+    @get_app_model()
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
    @with_current_tenant_id
-    @get_app_model()
    def post(self, current_tenant_id: str, current_user: Account, app_model: App, comment_id: str):
        """Resolve a workflow comment."""
        comment = WorkflowCommentService.resolve_comment(
@ -376,11 +367,10 @@ class WorkflowCommentReplyApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
+    @get_app_model()
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
    @with_current_tenant_id
-    @get_app_model()
    def post(self, current_tenant_id: str, current_user: Account, app_model: App, comment_id: str):
        """Add a reply to a workflow comment."""
        # Validate comment access first
@ -412,11 +402,10 @@ class WorkflowCommentReplyDetailApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
+    @get_app_model()
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
    @with_current_tenant_id
-    @get_app_model()
    def put(self, current_tenant_id: str, current_user: Account, app_model: App, comment_id: str, reply_id: str):
        """Update a comment reply."""
        # Validate comment access first
@ -445,11 +434,10 @@ class WorkflowCommentReplyDetailApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
+    @get_app_model()
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
    @with_current_user
    @with_current_tenant_id
-    @get_app_model()
    def delete(self, current_tenant_id: str, current_user: Account, app_model: App, comment_id: str, reply_id: str):
        """Delete a comment reply."""
        # Validate comment access first
@ -481,9 +469,8 @@ class WorkflowCommentMentionUsersApi(Resource):
    @login_required
    @setup_required
    @account_initialization_required
-    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model()
+    @with_current_user
    def get(self, current_user: Account, app_model: App):
        """Get all users in current tenant for mentions."""
        current_tenant = current_user.current_tenant  # need the tenant object here
--- a/api/controllers/console/app/workflow_draft_variable.py
+++ b/api/controllers/console/app/workflow_draft_variable.py
@ -18,11 +18,8 @@ from controllers.console.app.error import (
 )
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_user,
 )
@ -286,7 +283,6 @@ def _api_prerequisite[T, **P, R](
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    @with_current_user
    @wraps(f)
@ -308,7 +304,6 @@ class WorkflowVariableCollectionApi(Resource):
    )
    @_api_prerequisite
    @marshal_with(workflow_draft_variable_list_without_value_model)
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, current_user: Account, app_model: App):
        """
        Get draft workflow
@ -373,7 +368,6 @@ class NodeVariableCollectionApi(Resource):
    @console_ns.response(200, "Node variables retrieved successfully", workflow_draft_variable_list_model)
    @_api_prerequisite
    @marshal_with(workflow_draft_variable_list_model)
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, current_user: Account, app_model: App, node_id: str):
        validate_node_id(node_id)
        with sessionmaker(bind=db.engine, expire_on_commit=False).begin() as session:
@ -408,7 +402,6 @@ class VariableApi(Resource):
    @console_ns.response(404, "Variable not found")
    @_api_prerequisite
    @marshal_with(workflow_draft_variable_model)
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, current_user: Account, app_model: App, variable_id: UUID):
        draft_var_srv = WorkflowDraftVariableService(
            session=db.session(),
@ -581,7 +574,6 @@ class ConversationVariableCollectionApi(Resource):
    @console_ns.response(404, "Draft workflow not found")
    @_api_prerequisite
    @marshal_with(workflow_draft_variable_list_model)
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, current_user: Account, app_model: App):
        # NOTE(QuantumGhost): Prefill conversation variables into the draft variables table
        # so their IDs can be returned to the caller.
@ -607,9 +599,8 @@ class ConversationVariableCollectionApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
-    @with_current_user
    @get_app_model(mode=AppMode.ADVANCED_CHAT)
+    @with_current_user
    def post(self, current_user: Account, app_model: App):
        payload = ConversationVariableUpdatePayload.model_validate(console_ns.payload or {})

@ -637,7 +628,6 @@ class SystemVariableCollectionApi(Resource):
    @console_ns.response(200, "System variables retrieved successfully", workflow_draft_variable_list_model)
    @_api_prerequisite
    @marshal_with(workflow_draft_variable_list_model)
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, current_user: Account, app_model: App):
        return _get_variable_list(app_model, SYSTEM_VARIABLE_NODE_ID, current_user.id)

@ -654,7 +644,6 @@ class EnvironmentVariableCollectionApi(Resource):
    )
    @console_ns.response(404, "Draft workflow not found")
    @_api_prerequisite
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    def get(self, _current_user: Account, app_model: App):
        """
        Get draft workflow
@ -699,9 +688,8 @@ class EnvironmentVariableCollectionApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
-    @with_current_user
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
+    @with_current_user
    def post(self, current_user: Account, app_model: App):
        payload = EnvironmentVariableUpdatePayload.model_validate(console_ns.payload or {})

--- a/api/controllers/console/app/workflow_node_output_inspector.py
+++ b/api/controllers/console/app/workflow_node_output_inspector.py
@ -34,13 +34,7 @@ from controllers.common.fields import EventStreamResponse
 from controllers.common.schema import register_response_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-)
+from controllers.console.wraps import account_initialization_required, setup_required
 from libs.exception import BaseHTTPException
 from libs.login import login_required
 from models import App, AppMode
@ -152,7 +146,6 @@ class WorkflowDraftRunNodeOutputsApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID):
        return _serve_snapshot(app_model, run_id)
@ -176,7 +169,6 @@ class WorkflowDraftRunNodeOutputDetailApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID, node_id: str):
        return _serve_node_detail(app_model, run_id, node_id)
@ -203,7 +195,6 @@ class WorkflowDraftRunNodeOutputPreviewApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID, node_id: str, output_name: str):
        return _serve_output_preview(app_model, run_id, node_id, output_name)
@ -347,7 +338,6 @@ class WorkflowDraftRunNodeOutputEventsApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID):
        return Response(
@ -378,7 +368,6 @@ class WorkflowPublishedRunNodeOutputsApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID):
        return _serve_snapshot(app_model, run_id)
@ -402,7 +391,6 @@ class WorkflowPublishedRunNodeOutputDetailApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID, node_id: str):
        return _serve_node_detail(app_model, run_id, node_id)
@ -430,7 +418,6 @@ class WorkflowPublishedRunNodeOutputPreviewApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID, node_id: str, output_name: str):
        return _serve_output_preview(app_model, run_id, node_id, output_name)
@ -452,7 +439,6 @@ class WorkflowPublishedRunNodeOutputEventsApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID):
        return Response(
--- a/api/controllers/console/app/workflow_run.py
+++ b/api/controllers/console/app/workflow_run.py
@ -14,10 +14,7 @@ from controllers.common.schema import query_params_from_model, register_response
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -158,7 +155,6 @@ class AdvancedChatAppWorkflowRunListApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT])
    def get(self, app_model: App):
        """
@ -197,7 +193,6 @@ class WorkflowRunExportApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model()
    def get(self, app_model: App, run_id: UUID):
        tenant_id = app_model.tenant_id
@ -256,7 +251,6 @@ class AdvancedChatAppWorkflowRunCountApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT])
    def get(self, app_model: App):
        """
@ -297,7 +291,6 @@ class WorkflowRunListApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App):
        """
@ -339,7 +332,6 @@ class WorkflowRunCountApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App):
        """
@ -380,7 +372,6 @@ class WorkflowRunDetailApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
    def get(self, app_model: App, run_id: UUID):
        """
@ -410,9 +401,8 @@ class WorkflowRunNodeExecutionListApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_CREATE_AND_MANAGEMENT)
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
+    @with_current_user
    def get(self, current_user: Account, app_model: App, run_id: UUID):
        """
        Get workflow run node execution list
--- a/api/controllers/console/app/workflow_statistic.py
+++ b/api/controllers/console/app/workflow_statistic.py
@ -6,14 +6,7 @@ from sqlalchemy.orm import sessionmaker
 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-    with_current_user,
-)
+from controllers.console.wraps import account_initialization_required, setup_required, with_current_user
 from extensions.ext_database import db
 from fields.base import ResponseModel
 from libs.datetime_utils import parse_time_range
@ -98,12 +91,11 @@ class WorkflowDailyRunsStatistic(Resource):
        "Daily runs statistics retrieved successfully",
        console_ns.models[WorkflowDailyRunsStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))

@ -142,12 +134,11 @@ class WorkflowDailyTerminalsStatistic(Resource):
        "Daily terminals statistics retrieved successfully",
        console_ns.models[WorkflowDailyTerminalsStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))

@ -186,12 +177,11 @@ class WorkflowDailyTokenCostStatistic(Resource):
        "Daily token cost statistics retrieved successfully",
        console_ns.models[WorkflowDailyTokenCostStatisticResponse.__name__],
    )
+    @get_app_model
    @setup_required
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
-    @get_app_model
    def get(self, account: Account, app_model: App):
        args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))

@ -233,9 +223,8 @@ class WorkflowAverageAppInteractionStatistic(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @with_current_user
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
    @get_app_model(mode=[AppMode.WORKFLOW])
+    @with_current_user
    def get(self, account: Account, app_model: App):
        args = WorkflowStatisticQuery.model_validate(request.args.to_dict(flat=True))

--- a/api/controllers/console/app/workflow_trigger.py
+++ b/api/controllers/console/app/workflow_trigger.py
@ -19,15 +19,7 @@ from models.trigger import AppTrigger, WorkflowWebhookTrigger

 from .. import console_ns
 from ..app.wraps import get_app_model
-from ..wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    edit_permission_required,
-    rbac_permission_required,
-    setup_required,
-    with_current_tenant_id,
-)
+from ..wraps import account_initialization_required, edit_permission_required, setup_required, with_current_tenant_id

 logger = logging.getLogger(__name__)

@ -98,9 +90,8 @@ class WebhookTriggerApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @console_ns.response(200, "Success", console_ns.models[WebhookTriggerResponse.__name__])
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
    @get_app_model(mode=AppMode.WORKFLOW)
+    @console_ns.response(200, "Success", console_ns.models[WebhookTriggerResponse.__name__])
    def get(self, app_model: App):
        """Get webhook trigger for a node"""
        args = Parser.model_validate(request.args.to_dict(flat=True))
@ -131,10 +122,9 @@ class AppTriggersApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
+    @get_app_model(mode=AppMode.WORKFLOW)
    @console_ns.response(200, "Success", console_ns.models[WorkflowTriggerListResponse.__name__])
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_VIEW_LAYOUT)
-    @get_app_model(mode=AppMode.WORKFLOW)
    def get(self, current_tenant_id: str, app_model: App):
        """Get app triggers list"""
        with sessionmaker(db.engine, expire_on_commit=False).begin() as session:
@ -172,10 +162,9 @@ class AppTriggerEnableApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_EDIT)
+    @get_app_model(mode=AppMode.WORKFLOW)
    @console_ns.response(200, "Success", console_ns.models[WorkflowTriggerResponse.__name__])
    @with_current_tenant_id
-    @get_app_model(mode=AppMode.WORKFLOW)
    def post(self, current_tenant_id: str, app_model: App):
        """Update app trigger (enable/disable)"""
        args = ParserEnable.model_validate(console_ns.payload)
--- a/api/controllers/console/auth/activate.py
+++ b/api/controllers/console/auth/activate.py
@ -1,7 +1,6 @@
 from flask import request
 from flask_restx import Resource
 from pydantic import BaseModel, Field, field_validator
-from sqlalchemy import select

 from configs import dify_config
 from constants.languages import supported_language
@ -12,8 +11,7 @@ from extensions.ext_database import db
 from libs.datetime_utils import naive_utc_now
 from libs.helper import EmailStr, timezone
 from models import AccountStatus
-from models.account import TenantAccountJoin, TenantAccountRole
-from services.account_service import RegisterService, TenantService
+from services.account_service import RegisterService
 from services.billing_service import BillingService


@ -27,22 +25,18 @@ class ActivatePayload(BaseModel):
    workspace_id: str | None = Field(default=None)
    email: EmailStr | None = Field(default=None)
    token: str
-    name: str | None = Field(default=None, max_length=30)
-    interface_language: str | None = Field(default=None)
-    timezone: str | None = Field(default=None)
+    name: str = Field(..., max_length=30)
+    interface_language: str = Field(...)
+    timezone: str = Field(...)

    @field_validator("interface_language")
    @classmethod
-    def validate_lang(cls, value: str | None) -> str | None:
-        if value is None:
-            return None
+    def validate_lang(cls, value: str) -> str:
        return supported_language(value)

    @field_validator("timezone")
    @classmethod
-    def validate_tz(cls, value: str | None) -> str | None:
-        if value is None:
-            return None
+    def validate_tz(cls, value: str) -> str:
        return timezone(value)


@ -54,8 +48,6 @@ class ActivationCheckData(BaseModel):
    workspace_name: str | None
    workspace_id: str | None
    email: str | None
-    account_status: str | None = None
-    requires_setup: bool | None = None


 class ActivationCheckResponse(BaseModel):
@ -103,20 +95,9 @@ class ActivateCheckApi(Resource):
            workspace_name = tenant.name if tenant else None
            workspace_id = tenant.id if tenant else None
            invitee_email = data.get("email") if data else None
-            account = invitation.get("account")
-            account_status = account.status if account else None
-            requires_setup = data.get("requires_setup")
-            if requires_setup is None:
-                requires_setup = account_status == AccountStatus.PENDING
            return {
                "is_valid": invitation is not None,
-                "data": {
-                    "workspace_name": workspace_name,
-                    "workspace_id": workspace_id,
-                    "email": invitee_email,
-                    "account_status": account_status,
-                    "requires_setup": requires_setup,
-                },
+                "data": {"workspace_name": workspace_name, "workspace_id": workspace_id, "email": invitee_email},
            }
        else:
            return {"is_valid": False}
@ -145,45 +126,15 @@ class ActivateApi(Resource):
        if dify_config.BILLING_ENABLED and BillingService.is_email_in_freeze(account.email):
            raise AccountInFreezeError()

-        tenant = invitation["tenant"]
-        raw_role = invitation["data"].get("role")
-        try:
-            role = TenantAccountRole(raw_role) if raw_role else TenantAccountRole.NORMAL
-        except ValueError:
-            role = TenantAccountRole.NORMAL
-        if not TenantAccountRole.is_non_owner_role(role):
-            role = TenantAccountRole.NORMAL
-
-        membership_id = db.session.scalar(
-            select(TenantAccountJoin.id).where(
-                TenantAccountJoin.tenant_id == tenant.id,
-                TenantAccountJoin.account_id == account.id,
-            )
-        )
-
-        requires_setup = invitation["data"].get("requires_setup")
-        if requires_setup is None:
-            requires_setup = account.status == AccountStatus.PENDING
-
-        setup_fields: tuple[str, str, str] | None = None
-        if requires_setup:
-            if not args.name or not args.interface_language or not args.timezone:
-                raise AlreadyActivateError()
-            setup_fields = (args.name, args.interface_language, args.timezone)
-
        RegisterService.revoke_token(args.workspace_id, normalized_request_email, args.token)

-        if membership_id is None:
-            TenantService.create_tenant_member(tenant, account, str(role))
+        account.name = args.name

-        if setup_fields:
-            account.name = setup_fields[0]
-            account.interface_language = setup_fields[1]
-            account.timezone = setup_fields[2]
-            account.interface_theme = "light"
-            account.status = AccountStatus.ACTIVE
-            account.initialized_at = naive_utc_now()
-
-        TenantService.switch_tenant(account, tenant.id)
+        account.interface_language = args.interface_language
+        account.timezone = args.timezone
+        account.interface_theme = "light"
+        account.status = AccountStatus.ACTIVE
+        account.initialized_at = naive_utc_now()
+        db.session.commit()

        return {"result": "success"}
--- a/api/controllers/console/auth/data_source_bearer_auth.py
+++ b/api/controllers/console/auth/data_source_bearer_auth.py
@ -11,15 +11,7 @@ from services.auth.api_key_auth_service import ApiKeyAuthService

 from .. import console_ns
 from ..auth.error import ApiKeyAuthFailedError
-from ..wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    is_admin_or_owner_required,
-    rbac_permission_required,
-    setup_required,
-    with_current_tenant_id,
-)
+from ..wraps import account_initialization_required, is_admin_or_owner_required, setup_required, with_current_tenant_id


 class ApiKeyAuthBindingPayload(BaseModel):
@ -83,7 +75,6 @@ class ApiKeyAuthDataSourceBinding(Resource):
    @login_required
    @account_initialization_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @console_ns.expect(console_ns.models[ApiKeyAuthBindingPayload.__name__])
    @with_current_tenant_id
    def post(self, current_tenant_id: str):
@ -104,7 +95,6 @@ class ApiKeyAuthDataSourceBindingDelete(Resource):
    @login_required
    @account_initialization_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @console_ns.response(204, "Binding deleted successfully")
    @with_current_tenant_id
    def delete(self, current_tenant_id: str, binding_id: UUID):
--- a/api/controllers/console/auth/data_source_oauth.py
+++ b/api/controllers/console/auth/data_source_oauth.py
@ -13,14 +13,7 @@ from libs.login import login_required
 from libs.oauth_data_source import NotionOAuth

 from .. import console_ns
-from ..wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    is_admin_or_owner_required,
-    rbac_permission_required,
-    setup_required,
-)
+from ..wraps import account_initialization_required, is_admin_or_owner_required, setup_required

 logger = logging.getLogger(__name__)

@ -82,7 +75,6 @@ class OAuthDataSource(Resource):
    @console_ns.response(400, "Invalid provider")
    @console_ns.response(403, "Admin privileges required")
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    def get(self, provider: str):
        # The role of the current user in the table must be admin or owner
        OAUTH_DATASOURCE_PROVIDERS = get_oauth_providers()
--- a/api/controllers/console/datasets/data_source.py
+++ b/api/controllers/console/datasets/data_source.py
@ -31,15 +31,7 @@ from services.datasource_provider_service import DatasourceProviderService
 from tasks.document_indexing_sync_task import document_indexing_sync_task

 from .. import console_ns
-from ..wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    account_initialization_required,
-    rbac_permission_required,
-    setup_required,
-    with_current_tenant_id,
-    with_current_user,
-)
+from ..wraps import account_initialization_required, setup_required, with_current_tenant_id, with_current_user


 class NotionEstimatePayload(BaseModel):
@ -398,7 +390,6 @@ class DataSourceNotionDatasetSyncApi(Resource):
    @login_required
    @account_initialization_required
    @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, dataset_id: UUID) -> tuple[dict[str, str], int]:
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -417,7 +408,6 @@ class DataSourceNotionDocumentSyncApi(Resource):
    @login_required
    @account_initialization_required
    @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, dataset_id: UUID, document_id: UUID) -> tuple[dict[str, str], int]:
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
--- a/api/controllers/console/datasets/datasets.py
+++ b/api/controllers/console/datasets/datasets.py
@ -17,13 +17,10 @@ from controllers.console.apikey import ApiKeyItem, ApiKeyList
 from controllers.console.app.error import ProviderNotInitializeError
 from controllers.console.datasets.error import DatasetInUseError, DatasetNameDuplicateError, IndexingEstimateError
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    cloud_edition_billing_rate_limit_check,
    enterprise_license_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -49,16 +46,9 @@ from models.enums import ApiTokenType, SegmentStatus
 from models.provider_ids import ModelProviderID
 from services.api_token_service import ApiTokenCache
 from services.dataset_service import DatasetPermissionService, DatasetService, DocumentService
-from services.enterprise import rbac_service as enterprise_rbac_service

 register_response_schema_models(console_ns, ApiBaseUrlResponse, SimpleResultResponse, UsageCheckResponse)

-DATASET_LIST_PERMISSION_KEYS = frozenset({"dataset.preview", "dataset.acl.preview", "dataset.full_access"})
-
-
-def _has_dataset_list_permission(permission_keys: list[str]) -> bool:
-    return any(permission_key in DATASET_LIST_PERMISSION_KEYS for permission_key in permission_keys)
-

 def _validate_indexing_technique(value: str | None) -> str | None:
    if value is None:
@ -412,68 +402,20 @@ class DatasetListApi(Resource):
        if "tag_ids" in request.args:
            query_params["tag_ids"] = request.args.getlist("tag_ids")
        query = ConsoleDatasetListQuery.model_validate(query_params)
-
-        permissions = enterprise_rbac_service.RBACService.MyPermissions.get(
-            str(current_tenant_id),
-            current_user.id,
-        )
-
-        accessible_dataset_ids: list[str] | None = None
-        include_own_datasets = False
-        if dify_config.RBAC_ENABLED:
-            whitelist_scope = enterprise_rbac_service.RBACService.DatasetAccess.whitelist_resources(
-                str(current_tenant_id),
-                current_user.id,
-            )
-            has_default_readonly = _has_dataset_list_permission(
-                permissions.dataset.default_permission_keys
-            ) or _has_dataset_list_permission(permissions.workspace.permission_keys)
-            permission_dataset_ids: set[str] | None = None
-            if not has_default_readonly:
-                permission_dataset_ids = {
-                    override.resource_id
-                    for override in permissions.dataset.overrides
-                    if _has_dataset_list_permission(override.permission_keys)
-                }
-            if getattr(whitelist_scope, "unrestricted", False):
-                filtered_dataset_ids = permission_dataset_ids
-            else:
-                filtered_dataset_ids = set(whitelist_scope.resource_ids)
-                if permission_dataset_ids is not None:
-                    filtered_dataset_ids |= permission_dataset_ids
-                elif has_default_readonly:
-                    filtered_dataset_ids = None
-            if filtered_dataset_ids is not None:
-                accessible_dataset_ids = sorted(filtered_dataset_ids)
-            include_own_datasets = "dataset.create_and_management" in permissions.workspace.permission_keys
-
+        # provider = request.args.get("provider", default="vendor")
        if query.ids:
-            datasets, total = DatasetService.get_datasets_by_ids(
-                query.ids,
-                current_tenant_id,
-                user=current_user,
-                accessible_dataset_ids=accessible_dataset_ids,
-                include_own_datasets=include_own_datasets,
-            )
+            datasets, total = DatasetService.get_datasets_by_ids(query.ids, current_tenant_id)
        else:
            datasets, total = DatasetService.get_datasets(
                query.page,
                query.limit,
-                db.session,
                current_tenant_id,
                current_user,
                query.keyword,
                query.tag_ids,
                query.include_all,
-                accessible_dataset_ids=accessible_dataset_ids,
-                include_own_datasets=include_own_datasets,
            )

-        permission_keys_map = {}
-        if datasets:
-            dataset_ids = [str(dataset.id) for dataset in datasets]
-            permission_keys_map = permissions.dataset.permission_keys_by_resource_ids(dataset_ids)
-
        # check embedding setting
        provider_manager = create_plugin_provider_manager(tenant_id=current_tenant_id)
        configurations = provider_manager.get_configurations(tenant_id=current_tenant_id)
@ -488,13 +430,13 @@ class DatasetListApi(Resource):
        dataset_ids = [item["id"] for item in data if item.get("permission") == "partial_members"]
        partial_members_map: dict[str, list[str]] = {}
        if dataset_ids:
-            partial_member_rows = db.session.execute(
+            permissions = db.session.execute(
                select(DatasetPermission.dataset_id, DatasetPermission.account_id).where(
                    DatasetPermission.dataset_id.in_(dataset_ids)
                )
            ).all()

-            for dataset_id, account_id in partial_member_rows:
+            for dataset_id, account_id in permissions:
                partial_members_map.setdefault(dataset_id, []).append(account_id)

        for item in data:
@ -513,7 +455,6 @@ class DatasetListApi(Resource):
                item.update({"partial_member_list": partial_members_map.get(item["id"], [])})
            else:
                item.update({"partial_member_list": []})
-            item["permission_keys"] = permission_keys_map.get(str(item["id"]), [])

        response = {
            "data": data,
@ -532,9 +473,6 @@ class DatasetListApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(
-        RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT, resource_required=False
-    )
    @cloud_edition_billing_rate_limit_check("knowledge")
    @with_current_user
    @with_current_tenant_id
@ -545,11 +483,6 @@ class DatasetListApi(Resource):
        if not current_user.is_dataset_editor:
            raise Forbidden()

-        if dify_config.RBAC_ENABLED:
-            permission = DatasetPermissionEnum.ALL_TEAM
-        else:
-            permission = payload.permission or DatasetPermissionEnum.ONLY_ME
-
        try:
            dataset = DatasetService.create_empty_dataset(
                tenant_id=current_tenant_id,
@ -557,7 +490,7 @@ class DatasetListApi(Resource):
                description=payload.description,
                indexing_technique=payload.indexing_technique,
                account=current_user,
-                permission=permission,
+                permission=payload.permission or DatasetPermissionEnum.ONLY_ME,
                provider=payload.provider,
                external_knowledge_api_id=payload.external_knowledge_api_id,
                external_knowledge_id=payload.external_knowledge_id,
@ -565,17 +498,7 @@ class DatasetListApi(Resource):
        except services.errors.dataset.DatasetNameDuplicateError:
            raise DatasetNameDuplicateError()

-        permission_keys_map = enterprise_rbac_service.RBACService.DatasetPermissions.batch_get(
-            str(current_tenant_id),
-            current_user.id,
-            [str(dataset.id)],
-        )
-
-        item = DatasetDetailWithPartialMembersResponse.model_validate(dataset, from_attributes=True).model_dump(
-            mode="json"
-        )
-        item["permission_keys"] = permission_keys_map.get(str(dataset.id), [])
-        return item, 201
+        return dump_response(DatasetDetailResponse, dataset), 201


@console_ns.route("/datasets/<uuid:dataset_id>")
@ -593,7 +516,6 @@ class DatasetApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    @with_current_user
    @with_current_tenant_id
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID):
@ -605,14 +527,7 @@ class DatasetApi(Resource):
            DatasetService.check_dataset_permission(dataset, current_user)
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
-        permissions = enterprise_rbac_service.RBACService.MyPermissions.get(
-            str(current_tenant_id),
-            current_user.id,
-            dataset_id=dataset_id_str,
-        )
-        permission_keys_map = permissions.dataset.permission_keys_by_resource_ids([dataset_id_str])
        data = dump_response(DatasetDetailResponse, dataset)
-        data["permission_keys"] = permission_keys_map.get(dataset_id_str, [])
        if dataset.indexing_technique == IndexTechniqueType.HIGH_QUALITY:
            if dataset.embedding_model_provider:
                provider_id = ModelProviderID(dataset.embedding_model_provider)
@ -658,7 +573,6 @@ class DatasetApi(Resource):
    @cloud_edition_billing_rate_limit_check("knowledge")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(self, current_tenant_id: str, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -678,23 +592,16 @@ class DatasetApi(Resource):
            payload.is_multimodal = is_multimodal
        payload_data = payload.model_dump(exclude_unset=True)
        # The role of the current user in the ta table must be admin, owner, editor, or dataset_operator
-        if not dify_config.RBAC_ENABLED:
-            DatasetPermissionService.check_permission(
-                current_user, dataset, payload.permission, payload.partial_member_list
-            )
+        DatasetPermissionService.check_permission(
+            current_user, dataset, payload.permission, payload.partial_member_list
+        )

        dataset = DatasetService.update_dataset(dataset_id_str, payload_data, current_user)

        if dataset is None:
            raise NotFound("Dataset not found.")

-        permission_keys_map = enterprise_rbac_service.RBACService.DatasetPermissions.batch_get(
-            str(current_tenant_id),
-            current_user.id,
-            [dataset_id_str],
-        )
        result_data = dump_response(DatasetDetailResponse, dataset)
-        result_data["permission_keys"] = permission_keys_map.get(dataset_id_str, [])
        tenant_id = current_tenant_id

        if payload.partial_member_list is not None and payload.permission == DatasetPermissionEnum.PARTIAL_TEAM:
@ -714,7 +621,6 @@ class DatasetApi(Resource):
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.response(204, "Dataset deleted successfully")
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def delete(self, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)

@ -744,7 +650,6 @@ class DatasetUseCheckApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, dataset_id: UUID):
        dataset_id_str = str(dataset_id)

@ -766,7 +671,6 @@ class DatasetQueryApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -907,7 +811,6 @@ class DatasetRelatedAppListApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -944,7 +847,6 @@ class DatasetIndexingStatusApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, current_tenant_id: str, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        documents = db.session.scalars(
@ -1014,7 +916,6 @@ class DatasetApiKeyApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_API_KEY_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, current_tenant_id: str):
@ -1055,7 +956,6 @@ class DatasetApiDeleteApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_API_KEY_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def delete(self, current_tenant_id: str, api_key_id: UUID):
@ -1090,7 +990,6 @@ class DatasetEnableApiApi(Resource):
    @login_required
    @account_initialization_required
    @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, dataset_id: UUID, status: str):
        dataset_id_str = str(dataset_id)

@ -1160,7 +1059,6 @@ class DatasetErrorDocs(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -1187,7 +1085,6 @@ class DatasetPermissionUserListApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -1217,7 +1114,6 @@ class DatasetAutoDisableLogApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
--- a/api/controllers/console/datasets/datasets_document.py
+++ b/api/controllers/console/datasets/datasets_document.py
@ -19,7 +19,6 @@ from controllers.common.controller_schemas import DocumentBatchDownloadZipPayloa
 from controllers.common.fields import BinaryFileResponse, SimpleResultMessageResponse, SimpleResultResponse, UrlResponse
 from controllers.common.schema import register_response_schema_models, register_schema_models
 from controllers.console import console_ns
-from controllers.console.wraps import RBACPermission, RBACResourceScope, rbac_permission_required
 from core.errors.error import (
    LLMBadRequestError,
    ModelCurrentlyNotSupportError,
@ -290,7 +289,6 @@ class DatasetDocumentListApi(Resource):
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        raw_args = request.args.to_dict()
@ -417,7 +415,6 @@ class DatasetDocumentListApi(Resource):
    @console_ns.expect(console_ns.models[KnowledgeConfig.__name__])
    @console_ns.response(200, "Documents created successfully", console_ns.models[DatasetAndDocumentResponse.__name__])
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)

@ -461,7 +458,6 @@ class DatasetDocumentListApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.response(204, "Documents deleted successfully")
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def delete(self, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -559,7 +555,6 @@ class DocumentIndexingEstimateApi(DocumentResource):
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
@ -631,7 +626,6 @@ class DocumentBatchIndexingEstimateApi(DocumentResource):
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, batch: str):
        dataset_id_str = str(dataset_id)
        documents = self.get_batch_documents(dataset_id_str, batch, current_user)
@ -732,7 +726,6 @@ class DocumentBatchIndexingStatusApi(DocumentResource):
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_user: Account, dataset_id: UUID, batch: str):
        dataset_id_str = str(dataset_id)
        documents = self.get_batch_documents(dataset_id_str, batch, current_user)
@ -790,7 +783,6 @@ class DocumentIndexingStatusApi(DocumentResource):
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
@ -854,7 +846,6 @@ class DocumentApi(DocumentResource):
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
@ -946,7 +937,6 @@ class DocumentApi(DocumentResource):
    @console_ns.response(204, "Document deleted successfully")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def delete(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
@ -979,7 +969,6 @@ class DocumentDownloadApi(DocumentResource):
    @cloud_edition_billing_rate_limit_check("knowledge")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_DOCUMENT_DOWNLOAD)
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID) -> dict[str, Any]:
        # Reuse the shared permission/tenant checks implemented in DocumentResource.
        document = self.get_document(str(dataset_id), str(document_id), current_user, current_tenant_id)
@ -1000,7 +989,6 @@ class DocumentBatchDownloadZipApi(DocumentResource):
    @console_ns.expect(console_ns.models[DocumentBatchDownloadZipPayload.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_tenant_id: str, current_user: Account, dataset_id: UUID):
        """Stream a ZIP archive containing the requested uploaded documents."""
        # Parse and validate request payload.
@ -1049,7 +1037,6 @@ class DocumentProcessingApi(DocumentResource):
    @cloud_edition_billing_rate_limit_check("knowledge")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(
        self,
        current_tenant_id: str,
@ -1106,7 +1093,6 @@ class DocumentMetadataApi(DocumentResource):
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def put(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
@ -1156,7 +1142,6 @@ class DocumentStatusApi(DocumentResource):
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(
        self, current_user: Account, dataset_id: UUID, action: Literal["enable", "disable", "archive", "un_archive"]
    ):
@ -1196,7 +1181,6 @@ class DocumentPauseApi(DocumentResource):
    @account_initialization_required
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.response(204, "Document paused successfully")
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(self, dataset_id: UUID, document_id: UUID):
        """pause document."""
        dataset_id_str = str(dataset_id)
@ -1232,7 +1216,6 @@ class DocumentRecoverApi(DocumentResource):
    @account_initialization_required
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.response(204, "Document resumed successfully")
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(self, dataset_id: UUID, document_id: UUID):
        """recover document."""
        dataset_id_str = str(dataset_id)
@ -1266,7 +1249,6 @@ class DocumentRetryApi(DocumentResource):
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[DocumentRetryPayload.__name__])
    @console_ns.response(204, "Documents retry started successfully")
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, dataset_id: UUID):
        """retry document."""
        payload = DocumentRetryPayload.model_validate(console_ns.payload or {})
@ -1308,7 +1290,6 @@ class DocumentRenameApi(DocumentResource):
    @console_ns.response(200, "Document renamed successfully", console_ns.models[DocumentResponse.__name__])
    @console_ns.expect(console_ns.models[DocumentRenamePayload.__name__])
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_user: Account, dataset_id: UUID, document_id: UUID):
        # The role of the current user in the ta table must be admin, owner, editor, or dataset_operator
        if not current_user.is_dataset_editor:
@ -1334,7 +1315,6 @@ class WebsiteDocumentSyncApi(DocumentResource):
    @account_initialization_required
    @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_tenant_id: str, dataset_id: UUID, document_id: UUID):
        """sync website document."""
        dataset_id_str = str(dataset_id)
@ -1368,7 +1348,6 @@ class DocumentPipelineExecutionLogApi(DocumentResource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, dataset_id: UUID, document_id: UUID):
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
@ -1419,7 +1398,6 @@ class DocumentGenerateSummaryApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_rate_limit_check("knowledge")
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_user: Account, dataset_id: UUID):
        """
        Generate summary index for specified documents.
@ -1513,7 +1491,6 @@ class DocumentSummaryStatusApi(DocumentResource):
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, current_user: Account, dataset_id: UUID, document_id: UUID):
        """
        Get summary index generation status for a document.
--- a/api/controllers/console/datasets/datasets_segments.py
+++ b/api/controllers/console/datasets/datasets_segments.py
@ -28,13 +28,10 @@ from controllers.console.datasets.error import (
    InvalidActionError,
 )
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    cloud_edition_billing_knowledge_limit_check,
    cloud_edition_billing_rate_limit_check,
    cloud_edition_billing_resource_check,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -172,7 +169,6 @@ class DatasetDocumentSegmentListApi(Resource):
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        dataset_id_str = str(dataset_id)
        document_id_str = str(document_id)
@ -282,7 +278,6 @@ class DatasetDocumentSegmentListApi(Resource):
    @console_ns.doc(params=query_params_from_model(SegmentIdListQuery))
    @console_ns.response(204, "Segments deleted successfully")
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def delete(self, current_user: Account, dataset_id: UUID, document_id: UUID):
        # check dataset
        dataset_id_str = str(dataset_id)
@ -321,7 +316,6 @@ class DatasetDocumentSegmentApi(Resource):
    @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(
        self,
        current_tenant_id: str,
@ -390,7 +384,6 @@ class DatasetDocumentSegmentAddApi(Resource):
    @console_ns.response(200, "Segment created successfully", console_ns.models[SegmentDetailResponse.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        # check dataset
        dataset_id_str = str(dataset_id)
@ -449,7 +442,6 @@ class DatasetDocumentSegmentUpdateApi(Resource):
    @console_ns.response(200, "Segment updated successfully", console_ns.models[SegmentDetailResponse.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(
        self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID, segment_id: UUID
    ):
@ -521,7 +513,6 @@ class DatasetDocumentSegmentUpdateApi(Resource):
    @console_ns.response(204, "Segment deleted successfully")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def delete(
        self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID, segment_id: UUID
    ):
@ -572,7 +563,6 @@ class DatasetDocumentSegmentBatchImportApi(Resource):
    @console_ns.expect(console_ns.models[BatchImportPayload.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID):
        # check dataset
        dataset_id_str = str(dataset_id)
@ -618,7 +608,6 @@ class DatasetDocumentSegmentBatchImportApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, job_id=None, dataset_id: UUID | None = None, document_id: UUID | None = None):
        if job_id is None:
            raise NotFound("The job does not exist.")
@ -645,7 +634,6 @@ class ChildChunkAddApi(Resource):
    @console_ns.response(200, "Child chunk created successfully", console_ns.models[ChildChunkDetailResponse.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(
        self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID, segment_id: UUID
    ):
@ -705,7 +693,6 @@ class ChildChunkAddApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, current_tenant_id: str, dataset_id: UUID, document_id: UUID, segment_id: UUID):
        # check dataset
        dataset_id_str = str(dataset_id)
@ -760,7 +747,6 @@ class ChildChunkAddApi(Resource):
    @console_ns.expect(console_ns.models[ChildChunkBatchUpdatePayload.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(
        self, current_tenant_id: str, current_user: Account, dataset_id: UUID, document_id: UUID, segment_id: UUID
    ):
@ -813,7 +799,6 @@ class ChildChunkUpdateApi(Resource):
    @console_ns.response(204, "Child chunk deleted successfully")
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def delete(
        self,
        current_tenant_id: str,
@ -881,7 +866,6 @@ class ChildChunkUpdateApi(Resource):
    @console_ns.response(200, "Child chunk updated successfully", console_ns.models[ChildChunkDetailResponse.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(
        self,
        current_tenant_id: str,
--- a/api/controllers/console/datasets/external.py
+++ b/api/controllers/console/datasets/external.py
@ -17,11 +17,8 @@ from controllers.common.schema import (
 from controllers.console import console_ns
 from controllers.console.datasets.error import DatasetNameDuplicateError
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -43,7 +40,6 @@ from fields.dataset_fields import (
 from libs.login import login_required
 from models import Account
 from services.dataset_service import DatasetService
-from services.enterprise import rbac_service as enterprise_rbac_service
 from services.external_knowledge_service import ExternalDatasetService
 from services.hit_testing_service import HitTestingService
 from services.knowledge_service import BedrockRetrievalSetting, ExternalDatasetTestService
@ -323,7 +319,6 @@ class ExternalDatasetCreateApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EXTERNAL_CONNECT)
    @with_current_user
    @with_current_tenant_id
    def post(self, current_tenant_id: str, current_user: Account):
@ -344,16 +339,7 @@ class ExternalDatasetCreateApi(Resource):
        except services.errors.dataset.DatasetNameDuplicateError:
            raise DatasetNameDuplicateError()

-        item = marshal(dataset, dataset_detail_fields)
-        dataset_id_str = item["id"]
-        permission_keys_map = enterprise_rbac_service.RBACService.DatasetPermissions.batch_get(
-            str(current_tenant_id),
-            current_user.id,
-            [dataset_id_str],
-        )
-        item["permission_keys"] = permission_keys_map.get(dataset_id_str, [])
-
-        return item, 201
+        return marshal(dataset, dataset_detail_fields), 201


@console_ns.route("/datasets/<uuid:dataset_id>/external-hit-testing")
@ -373,7 +359,6 @@ class ExternalKnowledgeHitTestingApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_PIPELINE_TEST)
    def post(self, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
--- a/api/controllers/console/datasets/hit_testing.py
+++ b/api/controllers/console/datasets/hit_testing.py
@ -5,7 +5,6 @@ from uuid import UUID
 from flask_restx import Resource

 from controllers.common.schema import register_response_schema_models, register_schema_models
-from controllers.console.wraps import RBACPermission, RBACResourceScope, rbac_permission_required
 from fields.hit_testing_fields import HitTestingResponse
 from libs.helper import dump_response
 from libs.login import login_required
@ -44,7 +43,6 @@ class HitTestingApi(Resource, DatasetsHitTestingBase):
    @cloud_edition_billing_rate_limit_check("knowledge")
    @with_current_tenant_id
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_PIPELINE_TEST)
    def post(self, current_user: Account, current_tenant_id: str, dataset_id: UUID) -> dict[str, object]:
        dataset_id_str = str(dataset_id)

--- a/api/controllers/console/datasets/hit_testing_base.py
+++ b/api/controllers/console/datasets/hit_testing_base.py
@ -23,26 +23,17 @@ from libs.login import resolve_account_fallback
 from models.account import Account
 from models.dataset import Dataset
 from services.dataset_service import DatasetService
-from services.entities.knowledge_entities.knowledge_entities import ExternalRetrievalModel, RetrievalModel
+from services.entities.knowledge_entities.knowledge_entities import RetrievalModel
 from services.hit_testing_service import HitTestingService

 logger = logging.getLogger(__name__)


 class HitTestingPayload(BaseModel):
-    query: str = Field(description="Search query text.", max_length=250)
-    retrieval_model: RetrievalModel | None = Field(
-        default=None,
-        description="Retrieval model configuration. Controls how chunks are searched and ranked.",
-    )
-    external_retrieval_model: ExternalRetrievalModel = Field(
-        default=None,
-        description="Retrieval settings for external knowledge bases.",
-    )
-    attachment_ids: list[str] | None = Field(
-        default=None,
-        description="List of attachment IDs to include in the retrieval context.",
-    )
+    query: str = Field(max_length=250)
+    retrieval_model: RetrievalModel | None = None
+    external_retrieval_model: dict[str, Any] | None = Field(default=None)
+    attachment_ids: list[str] | None = None


 class DatasetsHitTestingBase:
--- a/api/controllers/console/datasets/metadata.py
+++ b/api/controllers/console/datasets/metadata.py
@ -8,11 +8,8 @@ from controllers.common.controller_schemas import MetadataUpdatePayload
 from controllers.common.schema import register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    enterprise_license_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -55,7 +52,6 @@ class DatasetMetadataCreateApi(Resource):
    @console_ns.expect(console_ns.models[MetadataArgs.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_tenant_id: str, current_user: Account, dataset_id: UUID):
        metadata_args = MetadataArgs.model_validate(console_ns.payload or {})

@ -75,7 +71,6 @@ class DatasetMetadataCreateApi(Resource):
    @console_ns.response(
        200, "Metadata retrieved successfully", console_ns.models[DatasetMetadataListResponse.__name__]
    )
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT)
    def get(self, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -95,7 +90,6 @@ class DatasetMetadataApi(Resource):
    @console_ns.expect(console_ns.models[MetadataUpdatePayload.__name__])
    @with_current_user
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def patch(self, current_tenant_id: str, current_user: Account, dataset_id: UUID, metadata_id: UUID):
        payload = MetadataUpdatePayload.model_validate(console_ns.payload or {})
        name = payload.name
@ -118,7 +112,6 @@ class DatasetMetadataApi(Resource):
    @enterprise_license_required
    @console_ns.response(204, "Metadata deleted successfully")
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def delete(self, current_user: Account, dataset_id: UUID, metadata_id: UUID):
        dataset_id_str = str(dataset_id)
        metadata_id_str = str(metadata_id)
@ -156,7 +149,6 @@ class DatasetMetadataBuiltInFieldActionApi(Resource):
    @enterprise_license_required
    @console_ns.response(204, "Action completed successfully")
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_user: Account, dataset_id: UUID, action: Literal["enable", "disable"]):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@ -185,7 +177,6 @@ class DocumentMetadataEditApi(Resource):
        "Documents metadata updated successfully",
    )
    @with_current_user
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_user: Account, dataset_id: UUID):
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
--- a/api/controllers/console/datasets/rag_pipeline/datasource_auth.py
+++ b/api/controllers/console/datasets/rag_pipeline/datasource_auth.py
@ -10,11 +10,8 @@ from controllers.common.fields import RedirectResponse, SimpleResultResponse
 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -107,7 +104,6 @@ class DatasourcePluginOAuthAuthorizationUrl(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @with_current_user
    @with_current_tenant_id
    def get(self, current_tenant_id: str, current_user: Account, provider_id: str):
@ -222,7 +218,6 @@ class DatasourceAuth(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider_id: str):
        payload = DatasourceCredentialPayload.model_validate(console_ns.payload or {})
@ -267,7 +262,6 @@ class DatasourceAuthDeleteApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider_id: str):
        datasource_provider_id = DatasourceProviderID(provider_id)
@ -293,7 +287,6 @@ class DatasourceAuthUpdateApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider_id: str):
        datasource_provider_id = DatasourceProviderID(provider_id)
@ -345,7 +338,6 @@ class DatasourceAuthOauthCustomClient(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider_id: str):
        payload = DatasourceCustomClientPayload.model_validate(console_ns.payload or {})
@ -382,7 +374,6 @@ class DatasourceAuthDefaultApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider_id: str):
        payload = DatasourceDefaultPayload.model_validate(console_ns.payload or {})
@ -404,7 +395,6 @@ class DatasourceUpdateProviderNameApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider_id: str):
        payload = DatasourceUpdateNamePayload.model_validate(console_ns.payload or {})
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_import.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_import.py
@ -13,11 +13,8 @@ from controllers.common.schema import (
 from controllers.console import console_ns
 from controllers.console.datasets.wraps import get_rag_pipeline
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_user,
 )
@ -81,9 +78,6 @@ class RagPipelineImportApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT, resource_required=False
-    )
    @with_current_user
    def post(self, current_user: Account) -> JsonResponseWithStatus:
        # Check user role first
@ -128,9 +122,6 @@ class RagPipelineImportConfirmApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.DATASET, RBACPermission.DATASET_CREATE_AND_MANAGEMENT, resource_required=False
-    )
    @with_current_user
    def post(self, current_user: Account, import_id: str) -> JsonResponseWithStatus:
        with Session(db.engine, expire_on_commit=False) as session:
@ -160,7 +151,6 @@ class RagPipelineImportCheckDependenciesApi(Resource):
    @get_rag_pipeline
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_READONLY)
    def get(self, pipeline: Pipeline) -> JsonResponseWithStatus:
        with Session(db.engine, expire_on_commit=False) as session:
            import_service = RagPipelineDslService(session)
@ -178,7 +168,6 @@ class RagPipelineExportApi(Resource):
    @get_rag_pipeline
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_IMPORT_EXPORT_DSL)
    def get(self, pipeline: Pipeline) -> JsonResponseWithStatus:
        # Add include_secret params
        query = IncludeSecretQuery.model_validate(request.args.to_dict())
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
@ -28,11 +28,8 @@ from controllers.console.app.workflow import (
 )
 from controllers.console.datasets.wraps import get_rag_pipeline
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -189,7 +186,6 @@ class DraftRagPipelineApi(Resource):
    @account_initialization_required
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def get(self, pipeline: Pipeline):
        """
        Get draft rag pipeline's workflow
@ -210,7 +206,6 @@ class DraftRagPipelineApi(Resource):
    @with_current_user
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @console_ns.expect(console_ns.models[DraftWorkflowSyncPayload.__name__])
    @console_ns.response(200, "Success", console_ns.models[RagPipelineWorkflowSyncResponse.__name__])
    def post(self, current_user: Account, pipeline: Pipeline):
@ -271,7 +266,6 @@ class RagPipelineDraftRunIterationNodeApi(Resource):
    @with_current_user
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_user: Account, pipeline: Pipeline, node_id: str):
        """
        Run draft workflow iteration node
@ -304,7 +298,6 @@ class RagPipelineDraftRunLoopNodeApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    def post(self, current_user: Account, pipeline: Pipeline, node_id: str):
@ -339,7 +332,6 @@ class DraftRagPipelineRunApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    def post(self, current_user: Account, pipeline: Pipeline):
@ -371,7 +363,6 @@ class PublishedRagPipelineRunApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    def post(self, current_user: Account, pipeline: Pipeline):
@ -404,7 +395,6 @@ class RagPipelinePublishedDatasourceNodeRunApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    def post(self, current_user: Account, pipeline: Pipeline, node_id: str):
@ -436,7 +426,6 @@ class RagPipelineDraftDatasourceNodeRunApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @account_initialization_required
    @with_current_user
    @get_rag_pipeline
@ -473,7 +462,6 @@ class RagPipelineDraftNodeRunApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @account_initialization_required
    @with_current_user
    @get_rag_pipeline
@ -503,7 +491,6 @@ class RagPipelineTaskStopApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @account_initialization_required
    @with_current_user
    @get_rag_pipeline
@ -527,7 +514,6 @@ class PublishedRagPipelineApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @get_rag_pipeline
    def get(self, pipeline: Pipeline):
        """
@ -551,7 +537,6 @@ class PublishedRagPipelineApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    def post(self, current_user: Account, pipeline: Pipeline):
@ -586,7 +571,6 @@ class DefaultRagPipelineBlockConfigsApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @get_rag_pipeline
    def get(self, pipeline: Pipeline):
        """
@ -609,7 +593,6 @@ class DefaultRagPipelineBlockConfigApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @get_rag_pipeline
    def get(self, pipeline: Pipeline, block_type: str):
        """
@ -642,7 +625,6 @@ class PublishedAllRagPipelineApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    def get(self, current_user: Account, pipeline: Pipeline):
@ -688,7 +670,6 @@ class RagPipelineDraftWorkflowRestoreApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    def post(self, current_user: Account, pipeline: Pipeline, workflow_id: str):
@ -723,7 +704,6 @@ class RagPipelineByIdApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @with_current_user
    @get_rag_pipeline
    @console_ns.expect(console_ns.models[WorkflowUpdatePayload.__name__])
@ -759,7 +739,6 @@ class RagPipelineByIdApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    @get_rag_pipeline
    def delete(self, pipeline: Pipeline, workflow_id: str):
        """
@ -796,7 +775,6 @@ class PublishedRagPipelineSecondStepApi(Resource):
    @account_initialization_required
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def get(self, pipeline: Pipeline):
        """
        Get second step parameters of rag pipeline
@ -819,7 +797,6 @@ class PublishedRagPipelineFirstStepApi(Resource):
    @account_initialization_required
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def get(self, pipeline: Pipeline):
        """
        Get first step parameters of rag pipeline
@ -842,7 +819,6 @@ class DraftRagPipelineFirstStepApi(Resource):
    @account_initialization_required
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def get(self, pipeline: Pipeline):
        """
        Get first step parameters of rag pipeline
@ -865,7 +841,6 @@ class DraftRagPipelineSecondStepApi(Resource):
    @account_initialization_required
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def get(self, pipeline: Pipeline):
        """
        Get second step parameters of rag pipeline
@ -1037,7 +1012,6 @@ class RagPipelineDatasourceVariableApi(Resource):
    @with_current_user
    @get_rag_pipeline
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.DATASET, RBACPermission.DATASET_EDIT)
    def post(self, current_user: Account, pipeline: Pipeline):
        """
        Set datasource variables
--- a/api/controllers/console/explore/installed_app.py
+++ b/api/controllers/console/explore/installed_app.py
@ -73,12 +73,9 @@ def _published_app_filter():
    has_published_workflow = exists(select(Workflow.id).where(Workflow.id == App.workflow_id))
    has_published_model_config = exists(select(AppModelConfig.id).where(AppModelConfig.id == App.app_model_config_id))

-    return and_(
-        App.mode != AppMode.AGENT,
-        or_(
-            and_(App.mode.in_(workflow_app_modes), App.workflow_id.isnot(None), has_published_workflow),
-            and_(~App.mode.in_(workflow_app_modes), App.app_model_config_id.isnot(None), has_published_model_config),
-        ),
+    return or_(
+        and_(App.mode.in_(workflow_app_modes), App.workflow_id.isnot(None), has_published_workflow),
+        and_(~App.mode.in_(workflow_app_modes), App.app_model_config_id.isnot(None), has_published_model_config),
    )


--- a/api/controllers/console/snippets/snippet_workflow.py
+++ b/api/controllers/console/snippets/snippet_workflow.py
@ -31,11 +31,8 @@ from controllers.console.snippets.payloads import (
    WorkflowRunQuery,
 )
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_user,
 )
@ -157,7 +154,6 @@ class SnippetDraftWorkflowApi(Resource):
    @account_initialization_required
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_MANAGE, resource_required=False)
    def get(self, snippet: CustomizedSnippet):
        """Get draft workflow for snippet."""
        snippet_service = _snippet_service()
@ -185,9 +181,6 @@ class SnippetDraftWorkflowApi(Resource):
    @with_current_user
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, current_user: Account, snippet: CustomizedSnippet):
        """Sync draft workflow for snippet."""
        payload = SnippetDraftSyncPayload.model_validate(console_ns.payload or {})
@ -226,7 +219,6 @@ class SnippetDraftConfigApi(Resource):
    @account_initialization_required
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_MANAGE, resource_required=False)
    def get(self, snippet: CustomizedSnippet):
        """Get snippet draft workflow configuration limits."""
        return {
@ -248,7 +240,6 @@ class SnippetPublishedWorkflowApi(Resource):
    @account_initialization_required
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_MANAGE, resource_required=False)
    def get(self, snippet: CustomizedSnippet):
        """Get published workflow for snippet."""
        if not snippet.is_published:
@ -274,9 +265,6 @@ class SnippetPublishedWorkflowApi(Resource):
    @with_current_user
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, current_user: Account, snippet: CustomizedSnippet):
        """Publish snippet workflow."""
        snippet_service = _snippet_service()
@ -313,7 +301,6 @@ class SnippetDefaultBlockConfigsApi(Resource):
    @account_initialization_required
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_MANAGE, resource_required=False)
    def get(self, snippet: CustomizedSnippet):
        """Get default block configurations for snippet workflow."""
        snippet_service = _snippet_service()
@ -336,7 +323,6 @@ class SnippetPublishedAllWorkflowApi(Resource):
    @account_initialization_required
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_MANAGE, resource_required=False)
    def get(self, snippet: CustomizedSnippet):
        """Get all published workflow versions for snippet."""
        args = SnippetWorkflowListQuery.model_validate(request.args.to_dict(flat=True))
@ -375,9 +361,6 @@ class SnippetDraftWorkflowRestoreApi(Resource):
    @with_current_user
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, current_user: Account, snippet: CustomizedSnippet, workflow_id: str):
        """Restore a published snippet workflow version into the draft workflow."""
        snippet_service = _snippet_service()
@ -503,9 +486,6 @@ class SnippetDraftNodeRunApi(Resource):
    @with_current_user
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, current_user: Account, snippet: CustomizedSnippet, node_id: str):
        """
        Run a single node in snippet draft workflow.
@ -594,9 +574,6 @@ class SnippetDraftRunIterationNodeApi(Resource):
    @with_current_user
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, current_user: Account, snippet: CustomizedSnippet, node_id: str):
        """
        Run a draft workflow iteration node for snippet.
@ -642,9 +619,6 @@ class SnippetDraftRunLoopNodeApi(Resource):
    @with_current_user
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, current_user: Account, snippet: CustomizedSnippet, node_id: str):
        """
        Run a draft workflow loop node for snippet.
@ -688,9 +662,6 @@ class SnippetDraftWorkflowRunApi(Resource):
    @with_current_user
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, current_user: Account, snippet: CustomizedSnippet):
        """
        Run draft workflow for snippet.
@ -729,9 +700,6 @@ class SnippetWorkflowTaskStopApi(Resource):
    @account_initialization_required
    @get_snippet
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def post(self, snippet: CustomizedSnippet, task_id: str):
        """
        Stop a running snippet workflow task.
--- a/api/controllers/console/snippets/snippet_workflow_draft_variable.py
+++ b/api/controllers/console/snippets/snippet_workflow_draft_variable.py
@ -34,11 +34,8 @@ from controllers.console.app.workflow_draft_variable import (
 )
 from controllers.console.snippets.snippet_workflow import get_snippet
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_user,
 )
@ -105,7 +102,6 @@ class SnippetWorkflowVariableCollectionApi(Resource):
    )
    @_snippet_draft_var_prerequisite
    @marshal_with(workflow_draft_variable_list_without_value_model)
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_MANAGE, resource_required=False)
    def get(self, current_user: Account, snippet: CustomizedSnippet) -> WorkflowDraftVariableList:
        args = WorkflowDraftVariableListQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore

@ -129,9 +125,6 @@ class SnippetWorkflowVariableCollectionApi(Resource):
    @console_ns.doc(description="Delete all draft workflow variables for the current user (snippet scope)")
    @console_ns.response(204, "Workflow variables deleted successfully")
    @_snippet_draft_var_prerequisite
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    def delete(self, current_user: Account, snippet: CustomizedSnippet) -> Response:
        draft_var_srv = WorkflowDraftVariableService(session=db.session())
        draft_var_srv.delete_user_workflow_variables(snippet.id, user_id=current_user.id)
--- a/api/controllers/console/tag/tags.py
+++ b/api/controllers/console/tag/tags.py
@ -122,7 +122,7 @@ class TagListApi(Resource):
            raise Forbidden()

        payload = TagBasePayload.model_validate(console_ns.payload or {})
-        tag = TagService.save_tags(SaveTagPayload(name=payload.name, type=payload.type), db.session)
+        tag = TagService.save_tags(SaveTagPayload(name=payload.name, type=payload.type))

        response = TagResponse.model_validate(
            {"id": tag.id, "name": tag.name, "type": tag.type, "binding_count": 0}
@ -146,9 +146,9 @@ class TagUpdateDeleteApi(Resource):
            raise Forbidden()

        payload = TagUpdateRequestPayload.model_validate(console_ns.payload or {})
-        tag = TagService.update_tags(UpdateTagPayload(name=payload.name), tag_id_str, db.session)
+        tag = TagService.update_tags(UpdateTagPayload(name=payload.name), tag_id_str)

-        binding_count = TagService.get_tag_binding_count(tag_id_str, db.session)
+        binding_count = TagService.get_tag_binding_count(tag_id_str)

        response = TagResponse.model_validate(
            {"id": tag.id, "name": tag.name, "type": tag.type, "binding_count": binding_count}
@ -164,7 +164,7 @@ class TagUpdateDeleteApi(Resource):
    def delete(self, tag_id: UUID):
        tag_id_str = str(tag_id)

-        TagService.delete_tag(tag_id_str, db.session)
+        TagService.delete_tag(tag_id_str)

        return "", 204

@ -189,8 +189,7 @@ def _create_tag_bindings(current_user: Account) -> tuple[dict[str, str], int]:
            tag_ids=payload.tag_ids,
            target_id=payload.target_id,
            type=payload.type,
-        ),
-        db.session,
+        )
    )
    return {"result": "success"}, 200

@ -204,8 +203,7 @@ def _remove_tag_bindings(current_user: Account) -> tuple[dict[str, str], int]:
            tag_ids=payload.tag_ids,
            target_id=payload.target_id,
            type=payload.type,
-        ),
-        db.session,
+        )
    )
    return {"result": "success"}, 200

--- a/api/controllers/console/workspace/endpoint.py
+++ b/api/controllers/console/workspace/endpoint.py
@ -15,11 +15,8 @@ from pydantic import BaseModel, Field
 from controllers.common.schema import query_params_from_model, register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user_id,
@ -169,7 +166,6 @@ class EndpointCollectionApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
@ -198,7 +194,6 @@ class DeprecatedEndpointCreateApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
@ -290,7 +285,6 @@ class EndpointItemApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
@ -310,7 +304,6 @@ class EndpointItemApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
@ -340,7 +333,6 @@ class DeprecatedEndpointDeleteApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
@ -371,7 +363,6 @@ class DeprecatedEndpointUpdateApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
@ -394,7 +385,6 @@ class EndpointEnableApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
@ -422,7 +412,6 @@ class EndpointDisableApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user_id
    @with_current_tenant_id
--- a/api/controllers/console/workspace/members.py
+++ b/api/controllers/console/workspace/members.py
@ -32,17 +32,16 @@ from extensions.ext_redis import redis_client
 from fields.base import ResponseModel
 from fields.member_fields import AccountWithRole, AccountWithRoleList
 from libs.helper import extract_remote_ip
-from libs.login import current_account_with_tenant, login_required
+from libs.login import login_required
 from models.account import Account, TenantAccountJoin, TenantAccountRole
 from services.account_service import AccountService, RegisterService, TenantService
-from services.enterprise import rbac_service as enterprise_rbac_service
 from services.errors.account import AccountAlreadyInTenantError
 from services.feature_service import FeatureService


 class MemberInvitePayload(BaseModel):
    emails: list[str] = Field(default_factory=list)
-    role: str
+    role: TenantAccountRole
    language: str | None = None


@ -108,22 +107,6 @@ def _is_role_enabled(role: TenantAccountRole | str, tenant_id: str) -> bool:
    return FeatureService.get_features(tenant_id=tenant_id, exclude_vector_space=True).dataset_operator_enabled


-def _serialize_member_roles(
-    current_role: str | None, member_roles: list[enterprise_rbac_service.RBACRole]
-) -> list[dict[str, str]]:
-    if dify_config.RBAC_ENABLED:
-        return [{"id": role.id, "name": role.name} for role in member_roles]
-    else:
-        if current_role:
-            return [{"id": current_role, "name": current_role}]
-        return []
-
-
-def _normalize_enum_value(value: object) -> str:
-    normalized = getattr(value, "value", value)
-    return str(normalized) if normalized is not None else ""
-
-
 def _normalize_invitee_emails(emails: list[str]) -> list[str]:
    return list(dict.fromkeys(email.lower() for email in emails))

@ -181,42 +164,11 @@ class MemberListApi(Resource):
    @account_initialization_required
    @console_ns.response(200, "Success", console_ns.models[AccountWithRoleList.__name__])
    @with_current_user
-    def get(self, current_user: Account | None = None):
-        if current_user is None:
-            current_user, _ = current_account_with_tenant()
+    def get(self, current_user: Account):
        if not current_user.current_tenant:
            raise ValueError("No current tenant")
        members = TenantService.get_tenant_members(current_user.current_tenant)
-        if dify_config.RBAC_ENABLED:
-            member_ids = [member.id for member in members]
-            member_roles = enterprise_rbac_service.RBACService.MemberRoles.batch_get(
-                str(current_user.current_tenant.id),
-                current_user.id,
-                member_ids,
-            )
-            roles_map = {item.account_id: item.roles for item in member_roles}
-        else:
-            roles_map = {}
-
-        serialized_members = []
-        for member in members:
-            current_role = _normalize_enum_value(member.current_role)
-            serialized_members.append(
-                {
-                    "id": member.id,
-                    "name": member.name,
-                    "email": member.email,
-                    "avatar": member.avatar,
-                    "last_login_at": member.last_login_at,
-                    "last_active_at": member.last_active_at,
-                    "created_at": member.created_at,
-                    "role": current_role,
-                    "roles": _serialize_member_roles(current_role, roles_map.get(member.id, [])),
-                    "status": _normalize_enum_value(member.status),
-                }
-            )
-
-        member_models = TypeAdapter(list[AccountWithRole]).validate_python(serialized_members)
+        member_models = TypeAdapter(list[AccountWithRole]).validate_python(members, from_attributes=True)
        response = AccountWithRoleList(accounts=member_models)
        return response.model_dump(mode="json"), 200

@ -238,11 +190,8 @@ class MemberInviteEmailApi(Resource):
        invitee_emails = _normalize_invitee_emails(args.emails)
        invitee_role = args.role
        interface_language = args.language
-        if not dify_config.RBAC_ENABLED:
-            if not TenantAccountRole.is_valid_role(invitee_role):
-                return {"code": "invalid-role", "message": "Invalid role"}, 400
-            if not TenantAccountRole.is_non_owner_role(TenantAccountRole(invitee_role)):
-                return {"code": "invalid-role", "message": "Invalid role"}, 400
+        if not TenantAccountRole.is_non_owner_role(invitee_role):
+            return {"code": "invalid-role", "message": "Invalid role"}, 400
        inviter = current_user
        if not inviter.current_tenant:
            raise ValueError("No current tenant")
@ -259,9 +208,8 @@ class MemberInviteEmailApi(Resource):

        tenant_id = inviter.current_tenant.id
        with redis_client.lock(f"workspace_member_invite:{tenant_id}", timeout=60):
-            if dify_config.ENTERPRISE_ENABLED is True or dify_config.BILLING_ENABLED is True:
-                new_member_count = _count_new_member_invites(tenant_id, invitee_emails)
-                _check_member_invite_limits(tenant_id, new_member_count)
+            new_member_count = _count_new_member_invites(tenant_id, invitee_emails)
+            _check_member_invite_limits(tenant_id, new_member_count)

            for invitee_email in invitee_emails:
                try:
@ -284,11 +232,7 @@ class MemberInviteEmailApi(Resource):
                    )
                except AccountAlreadyInTenantError:
                    invitation_results.append(
-                        {
-                            "status": "already_member",
-                            "email": invitee_email,
-                            "message": "Account already in workspace.",
-                        }
+                        {"status": "success", "email": invitee_email, "url": f"{console_web_url}/signin"}
                    )
                except Exception as e:
                    invitation_results.append({"status": "failed", "email": invitee_email, "message": str(e)})
--- a/api/controllers/console/workspace/model_providers.py
+++ b/api/controllers/console/workspace/model_providers.py
@ -9,11 +9,8 @@ from controllers.common.fields import BinaryFileResponse, SimpleResultResponse
 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -169,7 +166,6 @@ class ModelProviderCredentialApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider: str):
@ -195,7 +191,6 @@ class ModelProviderCredentialApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def put(self, current_tenant_id: str, provider: str):
@ -222,7 +217,6 @@ class ModelProviderCredentialApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def delete(self, current_tenant_id: str, provider: str):
@ -244,7 +238,6 @@ class ModelProviderCredentialSwitchApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider: str):
@ -326,7 +319,6 @@ class PreferredProviderTypeUpdateApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, provider: str):
--- a/api/controllers/console/workspace/models.py
+++ b/api/controllers/console/workspace/models.py
@ -14,11 +14,8 @@ from controllers.common.schema import (
 )
 from controllers.console import console_ns
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -220,7 +217,6 @@ class DefaultModelApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str):
@ -267,7 +263,6 @@ class ModelProviderModelApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, provider: str):
@ -315,7 +310,6 @@ class ModelProviderModelApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def delete(self, tenant_id: str, provider: str):
@ -395,7 +389,6 @@ class ModelProviderModelCredentialApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, provider: str):
@ -428,7 +421,6 @@ class ModelProviderModelCredentialApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def put(self, current_tenant_id: str, provider: str):
@ -456,7 +448,6 @@ class ModelProviderModelCredentialApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def delete(self, current_tenant_id: str, provider: str):
@ -481,7 +472,6 @@ class ModelProviderModelCredentialSwitchApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider: str):
@ -508,7 +498,6 @@ class ModelProviderModelEnableApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    def patch(self, tenant_id: str, provider: str):
        args = ParserDeleteModels.model_validate(console_ns.payload)

@ -530,7 +519,6 @@ class ModelProviderModelDisableApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_tenant_id
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    def patch(self, tenant_id: str, provider: str):
        args = ParserDeleteModels.model_validate(console_ns.payload)

--- a/api/controllers/console/workspace/plugin.py
+++ b/api/controllers/console/workspace/plugin.py
@ -20,11 +20,8 @@ from controllers.common.schema import (
 from controllers.console import console_ns
 from controllers.console.workspace import plugin_permission_required
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -978,7 +975,6 @@ class PluginFetchDynamicSelectOptionsApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -1009,7 +1005,6 @@ class PluginFetchDynamicSelectOptionsWithCredentialsApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
--- a/api/controllers/console/workspace/rbac.py
+++ b/api/controllers/console/workspace/rbac.py
@ -1,939 +0,0 @@
-from __future__ import annotations
-
-from enum import StrEnum
-from typing import Any
-
-from flask import request
-from flask_restx import Resource
-from pydantic import AliasChoices, BaseModel, ConfigDict, Field, ValidationError, field_validator
-from sqlalchemy import select
-from werkzeug.exceptions import NotFound
-
-from configs import dify_config
-from controllers.common.schema import register_response_schema_models
-from controllers.console import console_ns
-from controllers.console.wraps import RBACPermission, RBACResourceScope, rbac_permission_required
-from core.db.session_factory import session_factory
-from libs.login import current_account_with_tenant, login_required
-from models import Account
-from services.enterprise import rbac_service as svc
-
-
-class _RBACRoleList(svc.Paginated[svc.RBACRole]):
-    pass
-
-
-class _RBACRoleAccountList(svc.Paginated[svc.RBACRoleAccount]):
-    pass
-
-
-class _AccessPolicyList(svc.Paginated[svc.AccessPolicy]):
-    pass
-
-
-class _MembersInRoleList(svc.Paginated[svc.MembersInRole]):
-    pass
-
-
-register_response_schema_models(
-    console_ns,
-    svc.PermissionCatalogResponse,
-    svc.RBACRole,
-    _RBACRoleList,
-    _RBACRoleAccountList,
-    _MembersInRoleList,
-    svc.AccessPolicy,
-    _AccessPolicyList,
-    svc.AccessPolicyBindingState,
-    svc.MyPermissionsResponse,
-    svc.AppAccessMatrix,
-    svc.DatasetAccessMatrix,
-    svc.WorkspaceAccessMatrix,
-    svc.ResourceWhitelist,
-    svc.ResourceUserAccessPoliciesResponse,
-    svc.ReplaceUserAccessPoliciesResponse,
-    svc.RoleBindingsResponse,
-    svc.MemberBindingsResponse,
-    svc.MemberRolesResponse,
-    svc.AccessMatrixItem,
-)
-
-_LEGACY_ROLE_PERMISSION_KEYS: dict[str, list[str]] = {
-    # This is a compatibility projection from the pre-RBAC workspace roles into
-    # the 2.0 permission matrix documented in "权限整理2.0". It intentionally
-    # models the product-facing role surface for the new RBAC UI instead of the
-    # legacy backend's exact hard-authorization checks.
-    "owner": [
-        *svc._LEGACY_WORKSPACE_OWNER_KEYS,
-        *svc._LEGACY_APP_OWNER_KEYS,
-        *svc._LEGACY_DATASET_OWNER_KEYS,
-    ],
-    "admin": [
-        *svc._LEGACY_WORKSPACE_ADMIN_KEYS,
-        *svc._LEGACY_APP_ADMIN_KEYS,
-        *svc._LEGACY_DATASET_ADMIN_KEYS,
-    ],
-    "editor": [
-        *svc._LEGACY_WORKSPACE_EDITOR_KEYS,
-        *svc._LEGACY_APP_EDITOR_KEYS,
-        *svc._LEGACY_DATASET_EDITOR_KEYS,
-    ],
-    "normal": [
-        *svc._LEGACY_WORKSPACE_NORMAL_KEYS,
-        *svc._LEGACY_APP_NORMAL_KEYS,
-    ],
-    "dataset_operator": [
-        *svc._LEGACY_WORKSPACE_DATASET_OPERATOR_KEYS,
-        *svc._LEGACY_DATASET_DATASET_OPERATOR_KEYS,
-    ],
-}
-
-
-def _current_ids() -> tuple[str, str]:
-    """Return ``(tenant_id, account_id)`` for the authenticated user, or
-    raise a 404 when no tenant is associated with the session.
-    """
-
-    user, tenant_id = current_account_with_tenant()
-    if not tenant_id:
-        raise NotFound("Current workspace not found")
-    return tenant_id, user.id
-
-
-def _payload(model: type[BaseModel]) -> Any:
-    """Validate the JSON body against ``model`` or raise ``ValidationError``.
-
-    ``ValidationError`` bubbles up as HTTP 400 thanks to
-    ``controllers/common/helpers.py`` error handling.
-    """
-    try:
-        return model.model_validate(console_ns.payload or {})
-    except ValidationError as exc:
-        # Re-raise as-is so the upstream error handler renders a 400.
-        raise exc
-
-
-def _dump(model: BaseModel) -> dict[str, Any]:
-    return model.model_dump(mode="json")
-
-
-def _account_names_by_ids(account_ids: list[str]) -> dict[str, dict[str, str]]:
-    ids = sorted({account_id.strip() for account_id in account_ids if account_id and account_id.strip()})
-    if not ids:
-        return {}
-
-    with session_factory.create_session() as session:
-        rows = session.execute(
-            select(Account.id, Account.name, Account.avatar, Account.email).where(Account.id.in_(ids))
-        ).all()
-
-    return {
-        account_id: {
-            "name": name or "",
-            "avatar": avatar or "",
-            "email": email or "",
-        }
-        for account_id, name, avatar, email in rows
-    }
-
-
-def _hydrate_access_matrix_account_names(items: list[svc.AccessMatrixItem]) -> None:
-    account_ids: list[str] = []
-    for item in items:
-        for account in item.accounts:
-            account_id = account.account_id
-            if account_id and not account.account_name:
-                account_ids.append(account_id)
-
-    account_names = _account_names_by_ids(account_ids)
-    if not account_names:
-        return
-
-    for item in items:
-        for account in item.accounts:
-            account_id = str(account.account_id or "").strip()
-            if account_id and not account.account_name:
-                account.account_name = account_names.get(account_id, {}).get("name", "")
-            account.avatar = account_names.get(account_id, {}).get("avatar", "")
-            account.email = account_names.get(account_id, {}).get("email", "")
-
-
-def _hydrate_resource_user_account_names(items: list[svc.ResourceUserAccessPolicies]) -> None:
-    account_names = _account_names_by_ids([item.account.account_id for item in items])
-    for item in items:
-        account_id = item.account.account_id
-        if account_id and not item.account.account_name:
-            item.account.account_name = account_names.get(account_id, {}).get("name", "")
-            item.account.avatar = account_names.get(account_id, {}).get("avatar", "")
-            item.account.email = account_names.get(account_id, {}).get("email", "")
-
-
-class _PaginationQuery(BaseModel):
-    model_config = ConfigDict(extra="ignore")
-
-    page_number: int | None = Field(default=None, ge=1, validation_alias=AliasChoices("page", "page_number"))
-    results_per_page: int | None = Field(
-        default=None, ge=1, le=99999, validation_alias=AliasChoices("limit", "results_per_page")
-    )
-    reverse: bool | None = None
-
-    def to_inner_options(self) -> svc.ListOption:
-        return svc.ListOption.model_validate(self.model_dump())
-
-
-class _RolesListQuery(_PaginationQuery):
-    include_owner: int = Field(default=0, ge=0, le=1)
-
-
-class CopyRoleParam(BaseModel):
-    copy_member: bool = True
-
-
-def _pagination_options() -> svc.ListOption:
-    return _PaginationQuery.model_validate(request.args.to_dict(flat=True)).to_inner_options()
-
-
-def _legacy_workspace_roles(
-    options: svc.ListOption | None = None, *, include_owner: int = 0
-) -> svc.Paginated[svc.RBACRole]:
-    """Return the built-in legacy workspace roles in the RBAC list shape.
-
-    This keeps the new `/rbac/roles` endpoint compatible with the original
-    Dify role model when enterprise RBAC is disabled.
-    """
-
-    legacy_roles = [
-        svc.RBACRole(
-            id=role_name,
-            tenant_id="",
-            type=svc.RBACRoleType.WORKSPACE.value,
-            category="global_system_default",
-            name=role_name,
-            description="",
-            is_builtin=True,
-            permission_keys=list(_LEGACY_ROLE_PERMISSION_KEYS[role_name]),
-            role_tag="owner" if role_name == "owner" else "",
-        )
-        for role_name in ("owner", "admin", "editor", "normal", "dataset_operator")
-    ]
-
-    if not include_owner:
-        legacy_roles = [r for r in legacy_roles if r.name != "owner"]
-
-    page_number = options.page_number if options and options.page_number is not None else 1
-    results_per_page = (
-        options.results_per_page if options and options.results_per_page is not None else len(legacy_roles)
-    )
-    reverse = options.reverse if options and options.reverse is not None else False
-
-    ordered_roles = list(reversed(legacy_roles)) if reverse else legacy_roles
-    start = max(page_number - 1, 0) * results_per_page
-    end = start + results_per_page
-    paged_roles = ordered_roles[start:end]
-    total_count = len(legacy_roles)
-    total_pages = (total_count + results_per_page - 1) // results_per_page if results_per_page > 0 else 0
-
-    return svc.Paginated[svc.RBACRole](
-        data=paged_roles,
-        pagination=svc.Pagination(
-            total_count=total_count,
-            per_page=results_per_page,
-            current_page=page_number,
-            total_pages=total_pages,
-        ),
-    )
-
-
-# ---------------------------------------------------------------------------
-# Permission catalogs.
-# ---------------------------------------------------------------------------
-
-
-@console_ns.route("/workspaces/current/rbac/role-permissions/catalog")
-class RBACWorkspaceCatalogApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.PermissionCatalogResponse.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.Catalog.workspace(tenant_id, account_id))
-
-
-@console_ns.route("/workspaces/current/rbac/role-permissions/catalog/app")
-class RBACAppCatalogApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.PermissionCatalogResponse.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.Catalog.app(tenant_id, account_id))
-
-
-@console_ns.route("/workspaces/current/rbac/role-permissions/catalog/dataset")
-class RBACDatasetCatalogApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.PermissionCatalogResponse.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.Catalog.dataset(tenant_id, account_id))
-
-
-# ---------------------------------------------------------------------------
-# Roles.
-# ---------------------------------------------------------------------------
-
-
-class _RoleUpsertRequest(BaseModel):
-    """Accepts the payload sent by the Create/Edit Role dialog."""
-
-    name: str
-    description: str = ""
-    permission_keys: list[str] = []
-
-    def to_mutation(self) -> svc.RoleMutation:
-        return svc.RoleMutation(
-            name=self.name,
-            description=self.description,
-            permission_keys=list(self.permission_keys),
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/roles")
-class RBACRolesApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[_RBACRoleList.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        query = _RolesListQuery.model_validate(request.args.to_dict(flat=True))
-        options = query.to_inner_options()
-        if not dify_config.RBAC_ENABLED:
-            result = _legacy_workspace_roles(options, include_owner=query.include_owner)
-        else:
-            result = svc.RBACService.Roles.list(
-                tenant_id, account_id, include_owner=query.include_owner, options=options
-            )
-
-        return _dump(result)
-
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(201, "Role created", console_ns.models[svc.RBACRole.__name__])
-    def post(self):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_RoleUpsertRequest)
-        role = svc.RBACService.Roles.create(tenant_id, account_id, request.to_mutation())
-        return _dump(role), 201
-
-
-@console_ns.route("/workspaces/current/rbac/roles/<uuid:role_id>")
-class RBACRoleItemApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.RBACRole.__name__])
-    def get(self, role_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.Roles.get(tenant_id, account_id, str(role_id)))
-
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.RBACRole.__name__])
-    def put(self, role_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_RoleUpsertRequest)
-        role = svc.RBACService.Roles.update(tenant_id, account_id, str(role_id), request.to_mutation())
-        return _dump(role)
-
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.RBACRole.__name__])
-    def delete(self, role_id):
-        tenant_id, account_id = _current_ids()
-        svc.RBACService.Roles.delete(tenant_id, account_id, str(role_id))
-        return {"result": "success"}
-
-
-@console_ns.route("/workspaces/current/rbac/roles/<uuid:role_id>/copy")
-class RBACRoleCopyApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(201, "Role copied", console_ns.models[svc.RBACRole.__name__])
-    def post(self, role_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(CopyRoleParam)
-        role = svc.RBACService.Roles.copy(tenant_id, account_id, str(role_id), copy_member=request.copy_member)
-        return _dump(role), 201
-
-
-@console_ns.route("/workspaces/current/rbac/roles/<uuid:role_id>/members")
-class RBACRoleMembersApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[_RBACRoleAccountList.__name__])
-    def get(self, role_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(
-            svc.RBACService.Roles.members(
-                tenant_id,
-                account_id,
-                str(role_id),
-                options=_pagination_options(),
-            )
-        )
-
-
-# ---------------------------------------------------------------------------
-# Access policies (tenant-level permission sets).
-# ---------------------------------------------------------------------------
-
-
-class _AccessPolicyCreateRequest(BaseModel):
-    name: str
-    resource_type: svc.RBACResourceType
-    description: str = ""
-    permission_keys: list[str] = []
-
-
-class _AccessPolicyUpdateRequest(BaseModel):
-    name: str
-    description: str = ""
-    permission_keys: list[str] = []
-
-
-@console_ns.route("/workspaces/current/rbac/access-policies")
-class RBACAccessPoliciesApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[_AccessPolicyList.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        # `resource_type` is exposed as a query argument so the UI can show
-        # only app-scoped or only dataset-scoped permission sets.
-        resource_type = request.args.get("resource_type") or None
-        return _dump(
-            svc.RBACService.AccessPolicies.list(
-                tenant_id,
-                account_id,
-                resource_type=resource_type,
-                options=_pagination_options(),
-            )
-        )
-
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(201, "Policy created", console_ns.models[svc.AccessPolicy.__name__])
-    def post(self):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_AccessPolicyCreateRequest)
-        policy = svc.RBACService.AccessPolicies.create(
-            tenant_id,
-            account_id,
-            svc.AccessPolicyCreate(
-                name=request.name,
-                resource_type=request.resource_type,
-                description=request.description,
-                permission_keys=list(request.permission_keys),
-            ),
-        )
-        return _dump(policy), 201
-
-
-@console_ns.route("/workspaces/current/rbac/access-policies/<uuid:policy_id>")
-class RBACAccessPolicyItemApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.AccessPolicy.__name__])
-    def get(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.AccessPolicies.get(tenant_id, account_id, str(policy_id)))
-
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.AccessPolicy.__name__])
-    def put(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_AccessPolicyUpdateRequest)
-        policy = svc.RBACService.AccessPolicies.update(
-            tenant_id,
-            account_id,
-            str(policy_id),
-            svc.AccessPolicyUpdate(
-                name=request.name,
-                description=request.description,
-                permission_keys=list(request.permission_keys),
-            ),
-        )
-        return _dump(policy)
-
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.AccessPolicy.__name__])
-    def delete(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        svc.RBACService.AccessPolicies.delete(tenant_id, account_id, str(policy_id))
-        return {"result": "success"}
-
-
-@console_ns.route("/workspaces/current/rbac/access-policies/<uuid:policy_id>/copy")
-class RBACAccessPolicyCopyApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(201, "Policy copied", console_ns.models[svc.AccessPolicy.__name__])
-    def post(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        policy = svc.RBACService.AccessPolicies.copy(tenant_id, account_id, str(policy_id))
-        return _dump(policy), 201
-
-
-@console_ns.route("/workspaces/current/rbac/access-policy-bindings/<uuid:binding_id>/lock")
-class RBACAccessPolicyBindingLockApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.AccessPolicyBindingState.__name__])
-    def put(self, binding_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.AccessPolicyBindings.lock(tenant_id, account_id, str(binding_id)))
-
-
-@console_ns.route("/workspaces/current/rbac/access-policy-bindings/<uuid:binding_id>/unlock")
-class RBACAccessPolicyBindingUnlockApi(Resource):
-    @login_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.WORKSPACE_ROLE_MANAGE, resource_required=False
-    )
-    @console_ns.response(200, "Success", console_ns.models[svc.AccessPolicyBindingState.__name__])
-    def put(self, binding_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.AccessPolicyBindings.unlock(tenant_id, account_id, str(binding_id)))
-
-
-# ---------------------------------------------------------------------------
-# Per-app access (App Access Config).
-# ---------------------------------------------------------------------------
-
-
-class _AccessScope(StrEnum):
-    ALL = "all"
-    SPECIFIC = "specific"
-    ONLY_ME = "only_me"
-
-
-class _ResourceAccessScopeRequest(BaseModel):
-    scope: _AccessScope
-
-
-class _ReplaceBindingsRequest(BaseModel):
-    role_ids: list[str] = Field(default_factory=list)
-    account_ids: list[str] = Field(default_factory=list)
-
-    @field_validator("role_ids", "account_ids", mode="before")
-    @classmethod
-    def _coerce_bindings(cls, value: Any) -> list[str]:
-        if value is None:
-            return []
-        return value
-
-
-class _DeleteMemberBindingsRequest(BaseModel):
-    account_ids: list[str] = Field(default_factory=list)
-
-    @field_validator("account_ids", mode="before")
-    @classmethod
-    def _coerce_account_ids(cls, value: Any) -> list[str]:
-        if value is None:
-            return []
-        return value
-
-
-@console_ns.route("/workspaces/current/rbac/my-permissions")
-class RBACMyPermissionsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MyPermissionsResponse.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        return _dump(
-            svc.RBACService.MyPermissions.get(
-                tenant_id,
-                account_id,
-                app_id=request.args.get("app_id") or None,
-                dataset_id=request.args.get("dataset_id") or None,
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/apps/<uuid:app_id>/access-policy")
-class RBACAppMatrixApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.AppAccessMatrix.__name__])
-    def get(self, app_id):
-        tenant_id, account_id = _current_ids()
-        result = svc.RBACService.AppAccess.matrix(tenant_id, account_id, str(app_id))
-        _hydrate_access_matrix_account_names(result.items)
-        return _dump(result)
-
-
-@console_ns.route("/workspaces/current/rbac/apps/<uuid:app_id>/whitelist")
-class RBACAppWhitelistApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ResourceWhitelist.__name__])
-    def get(self, app_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.AppAccess.whitelist(tenant_id, account_id, str(app_id)))
-
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ResourceWhitelist.__name__])
-    def put(self, app_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_ResourceAccessScopeRequest)
-        return _dump(
-            svc.RBACService.AppAccess.replace_whitelist(
-                tenant_id,
-                account_id,
-                str(app_id),
-                svc.ReplaceMemberBindings(scope=request.scope.value),
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/apps/<uuid:app_id>/user-access-policies")
-class RBACAppUserAccessPoliciesApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ResourceUserAccessPoliciesResponse.__name__])
-    def get(self, app_id):
-        tenant_id, account_id = _current_ids()
-        result = svc.RBACService.AppAccess.user_access_policies(tenant_id, account_id, str(app_id))
-        _hydrate_resource_user_account_names(result.data)
-        return _dump(result)
-
-
-@console_ns.route("/workspaces/current/rbac/apps/<uuid:app_id>/users/<uuid:target_account_id>/access-policies")
-class RBACAppUserAccessPolicyAssignmentApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ReplaceUserAccessPoliciesResponse.__name__])
-    def put(self, app_id, target_account_id):
-        tenant_id, account_id = _current_ids()
-        payload = _payload(svc.ReplaceUserAccessPolicies)
-        return _dump(
-            svc.RBACService.AppAccess.replace_user_access_policies(
-                tenant_id,
-                account_id,
-                str(app_id),
-                str(target_account_id),
-                payload,
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/apps/<uuid:app_id>/access-policies/<uuid:policy_id>/role-bindings")
-class RBACAppRoleBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.RoleBindingsResponse.__name__])
-    def get(self, app_id, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.AppAccess.list_role_bindings(tenant_id, account_id, str(app_id), str(policy_id)))
-
-
-@console_ns.route("/workspaces/current/rbac/apps/<uuid:app_id>/access-policies/<string:policy_id>/member-bindings")
-class RBACAppMemberBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberBindingsResponse.__name__])
-    def get(self, app_id, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.AppAccess.list_member_bindings(tenant_id, account_id, str(app_id), str(policy_id)))
-
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberBindingsResponse.__name__])
-    def delete(self, app_id, policy_id):
-        tenant_id, account_id = _current_ids()
-        request_body = _payload(_DeleteMemberBindingsRequest)
-        svc.RBACService.AppAccess.delete_member_bindings(
-            tenant_id,
-            account_id,
-            str(app_id),
-            str(policy_id),
-            svc.DeleteMemberBindings(account_ids=request_body.account_ids),
-        )
-        return {"result": "success"}
-
-
-# ---------------------------------------------------------------------------
-# Per-dataset access (Knowledge Base Access Config).
-# ---------------------------------------------------------------------------
-
-
-@console_ns.route("/workspaces/current/rbac/datasets/<uuid:dataset_id>/access-policy")
-class RBACDatasetMatrixApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.DatasetAccessMatrix.__name__])
-    def get(self, dataset_id):
-        tenant_id, account_id = _current_ids()
-        result = svc.RBACService.DatasetAccess.matrix(tenant_id, account_id, str(dataset_id))
-        _hydrate_access_matrix_account_names(result.items)
-        return _dump(result)
-
-
-@console_ns.route("/workspaces/current/rbac/datasets/<uuid:dataset_id>/whitelist")
-class RBACDatasetWhitelistApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ResourceWhitelist.__name__])
-    def get(self, dataset_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.DatasetAccess.whitelist(tenant_id, account_id, str(dataset_id)))
-
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ResourceWhitelist.__name__])
-    def put(self, dataset_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_ResourceAccessScopeRequest)
-        return _dump(
-            svc.RBACService.DatasetAccess.replace_whitelist(
-                tenant_id,
-                account_id,
-                str(dataset_id),
-                svc.ReplaceMemberBindings(scope=request.scope.value),
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/datasets/<uuid:dataset_id>/user-access-policies")
-class RBACDatasetUserAccessPoliciesApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ResourceUserAccessPoliciesResponse.__name__])
-    def get(self, dataset_id):
-        tenant_id, account_id = _current_ids()
-        result = svc.RBACService.DatasetAccess.user_access_policies(tenant_id, account_id, str(dataset_id))
-        _hydrate_resource_user_account_names(result.data)
-        return _dump(result)
-
-
-@console_ns.route("/workspaces/current/rbac/datasets/<uuid:dataset_id>/users/<uuid:target_account_id>/access-policies")
-class RBACDatasetUserAccessPolicyAssignmentApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.ReplaceUserAccessPoliciesResponse.__name__])
-    def put(self, dataset_id, target_account_id):
-        tenant_id, account_id = _current_ids()
-        payload = _payload(svc.ReplaceUserAccessPolicies)
-        return _dump(
-            svc.RBACService.DatasetAccess.replace_user_access_policies(
-                tenant_id,
-                account_id,
-                str(dataset_id),
-                str(target_account_id),
-                payload,
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/datasets/<uuid:dataset_id>/access-policies/<uuid:policy_id>/role-bindings")
-class RBACDatasetRoleBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.RoleBindingsResponse.__name__])
-    def get(self, dataset_id, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(
-            svc.RBACService.DatasetAccess.list_role_bindings(tenant_id, account_id, str(dataset_id), str(policy_id))
-        )
-
-
-@console_ns.route(
-    "/workspaces/current/rbac/datasets/<uuid:dataset_id>/access-policies/<string:policy_id>/member-bindings"
-)
-class RBACDatasetMemberBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberBindingsResponse.__name__])
-    def get(self, dataset_id, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(
-            svc.RBACService.DatasetAccess.list_member_bindings(tenant_id, account_id, str(dataset_id), str(policy_id))
-        )
-
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberBindingsResponse.__name__])
-    def delete(self, dataset_id, policy_id):
-        tenant_id, account_id = _current_ids()
-        request_body = _payload(_DeleteMemberBindingsRequest)
-        svc.RBACService.DatasetAccess.delete_member_bindings(
-            tenant_id,
-            account_id,
-            str(dataset_id),
-            str(policy_id),
-            svc.DeleteMemberBindings(account_ids=request_body.account_ids),
-        )
-        return {"result": "success"}
-
-
-# ---------------------------------------------------------------------------
-# Workspace-level access (Settings > Access Rules).
-# ---------------------------------------------------------------------------
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/apps/access-policy")
-class RBACWorkspaceAppMatrixApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.WorkspaceAccessMatrix.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        options = _pagination_options()
-        result = svc.RBACService.WorkspaceAccess.app_matrix(tenant_id, account_id, options=options)
-        _hydrate_access_matrix_account_names(result.items)
-        return _dump(result)
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/apps/access-policies/<uuid:policy_id>/role-bindings")
-class RBACWorkspaceAppRoleBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.RoleBindingsResponse.__name__])
-    def get(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.WorkspaceAccess.list_app_role_bindings(tenant_id, account_id, str(policy_id)))
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/apps/access-policies/<uuid:policy_id>/bindings")
-class RBACWorkspaceAppBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.AccessMatrixItem.__name__])
-    def put(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_ReplaceBindingsRequest)
-        return _dump(
-            svc.RBACService.WorkspaceAccess.replace_app_bindings(
-                tenant_id,
-                account_id,
-                str(policy_id),
-                svc.ReplaceBindings(role_ids=list(request.role_ids), account_ids=list(request.account_ids)),
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/apps/access-policies/<uuid:policy_id>/member-bindings")
-class RBACWorkspaceAppMemberBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberBindingsResponse.__name__])
-    def get(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.WorkspaceAccess.list_app_member_bindings(tenant_id, account_id, str(policy_id)))
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/datasets/access-policy")
-class RBACWorkspaceDatasetMatrixApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.WorkspaceAccessMatrix.__name__])
-    def get(self):
-        tenant_id, account_id = _current_ids()
-        options = _pagination_options()
-        result = svc.RBACService.WorkspaceAccess.dataset_matrix(tenant_id, account_id, options=options)
-        _hydrate_access_matrix_account_names(result.items)
-        return _dump(result)
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/datasets/access-policies/<uuid:policy_id>/role-bindings")
-class RBACWorkspaceDatasetRoleBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.RoleBindingsResponse.__name__])
-    def get(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.WorkspaceAccess.list_dataset_role_bindings(tenant_id, account_id, str(policy_id)))
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/datasets/access-policies/<uuid:policy_id>/bindings")
-class RBACWorkspaceDatasetBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.AccessMatrixItem.__name__])
-    def put(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_ReplaceBindingsRequest)
-        return _dump(
-            svc.RBACService.WorkspaceAccess.replace_dataset_bindings(
-                tenant_id,
-                account_id,
-                str(policy_id),
-                svc.ReplaceBindings(role_ids=list(request.role_ids), account_ids=list(request.account_ids)),
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/workspace/datasets/access-policies/<uuid:policy_id>/member-bindings")
-class RBACWorkspaceDatasetMemberBindingsApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberBindingsResponse.__name__])
-    def get(self, policy_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(
-            svc.RBACService.WorkspaceAccess.list_dataset_member_bindings(tenant_id, account_id, str(policy_id))
-        )
-
-
-# ---------------------------------------------------------------------------
-# Member ↔ role bindings (Settings > Members > Assign roles).
-# ---------------------------------------------------------------------------
-
-
-class _ReplaceMemberRolesRequest(BaseModel):
-    role_ids: list[str] = []
-
-    @field_validator("role_ids", mode="before")
-    @classmethod
-    def _coerce_role_ids(cls, value: Any) -> list[str]:
-        if value is None:
-            return []
-        return value
-
-
-@console_ns.route("/workspaces/current/rbac/members/<uuid:member_id>/rbac-roles")
-class RBACMemberRolesApi(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberRolesResponse.__name__])
-    def get(self, member_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(svc.RBACService.MemberRoles.get(tenant_id, account_id, str(member_id)))
-
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[svc.MemberRolesResponse.__name__])
-    def put(self, member_id):
-        tenant_id, account_id = _current_ids()
-        request = _payload(_ReplaceMemberRolesRequest)
-        return _dump(
-            svc.RBACService.MemberRoles.replace(
-                tenant_id,
-                account_id,
-                str(member_id),
-                role_ids=list(request.role_ids),
-            )
-        )
-
-
-@console_ns.route("/workspaces/current/rbac/roles/<uuid:role_id>/members")
-class ListMembersByRole(Resource):
-    @login_required
-    @console_ns.response(200, "Success", console_ns.models[_MembersInRoleList.__name__])
-    def get(self, role_id):
-        tenant_id, account_id = _current_ids()
-        return _dump(
-            svc.RBACService.Roles.list_members_by_role(tenant_id, role_id=role_id, options=_pagination_options())
-        )
--- a/api/controllers/console/workspace/snippets.py
+++ b/api/controllers/console/workspace/snippets.py
@ -21,11 +21,8 @@ from controllers.console.snippets.payloads import (
    UpdateSnippetPayload,
 )
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -129,7 +126,6 @@ class CustomizedSnippetsApi(Resource):
        snippet_service = _snippet_service()
        snippets, total, has_more = snippet_service.get_snippets(
            tenant_id=current_tenant_id,
-            session=db.session,
            page=query.page,
            limit=query.limit,
            keyword=query.keyword,
@ -154,9 +150,6 @@ class CustomizedSnippetsApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    @with_current_user
    @with_current_tenant_id
    def post(self, current_tenant_id: str, current_user: Account):
@ -219,9 +212,6 @@ class CustomizedSnippetDetailApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    @with_current_user
    @with_current_tenant_id
    def patch(self, current_tenant_id: str, current_user: Account, snippet_id: str):
@ -266,7 +256,6 @@ class CustomizedSnippetDetailApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_MANAGE, resource_required=False)
    @with_current_tenant_id
    def delete(self, current_tenant_id: str, snippet_id: str):
        """Delete customized snippet."""
@ -302,9 +291,6 @@ class CustomizedSnippetExportApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    @with_current_tenant_id
    def get(self, current_tenant_id: str, snippet_id: str):
        """Export snippet as DSL."""
@ -350,9 +336,6 @@ class CustomizedSnippetImportApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    @with_current_user
    def post(self, current_user: Account):
        """Import snippet from DSL."""
@ -391,9 +374,6 @@ class CustomizedSnippetImportConfirmApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    @with_current_user
    def post(self, current_user: Account, import_id: str):
        """Confirm a pending snippet import."""
@ -422,9 +402,6 @@ class CustomizedSnippetCheckDependenciesApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    @with_current_tenant_id
    def get(self, current_tenant_id: str, snippet_id: str):
        """Check dependencies for a snippet."""
@ -455,9 +432,6 @@ class CustomizedSnippetUseCountIncrementApi(Resource):
    @login_required
    @account_initialization_required
    @edit_permission_required
-    @rbac_permission_required(
-        RBACResourceScope.WORKSPACE, RBACPermission.SNIPPETS_CREATE_AND_MODIFY, resource_required=False
-    )
    @with_current_tenant_id
    def post(self, current_tenant_id: str, snippet_id: str):
        """Increment snippet use count when it is inserted into a workflow."""
--- a/api/controllers/console/workspace/tool_providers.py
+++ b/api/controllers/console/workspace/tool_providers.py
@ -14,12 +14,9 @@ from controllers.common.fields import BinaryFileResponse, RedirectResponse, Simp
 from controllers.common.schema import query_params_from_model, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    enterprise_license_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -372,7 +369,6 @@ class ToolBuiltinProviderDeleteApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, provider: str):
@ -415,7 +411,6 @@ class ToolBuiltinProviderUpdateApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -476,7 +471,6 @@ class ToolApiProviderAddApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.TOOL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -546,7 +540,6 @@ class ToolApiProviderUpdateApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.TOOL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -575,7 +568,6 @@ class ToolApiProviderDeleteApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.TOOL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -667,7 +659,6 @@ class ToolWorkflowProviderCreateApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.TOOL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -695,7 +686,6 @@ class ToolWorkflowProviderUpdateApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.TOOL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -723,7 +713,6 @@ class ToolWorkflowProviderDeleteApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.TOOL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -869,7 +858,6 @@ class ToolPluginOAuthApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -971,7 +959,6 @@ class ToolBuiltinProviderSetDefaultApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, current_tenant_id: str, provider: str):
@ -988,7 +975,6 @@ class ToolOAuthCustomClient(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, provider: str):
--- a/api/controllers/console/workspace/trigger_providers.py
+++ b/api/controllers/console/workspace/trigger_providers.py
@ -27,12 +27,9 @@ from services.trigger.trigger_subscription_operator_service import TriggerSubscr

 from .. import console_ns
 from ..wraps import (
-    RBACPermission,
-    RBACResourceScope,
    account_initialization_required,
    edit_permission_required,
    is_admin_or_owner_required,
-    rbac_permission_required,
    setup_required,
    with_current_tenant_id,
    with_current_user,
@ -146,7 +143,6 @@ class TriggerSubscriptionListApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -176,7 +172,6 @@ class TriggerSubscriptionBuilderCreateApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -206,7 +201,6 @@ class TriggerSubscriptionBuilderGetApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    def get(self, provider: str, subscription_builder_id: str):
        """Get a subscription instance for a trigger provider"""
@ -224,7 +218,6 @@ class TriggerSubscriptionBuilderVerifyApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -257,7 +250,6 @@ class TriggerSubscriptionBuilderUpdateApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.CREDENTIAL_MANAGE, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, provider: str, subscription_builder_id: str):
@ -290,7 +282,6 @@ class TriggerSubscriptionBuilderLogsApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    def get(self, provider: str, subscription_builder_id: str):
        """Get the request logs for a subscription instance for a trigger provider"""
@ -311,7 +302,6 @@ class TriggerSubscriptionBuilderBuildApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
@ -346,7 +336,6 @@ class TriggerSubscriptionUpdateApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, subscription_id: str):
@ -404,7 +393,6 @@ class TriggerSubscriptionDeleteApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, subscription_id: str):
@ -593,7 +581,6 @@ class TriggerOAuthClientManageApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def get(self, tenant_id: str, provider: str):
@ -639,7 +626,6 @@ class TriggerOAuthClientManageApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_tenant_id
    def post(self, tenant_id: str, provider: str):
@ -664,7 +650,6 @@ class TriggerOAuthClientManageApi(Resource):
    @setup_required
    @login_required
    @is_admin_or_owner_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @console_ns.response(200, "Success", console_ns.models[SimpleResultResponse.__name__])
    @with_current_tenant_id
@ -693,7 +678,6 @@ class TriggerSubscriptionVerifyApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
-    @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_PREFERENCES, resource_required=False)
    @account_initialization_required
    @with_current_user
    @with_current_tenant_id
--- a/api/controllers/console/wraps.py
+++ b/api/controllers/console/wraps.py
@ -9,14 +9,9 @@ from typing import Any, Concatenate, overload
 from flask import abort, request
 from pydantic import BaseModel, ValidationError
 from sqlalchemy import select
-from werkzeug.exceptions import Forbidden, UnprocessableEntity
+from werkzeug.exceptions import UnprocessableEntity

 from configs import dify_config
-from controllers.common.wraps import (
-    RBACPermission,
-    RBACResourceScope,
-    rbac_permission_required,
-)
 from controllers.console.auth.error import AuthenticationFailedError, EmailCodeError
 from controllers.console.workspace.error import AccountNotInitializedError
 from enums.cloud_plan import CloudPlan
@ -33,10 +28,6 @@ from services.operation_service import OperationService, UtmInfo

 from .error import NotInitValidateError, NotSetupError, UnauthorizedAndForceLogout

-# Re-exported so controllers can import the RBAC enums and decorator alongside
-# other console wraps from this module.
-__all__ = ["RBACPermission", "RBACResourceScope", "rbac_permission_required"]
-
 # Field names for decryption
 FIELD_NAME_PASSWORD = "password"
 FIELD_NAME_CODE = "code"
@ -344,15 +335,15 @@ def knowledge_pipeline_publish_enabled[**P, R](view: Callable[P, R]) -> Callable
 def edit_permission_required[**P, R](f: Callable[P, R]) -> Callable[P, R]:
    @wraps(f)
    def decorated_function(*args: P.args, **kwargs: P.kwargs):
+        from werkzeug.exceptions import Forbidden

        from libs.login import current_user

-        if not dify_config.RBAC_ENABLED:
-            user = current_user._get_current_object()  # type: ignore
-            if not isinstance(user, Account):
-                raise Forbidden()
-            if not current_user.has_edit_permission:
-                raise Forbidden()
+        user = current_user._get_current_object()  # type: ignore
+        if not isinstance(user, Account):
+            raise Forbidden()
+        if not current_user.has_edit_permission:
+            raise Forbidden()
        return f(*args, **kwargs)

    return decorated_function
@ -361,13 +352,13 @@ def edit_permission_required[**P, R](f: Callable[P, R]) -> Callable[P, R]:
 def is_admin_or_owner_required[**P, R](f: Callable[P, R]) -> Callable[P, R]:
    @wraps(f)
    def decorated_function(*args: P.args, **kwargs: P.kwargs):
+        from werkzeug.exceptions import Forbidden

        from libs.login import current_user

-        if not dify_config.RBAC_ENABLED:
-            user = current_user._get_current_object()
-            if not isinstance(user, Account) or not user.is_admin_or_owner:
-                raise Forbidden()
+        user = current_user._get_current_object()
+        if not isinstance(user, Account) or not user.is_admin_or_owner:
+            raise Forbidden()
        return f(*args, **kwargs)

    return decorated_function
--- a/api/controllers/inner_api/init.py
+++ b/api/controllers/inner_api/init.py
@ -9,16 +9,14 @@ api = ExternalApi(
    bp,
    version="1.0",
    title="Inner API",
-    description="Internal APIs for enterprise features, billing, knowledge retrieval, and plugin communication",
+    description="Internal APIs for enterprise features, billing, and plugin communication",
 )

 # Create namespace
 inner_api_ns = Namespace("inner_api", description="Internal API operations", path="/")

 from . import mail as _mail
-from . import runtime_credentials as _runtime_credentials
 from .app import dsl as _app_dsl
-from .knowledge import retrieval as _knowledge_retrieval
 from .plugin import agent_drive as _agent_drive
 from .plugin import plugin as _plugin
 from .workspace import workspace as _workspace
@ -28,10 +26,8 @@ api.add_namespace(inner_api_ns)
 __all__ = [
    "_agent_drive",
    "_app_dsl",
-    "_knowledge_retrieval",
    "_mail",
    "_plugin",
-    "_runtime_credentials",
    "_workspace",
    "api",
    "bp",
--- a/api/controllers/inner_api/knowledge/init.py
+++ b/api/controllers/inner_api/knowledge/init.py
@ -1 +0,0 @@
-"""Inner knowledge retrieval endpoints."""
--- a/api/controllers/inner_api/knowledge/retrieval.py
+++ b/api/controllers/inner_api/knowledge/retrieval.py
@ -1,110 +0,0 @@
-"""Inner API endpoint for tenant-scoped knowledge retrieval.
-
-This controller is a thin HTTP wrapper around
-``services.knowledge_retrieval_inner_service.InnerKnowledgeRetrievalService``.
-It intentionally keeps authorization simple: shared inner API key plus
-tenant-scoped app/dataset validation in the service layer.
-"""
-
-from flask_restx import Resource
-from pydantic import ValidationError
-
-from controllers.common.schema import register_response_schema_models, register_schema_models
-from controllers.inner_api import inner_api_ns
-from controllers.inner_api.wraps import inner_api_only
-from core.workflow.nodes.knowledge_retrieval import exc as retrieval_exc
-from libs.exception import BaseHTTPException
-from services.entities.knowledge_retrieval_inner import InnerKnowledgeRetrieveRequest, InnerKnowledgeRetrieveResponse
-from services.errors.knowledge_retrieval import ExternalKnowledgeRetrievalError, InnerKnowledgeRetrievalServiceError
-from services.knowledge_retrieval_inner_service import InnerKnowledgeRetrievalService
-
-
-class InnerKnowledgeRetrievalHttpError(BaseHTTPException):
-    error_code = "knowledge_retrieve_failed"
-    description = "Knowledge retrieval failed."
-    code = 500
-
-    def __init__(
-        self,
-        *,
-        error_code: str | None = None,
-        description: str | None = None,
-        status_code: int | None = None,
-    ) -> None:
-        if error_code is not None:
-            self.error_code = error_code
-        if description is not None:
-            self.description = description
-        if status_code is not None:
-            self.code = status_code
-        super().__init__(self.description)
-
-
-register_schema_models(inner_api_ns, InnerKnowledgeRetrieveRequest)
-register_response_schema_models(inner_api_ns, InnerKnowledgeRetrieveResponse)
-
-
-@inner_api_ns.route("/knowledge/retrieve")
-class InnerKnowledgeRetrieveApi(Resource):
-    """Retrieve knowledge from one or more datasets within the caller tenant."""
-
-    @inner_api_only
-    @inner_api_ns.doc("inner_knowledge_retrieve")
-    @inner_api_ns.doc(description="Retrieve knowledge for trusted internal callers")
-    @inner_api_ns.expect(inner_api_ns.models[InnerKnowledgeRetrieveRequest.__name__])
-    @inner_api_ns.response(
-        200,
-        "Knowledge retrieved successfully",
-        inner_api_ns.models[InnerKnowledgeRetrieveResponse.__name__],
-    )
-    @inner_api_ns.doc(
-        responses={
-            400: "Invalid request body",
-            401: "Unauthorized - invalid inner API key",
-            403: "Caller tenant does not own the requested resource",
-            404: "App or dataset not found",
-            422: "Invalid retrieval configuration",
-            429: "Knowledge retrieval rate limited",
-            502: "External knowledge retrieval failed",
-            500: "Unexpected knowledge retrieval failure",
-        }
-    )
-    def post(self) -> dict[str, object]:
-        """Validate the payload, run retrieval, and return workflow-style sources."""
-        try:
-            payload = InnerKnowledgeRetrieveRequest.model_validate(inner_api_ns.payload or {})
-        except ValidationError as exc:
-            raise InnerKnowledgeRetrievalHttpError(
-                error_code="invalid_request",
-                description=str(exc),
-                status_code=400,
-            ) from exc
-
-        try:
-            response = InnerKnowledgeRetrievalService().retrieve(payload)
-        except InnerKnowledgeRetrievalServiceError as exc:
-            raise InnerKnowledgeRetrievalHttpError(
-                error_code=exc.error_code,
-                description=exc.description,
-                status_code=exc.status_code,
-            ) from exc
-        except retrieval_exc.RateLimitExceededError as exc:
-            raise InnerKnowledgeRetrievalHttpError(
-                error_code="knowledge_rate_limited",
-                description=str(exc),
-                status_code=429,
-            ) from exc
-        except ExternalKnowledgeRetrievalError as exc:
-            raise InnerKnowledgeRetrievalHttpError(
-                error_code="external_knowledge_failed",
-                description=str(exc),
-                status_code=502,
-            ) from exc
-        except ValueError as exc:
-            raise InnerKnowledgeRetrievalHttpError(
-                error_code="retrieval_config_invalid",
-                description=str(exc),
-                status_code=422,
-            ) from exc
-
-        return response.model_dump(mode="json", by_alias=True)
--- a/api/controllers/inner_api/plugin/wraps.py
+++ b/api/controllers/inner_api/plugin/wraps.py
@ -10,7 +10,6 @@ from sqlalchemy.orm import sessionmaker
 from extensions.ext_database import db
 from libs.login import current_user
 from models.account import Tenant
-from models.enums import EndUserType
 from models.model import DefaultEndUserSessionID, EndUser


@ -76,7 +75,7 @@ def get_user(tenant_id: str, user_id: str | None) -> EndUser:
            if not user_model:
                user_model = EndUser(
                    tenant_id=tenant_id,
-                    type=EndUserType.SERVICE_API,
+                    type="service_api",
                    is_anonymous=is_anonymous,
                    session_id=user_id,
                )
--- a/api/controllers/inner_api/runtime_credentials.py
+++ b/api/controllers/inner_api/runtime_credentials.py
@ -1,205 +0,0 @@
-"""Inner API endpoints for runtime credential resolution.
-
-Called by Enterprise while resolving AppRunner runtime artifacts. The endpoint
-returns decrypted model and tool credentials for in-memory runtime use only.
-"""
-
-import json
-import logging
-from json import JSONDecodeError
-from typing import Any
-
-from flask_restx import Resource
-from pydantic import BaseModel, ConfigDict, Field
-from sqlalchemy import select
-from sqlalchemy.orm import Session
-
-from controllers.common.schema import register_schema_model
-from controllers.console.wraps import setup_required
-from controllers.inner_api import inner_api_ns
-from controllers.inner_api.wraps import enterprise_inner_api_only
-from core.helper import encrypter
-from core.helper.provider_cache import ToolProviderCredentialsCache
-from core.helper.provider_encryption import create_provider_encrypter
-from core.plugin.impl.model_runtime_factory import create_plugin_provider_manager
-from core.tools.tool_manager import ToolManager
-from extensions.ext_database import db
-from models.provider import ProviderCredential
-from models.tools import BuiltinToolProvider
-
-logger = logging.getLogger(__name__)
-
-_KIND_MODEL = "model"
-_KIND_TOOL = "tool"
-
-# (body, status) pair returned by a resolver helper when resolution fails.
-ResolveError = tuple[dict[str, str], int]
-
-
-class InnerRuntimeCredentialResolveItem(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
-    credential_id: str = Field(description="Credential id")
-    provider: str = Field(description="Runtime provider identifier, for example langgenius/openai/openai")
-    kind: str = Field(description="Credential kind, either 'model' or 'tool'")
-
-
-class InnerRuntimeCredentialsResolvePayload(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
-    tenant_id: str = Field(description="Workspace id")
-    credentials: list[InnerRuntimeCredentialResolveItem] = Field(default_factory=list)
-
-
-register_schema_model(inner_api_ns, InnerRuntimeCredentialsResolvePayload)
-
-
-@inner_api_ns.route("/enterprise/credentials/resolve")
-class EnterpriseRuntimeCredentialsResolve(Resource):
-    @setup_required
-    @enterprise_inner_api_only
-    @inner_api_ns.doc(
-        "enterprise_runtime_credentials_resolve",
-        responses={
-            200: "Credentials resolved",
-            400: "Invalid request or credential config",
-            404: "Provider or credential not found",
-        },
-    )
-    @inner_api_ns.expect(inner_api_ns.models[InnerRuntimeCredentialsResolvePayload.__name__])
-    def post(self):
-        args = InnerRuntimeCredentialsResolvePayload.model_validate(inner_api_ns.payload or {})
-        if not args.credentials:
-            return {"credentials": []}, 200
-
-        # Model resolution shares one provider configuration set; build it lazily
-        # so a tool-only request never pays for the plugin daemon round trip.
-        model_configurations = None
-
-        resolved: list[dict[str, Any]] = []
-        for item in args.credentials:
-            if item.kind == _KIND_MODEL:
-                if model_configurations is None:
-                    provider_manager = create_plugin_provider_manager(tenant_id=args.tenant_id)
-                    model_configurations = provider_manager.get_configurations(args.tenant_id)
-                values, error = _resolve_model(args.tenant_id, model_configurations, item)
-            elif item.kind == _KIND_TOOL:
-                values, error = _resolve_tool(args.tenant_id, item)
-            else:
-                return {"message": f"unsupported credential kind '{item.kind}'"}, 400
-
-            if error is not None:
-                return error
-            resolved.append(
-                {
-                    "credential_id": item.credential_id,
-                    "kind": item.kind,
-                    "provider": item.provider,
-                    "values": values,
-                }
-            )
-
-        return {"credentials": resolved}, 200
-
-
-def _resolve_model(
-    tenant_id: str, provider_configurations: Any, item: InnerRuntimeCredentialResolveItem
-) -> tuple[dict[str, Any] | None, ResolveError | None]:
-    provider_configuration = provider_configurations.get(item.provider)
-    if provider_configuration is None:
-        return None, ({"message": f"provider '{item.provider}' not found"}, 404)
-
-    provider_schema = provider_configuration.provider.provider_credential_schema
-    secret_variables = provider_configuration.extract_secret_variables(
-        provider_schema.credential_form_schemas if provider_schema else []
-    )
-
-    with Session(db.engine) as session:
-        stmt = select(ProviderCredential).where(
-            ProviderCredential.id == item.credential_id,
-            ProviderCredential.tenant_id == tenant_id,
-            ProviderCredential.provider_name.in_(provider_configuration._get_provider_names()),
-        )
-        credential = session.execute(stmt).scalar_one_or_none()
-
-    if credential is None or not credential.encrypted_config:
-        return None, ({"message": f"credential '{item.credential_id}' not found"}, 404)
-
-    try:
-        values = json.loads(credential.encrypted_config)
-    except JSONDecodeError:
-        return None, ({"message": f"credential '{item.credential_id}' has invalid config"}, 400)
-    if not isinstance(values, dict):
-        return None, ({"message": f"credential '{item.credential_id}' has invalid config"}, 400)
-
-    for key in secret_variables:
-        value = values.get(key)
-        if value is None:
-            continue
-        try:
-            values[key] = encrypter.decrypt_token(tenant_id=tenant_id, token=value)
-        except Exception as exc:
-            logger.warning(
-                "failed to resolve runtime model credential",
-                extra={
-                    "credential_id": item.credential_id,
-                    "provider": item.provider,
-                    "tenant_id": tenant_id,
-                    "error": type(exc).__name__,
-                },
-            )
-            return None, ({"message": f"credential '{item.credential_id}' decrypt failed"}, 400)
-
-    return values, None
-
-
-def _resolve_tool(
-    tenant_id: str, item: InnerRuntimeCredentialResolveItem
-) -> tuple[dict[str, Any] | None, ResolveError | None]:
-    try:
-        provider_controller = ToolManager.get_builtin_provider(item.provider, tenant_id)
-    except Exception as exc:
-        logger.warning(
-            "failed to load runtime tool provider",
-            extra={"provider": item.provider, "tenant_id": tenant_id, "error": type(exc).__name__},
-        )
-        return None, ({"message": f"tool provider '{item.provider}' not found"}, 404)
-
-    with Session(db.engine) as session:
-        stmt = select(BuiltinToolProvider).where(
-            BuiltinToolProvider.id == item.credential_id,
-            BuiltinToolProvider.provider == item.provider,
-            BuiltinToolProvider.tenant_id == tenant_id,
-        )
-        builtin_provider = session.execute(stmt).scalar_one_or_none()
-
-    if builtin_provider is None:
-        return None, ({"message": f"credential '{item.credential_id}' not found"}, 404)
-
-    try:
-        # Tool credentials are stored as a single encrypted dict; the secret
-        # fields are decided by the schema bound to this credential type.
-        provider_encrypter, _ = create_provider_encrypter(
-            tenant_id=tenant_id,
-            config=[
-                schema.to_basic_provider_config()
-                for schema in provider_controller.get_credentials_schema_by_type(builtin_provider.credential_type)
-            ],
-            cache=ToolProviderCredentialsCache(
-                tenant_id=tenant_id, provider=item.provider, credential_id=builtin_provider.id
-            ),
-        )
-        values = dict(provider_encrypter.decrypt(builtin_provider.credentials))
-    except Exception as exc:
-        logger.warning(
-            "failed to resolve runtime tool credential",
-            extra={
-                "credential_id": item.credential_id,
-                "provider": item.provider,
-                "tenant_id": tenant_id,
-                "error": type(exc).__name__,
-            },
-        )
-        return None, ({"message": f"credential '{item.credential_id}' decrypt failed"}, 400)
-
-    return values, None
--- a/api/controllers/inner_api/wraps.py
+++ b/api/controllers/inner_api/wraps.py
@ -8,39 +8,39 @@ from flask import abort, request

 from configs import dify_config
 from core.db.session_factory import session_factory
-from libs.exception import BaseHTTPException
 from models.model import EndUser


-class InnerApiUnauthorizedError(BaseHTTPException):
-    error_code = "inner_api_unauthorized"
-    description = "Unauthorized."
-    code = 401
-
-
-def inner_api_only[**P, R](view: Callable[P, R]) -> Callable[P, R]:
-    """Restrict access to callers authenticated with the shared inner API key."""
-
+def billing_inner_api_only[**P, R](view: Callable[P, R]) -> Callable[P, R]:
    @wraps(view)
    def decorated(*args: P.args, **kwargs: P.kwargs) -> R:
        if not dify_config.INNER_API:
            abort(404)

+        # get header 'X-Inner-Api-Key'
        inner_api_key = request.headers.get("X-Inner-Api-Key")
        if not inner_api_key or inner_api_key != dify_config.INNER_API_KEY:
-            raise InnerApiUnauthorizedError()
+            abort(401)

        return view(*args, **kwargs)

    return decorated


-def billing_inner_api_only[**P, R](view: Callable[P, R]) -> Callable[P, R]:
-    return inner_api_only(view)
-
-
 def enterprise_inner_api_only[**P, R](view: Callable[P, R]) -> Callable[P, R]:
-    return inner_api_only(view)
+    @wraps(view)
+    def decorated(*args: P.args, **kwargs: P.kwargs) -> R:
+        if not dify_config.INNER_API:
+            abort(404)
+
+        # get header 'X-Inner-Api-Key'
+        inner_api_key = request.headers.get("X-Inner-Api-Key")
+        if not inner_api_key or inner_api_key != dify_config.INNER_API_KEY:
+            abort(401)
+
+        return view(*args, **kwargs)
+
+    return decorated


 def enterprise_inner_api_user_auth[**P, R](view: Callable[P, R]) -> Callable[P, R]:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
gigglewang0417	b8ab27c5ee	test(cli/e2e): add member management E2E suite (get/create/delete/set member) 28 tests covering all four member commands: get member (10 tests) - list contains created member - required column headers (ID/NAME/EMAIL/ROLE/STATUS) - authenticated account appears as owner/active - JSON shape: data array with id/email/role/status fields - no ANSI codes in non-TTY output - pipe-friendly JSON output (ends with newline) - -o yaml returns valid YAML - -w flag overrides workspace - unauthenticated → exit 4 set member (7 tests) - promote normal → admin, verify via get member - demote admin → normal, verify via get member - --role owner rejected client-side (exit 2) - missing --role → usage error - missing member-id → usage error - non-existent UUID → server error - unauthenticated → exit 4 create member error paths (5 tests) - invalid role (superadmin) rejected client-side (exit 2) - --role owner rejected client-side (exit 2) - missing --email → usage error - missing --role → usage error - unauthenticated → exit 4 delete member (6 tests) - success: member removed from list - cannot delete self → server error - missing member-id → usage error - non-existent UUID → server error - -o json on error → structured error envelope - unauthenticated → exit 4 Data lifecycle: beforeAll invites two auto_test+<ts>@dify.ai members; afterAll cleans them up. No extra env vars required.	2026-06-18 17:39:11 +08:00
gigglewang0417	fadf3acc94	test(cli/e2e): remove 5.70f — test premise was incorrect 5.70f assumed that passing wrong-type inputs to run app would be intercepted by @accepts(body=) and return HTTP 422 with canonical ErrorBody details[]. This premise is wrong: - @accepts(body=) validates the API schema (inputs must be a dict), not the workflow-level variable types (num must be a number) - Wrong-type workflow inputs go through the SSE execution layer, returning an error event with status:500, not a canonical 422 - The CLI receives this via decodeStreamError, not classifyResponse, so rawResponse is never set and error.server is never populated The behavior tested by 5.70f (CLI rendering details[] as indented lines) remains valid as a contract requirement but has no triggerable E2E path on the current server. Covered by unit tests for renderHuman.	2026-06-17 11:59:56 +08:00
gigglewang0417	2da773e8d8	test(cli/e2e): rewrite 5.70d-h — correct triggers and add V2 hint priority test Rewrites 5 existing tests and adds 1 new test to align with the V2 ErrorBody spec (history page: https://km.dify.langgenius.ai/wiki/spaces/Enterprise/history/490602534/): Trigger fix (5.70d, 5.70g, 5.70h): Before: 'run app wrong-type input' → hits SSE execution layer → HTTP 500 After: 'describe app ZERO' → hits @returns canonical 404 ErrorBody → error.server set Result: 5.70d, 5.70g, 5.70h now pass on the current server Trigger fix (5.70e): Before: 'run app wrong-type input' → SSE 500, no details After: direct fetch to GET /apps?page=not-integer → @accepts(query=) returns 422 with canonical ErrorBody and details[] (bypasses CLI client-side page validation) Result: 5.70e now passes on the current server Forward-looking (5.70f): Kept 'run app wrong-type input' trigger — documents that once @accepts covers the app run path, details lines will appear; remains red until that server change deploys New (5.70g2): Tests V2 spec correction: hint priority is cliHint ?? server?.hint (CLI wins). V1 doc incorrectly said 'server wins'; V2 aligned with codebase. Trigger: unauthenticated → 401 AuthExpired → CLI AUTH_LOGIN_HINT appears at error.hint regardless of any server-provided hint. Passes on current server.	2026-06-17 10:42:37 +08:00
gigglewang0417	e3e7ff26a5	test(cli/e2e): add 5.70i/5.70j — 404 canonical body and RFC 8628 boundary 5.70i [P1] — /openapi/v1 unknown route 404 carries canonical ErrorBody (code, status) and must NOT contain flask-restx route suggestions ('did you mean'); pins the ExternalApi._help_on_404 fix from PR #37285 5.70j [P1] — device-flow token endpoint returns RFC 8628 {error: string} on failure, not the canonical ErrorBody shape; pins the explicit RFC 8628 exception documented in PR #37285 and confirms zErrorBody.safeParse would fail gracefully on this shape (serverError = undefined, generic message, no crash)	2026-06-16 18:09:19 +08:00
gigglewang0417	1bd9cf8cc6	test(cli/e2e): add ErrorBody contract tests for error.server structure Add 5 new test cases (5.70d-h) that verify the CLI correctly forwards the canonical ErrorBody from the server when request validation fails (422). These tests define the E2E contract introduced by the OpenAPI ErrorBody unification spec. They will be red until the server-side change deploys; the spec document is at: https://km.dify.langgenius.ai/wiki/spaces/Enterprise/pages/490602534/ 5.70d [P0] — JSON envelope contains error.server with code='invalid_param', status=422, and a non-empty message string 5.70e [P1] — error.server.details array carries field-level error entries with the {type, loc, msg} shape from ErrorDetail 5.70f [P1] — human-readable text mode renders each details entry as ' - <loc>: <msg> (<type>)' line (no -v required) 5.70g [P1] — text mode header code is server's 'invalid_param', not CLI's 'server_4xx_other' (server code wins in renderHuman) 5.70h [P1] — JSON envelope error.code is CLI classification code ('server_4xx_other'); semantic code is in error.server.code	2026-06-16 17:19:19 +08:00