build(dify-ui): add package infra (eslint, tsgo, vp check, staged, CI)

Add vite-plus toolchain, shared ESLint config via @antfu/eslint-config, tsgo type-check, pre-commit staged hooks, and CI lint/type-check steps for the @langgenius/dify-ui package. Made-with: Cursor
fix: apply score threshold after reranking in hybrid search (#35263 )
2026-06-01 06:28:14 +08:00 · 2026-04-16 16:06:34 +08:00 · 2026-04-16 06:21:11 +00:00 · 2026-04-16 06:06:57 +00:00 · 2026-04-16 05:36:20 +00:00 · 2026-04-16 05:13:17 +00:00
6485 changed files with 221126 additions and 275418 deletions
--- a/.agents/skills/e2e-cucumber-playwright/SKILL.md
+++ b/.agents/skills/e2e-cucumber-playwright/SKILL.md
@ -0,0 +1,79 @@
 ---
 name: e2e-cucumber-playwright
 description: Write, update, or review Dify end-to-end tests under `e2e/` that use Cucumber, Gherkin, and Playwright. Use when the task involves `.feature` files, `features/step-definitions/`, `features/support/`, `DifyWorld`, scenario tags, locator/assertion choices, or E2E testing best practices for this repository.
 ---
 # Dify E2E Cucumber + Playwright
 Use this skill for Dify's repository-level E2E suite in `e2e/`. Use [`e2e/AGENTS.md`](../../../e2e/AGENTS.md) as the canonical guide for local architecture and conventions, then apply Playwright/Cucumber best practices only where they fit the current suite.
 ## Scope
 - Use this skill for `.feature` files, Cucumber step definitions, `DifyWorld`, hooks, tags, and E2E review work under `e2e/`.
 - Do not use this skill for Vitest or React Testing Library work under `web/`; use `frontend-testing` instead.
 - Do not use this skill for backend test or API review tasks under `api/`.
 ## Read Order
 1. Read [`e2e/AGENTS.md`](../../../e2e/AGENTS.md) first.
 2. Read only the files directly involved in the task:
   - target `.feature` files under `e2e/features/`
   - related step files under `e2e/features/step-definitions/`
   - `e2e/features/support/hooks.ts` and `e2e/features/support/world.ts` when session lifecycle or shared state matters
   - `e2e/scripts/run-cucumber.ts` and `e2e/cucumber.config.ts` when tags or execution flow matter
 3. Read [`references/playwright-best-practices.md`](references/playwright-best-practices.md) only when locator, assertion, isolation, or waiting choices are involved.
 4. Read [`references/cucumber-best-practices.md`](references/cucumber-best-practices.md) only when scenario wording, step granularity, tags, or expression design are involved.
 5. Re-check official docs with Context7 before introducing a new Playwright or Cucumber pattern.
 ## Local Rules
 - `e2e/` uses Cucumber for scenarios and Playwright as the browser layer.
 - `DifyWorld` is the per-scenario context object. Type `this` as `DifyWorld` and use `async function`, not arrow functions.
 - Keep glue organized by capability under `e2e/features/step-definitions/`; use `common/` only for broadly reusable steps.
 - Browser session behavior comes from `features/support/hooks.ts`:
  - default: authenticated session with shared storage state
  - `@unauthenticated`: clean browser context
  - `@authenticated`: readability/selective-run tag only unless implementation changes
  - `@fresh`: only for `e2e:full*` flows
 - Do not import Playwright Test runner patterns that bypass the current Cucumber + `DifyWorld` architecture unless the task is explicitly about changing that architecture.
 ## Workflow
 1. Rebuild local context.
   - Inspect the target feature area.
   - Reuse an existing step when wording and behavior already match.
   - Add a new step only for a genuinely new user action or assertion.
   - Keep edits close to the current capability folder unless the step is broadly reusable.
 2. Write behavior-first scenarios.
   - Describe user-observable behavior, not DOM mechanics.
   - Keep each scenario focused on one workflow or outcome.
   - Keep scenarios independent and re-runnable.
 3. Write step definitions in the local style.
   - Keep one step to one user-visible action or one assertion.
   - Prefer Cucumber Expressions such as `{string}` and `{int}`.
   - Scope locators to stable containers when the page has repeated elements.
   - Avoid page-object layers or extra helper abstractions unless repeated complexity clearly justifies them.
 4. Use Playwright in the local style.
   - Prefer user-facing locators: `getByRole`, `getByLabel`, `getByPlaceholder`, `getByText`, then `getByTestId` for explicit contracts.
   - Use web-first `expect(...)` assertions.
   - Do not use `waitForTimeout`, manual polling, or raw visibility checks when a locator action or retrying assertion already expresses the behavior.
 5. Validate narrowly.
   - Run the narrowest tagged scenario or flow that exercises the change.
   - Run `pnpm -C e2e check`.
   - Broaden verification only when the change affects hooks, tags, setup, or shared step semantics.
 ## Review Checklist
 - Does the scenario describe behavior rather than implementation?
 - Does it fit the current session model, tags, and `DifyWorld` usage?
 - Should an existing step be reused instead of adding a new one?
 - Are locators user-facing and assertions web-first?
 - Does the change introduce hidden coupling across scenarios, tags, or instance state?
 - Does it document or implement behavior that differs from the real hooks or configuration?
 Lead findings with correctness, flake risk, and architecture drift.
 ## References
 - [`references/playwright-best-practices.md`](references/playwright-best-practices.md)
 - [`references/cucumber-best-practices.md`](references/cucumber-best-practices.md)
--- a/.agents/skills/e2e-cucumber-playwright/agents/openai.yaml
+++ b/.agents/skills/e2e-cucumber-playwright/agents/openai.yaml
@ -0,0 +1,4 @@
 interface:
  display_name: "E2E Cucumber + Playwright"
  short_description: "Write and review Dify E2E scenarios."
  default_prompt: "Use $e2e-cucumber-playwright to write or review a Dify E2E scenario under e2e/."
--- a/.agents/skills/e2e-cucumber-playwright/references/cucumber-best-practices.md
+++ b/.agents/skills/e2e-cucumber-playwright/references/cucumber-best-practices.md
@ -0,0 +1,93 @@
 # Cucumber Best Practices For Dify E2E
 Use this reference when writing or reviewing Gherkin scenarios, step definitions, parameter expressions, and step reuse in Dify's `e2e/` suite.
 Official sources:
 - https://cucumber.io/docs/guides/10-minute-tutorial/
 - https://cucumber.io/docs/cucumber/step-definitions/
 - https://cucumber.io/docs/cucumber/cucumber-expressions/
 ## What Matters Most
 ### 1. Treat scenarios as executable specifications
 Cucumber scenarios should describe examples of behavior, not test implementation recipes.
 Apply it like this:
 - write what the user does and what should happen
 - avoid UI-internal wording such as selector details, DOM structure, or component names
 - keep language concrete enough that the scenario reads like living documentation
 ### 2. Keep scenarios focused
 A scenario should usually prove one workflow or business outcome. If a scenario wanders across several unrelated behaviors, split it.
 In Dify's suite, this means:
 - one capability-focused scenario per feature path
 - no long setup chains when existing bootstrap or reusable steps already cover them
 - no hidden dependency on another scenario's side effects
 ### 3. Reuse steps, but only when behavior really matches
 Good reuse reduces duplication. Bad reuse hides meaning.
 Prefer reuse when:
 - the user action is genuinely the same
 - the expected outcome is genuinely the same
 - the wording stays natural across features
 Write a new step when:
 - the behavior is materially different
 - reusing the old wording would make the scenario misleading
 - a supposedly generic step would become an implementation-detail wrapper
 ### 4. Prefer Cucumber Expressions
 Use Cucumber Expressions for parameters unless regex is clearly necessary.
 Common examples:
 - `{string}` for labels, names, and visible text
 - `{int}` for counts
 - `{float}` for decimal values
 - `{word}` only when the value is truly a single token
 Keep expressions readable. If a step needs complicated parsing logic, first ask whether the scenario wording should be simpler.
 ### 5. Keep step definitions thin and meaningful
 Step definitions are glue between Gherkin and automation, not a second abstraction language.
 For Dify:
 - type `this` as `DifyWorld`
 - use `async function`
 - keep each step to one user-visible action or assertion
 - rely on `DifyWorld` and existing support code for shared context
 - avoid leaking cross-scenario state
 ### 6. Use tags intentionally
 Tags should communicate run scope or session semantics, not become ad hoc metadata.
 In Dify's current suite:
 - capability tags group related scenarios
 - `@unauthenticated` changes session behavior
 - `@authenticated` is descriptive/selective, not a behavior switch by itself
 - `@fresh` belongs to reset/full-install flows only
 If a proposed tag implies behavior, verify that hooks or runner configuration actually implement it.
 ## Review Questions
 - Does the scenario read like a real example of product behavior?
 - Are the steps behavior-oriented instead of implementation-oriented?
 - Is a reused step still truthful in this feature?
 - Is a new tag documenting real behavior, or inventing semantics that the suite does not implement?
 - Would a new reader understand the outcome without opening the step-definition file?
--- a/.agents/skills/e2e-cucumber-playwright/references/playwright-best-practices.md
+++ b/.agents/skills/e2e-cucumber-playwright/references/playwright-best-practices.md
@ -0,0 +1,96 @@
 # Playwright Best Practices For Dify E2E
 Use this reference when writing or reviewing locator, assertion, isolation, or synchronization logic for Dify's Cucumber-based E2E suite.
 Official sources:
 - https://playwright.dev/docs/best-practices
 - https://playwright.dev/docs/locators
 - https://playwright.dev/docs/test-assertions
 - https://playwright.dev/docs/browser-contexts
 ## What Matters Most
 ### 1. Keep scenarios isolated
 Playwright's model is built around clean browser contexts so one test does not leak into another. In Dify's suite, that principle maps to per-scenario session setup in `features/support/hooks.ts` and `DifyWorld`.
 Apply it like this:
 - do not depend on another scenario having run first
 - do not persist ad hoc scenario state outside `DifyWorld`
 - do not couple ordinary scenarios to `@fresh` behavior
 - when a flow needs special auth/session semantics, express that through the existing tag model or explicit hook changes
 ### 2. Prefer user-facing locators
 Playwright recommends built-in locators that reflect what users perceive on the page.
 Preferred order in this repository:
 1. `getByRole`
 2. `getByLabel`
 3. `getByPlaceholder`
 4. `getByText`
 5. `getByTestId` when an explicit test contract is the most stable option
 Avoid raw CSS/XPath selectors unless no stable user-facing contract exists and adding one is not practical.
 Also remember:
 - repeated content usually needs scoping to a stable container
 - exact text matching is often too brittle when role/name or label already exists
 - `getByTestId` is acceptable when semantics are weak but the contract is intentional
 ### 3. Use web-first assertions
 Playwright assertions auto-wait and retry. Prefer them over manual state inspection.
 Prefer:
 - `await expect(page).toHaveURL(...)`
 - `await expect(locator).toBeVisible()`
 - `await expect(locator).toBeHidden()`
 - `await expect(locator).toBeEnabled()`
 - `await expect(locator).toHaveText(...)`
 Avoid:
 - `expect(await locator.isVisible()).toBe(true)`
 - custom polling loops for DOM state
 - `waitForTimeout` as synchronization
 If a condition genuinely needs custom retry logic, use Playwright's polling/assertion tools deliberately and keep that choice local and explicit.
 ### 4. Let actions wait for actionability
 Locator actions already wait for the element to be actionable. Do not preface every click/fill with extra timing logic unless the action needs a specific visible/ready assertion for clarity.
 Good pattern:
 - assert a meaningful visible state when that is part of the behavior
 - then click/fill/select via locator APIs
 Bad pattern:
 - stack arbitrary waits before every action
 - wait on unstable implementation details instead of the visible state the user cares about
 ### 5. Match debugging to the current suite
 Playwright's wider ecosystem supports traces and rich debugging tools. Dify's current suite already captures:
 - full-page screenshots
 - page HTML
 - console errors
 - page errors
 Use the existing artifact flow by default. If a task is specifically about improving diagnostics, confirm the change fits the current Cucumber architecture before importing broader Playwright tooling.
 ## Review Questions
 - Would this locator survive DOM refactors that do not change user-visible behavior?
 - Is this assertion using Playwright's retrying semantics?
 - Is any explicit wait masking a real readiness problem?
 - Does this code preserve per-scenario isolation?
 - Is a new abstraction really needed, or does it bypass the existing `DifyWorld` + step-definition model?
--- a/.claude/skills/e2e-cucumber-playwright
+++ b/.claude/skills/e2e-cucumber-playwright
@ -0,0 +1 @@
 ../../.agents/skills/e2e-cucumber-playwright
--- a/.devcontainer/post_create_command.sh
+++ b/.devcontainer/post_create_command.sh
@ -7,7 +7,7 @@ cd web && pnpm install
 pipx install uv
 echo "alias start-api=\"cd $WORKSPACE_ROOT/api && uv run python -m flask run --host 0.0.0.0 --port=5001 --debug\"" >> ~/.bashrc
-echo "alias start-worker=\"cd $WORKSPACE_ROOT/api && uv run python -m celery -A app.celery worker -P threads -c 1 --loglevel INFO -Q dataset,dataset_summary,priority_dataset,priority_pipeline,pipeline,mail,ops_trace,app_deletion,plugin,workflow_storage,conversation,workflow,schedule_poller,schedule_executor,triggered_workflow_dispatcher,trigger_refresh_executor,retention,workflow_based_app_execution\"" >> ~/.bashrc
+echo "alias start-worker=\"cd $WORKSPACE_ROOT/api && uv run python -m celery -A app.celery worker -P threads -c 1 --loglevel INFO -Q dataset,dataset_summary,priority_dataset,priority_pipeline,pipeline,mail,ops_trace,app_deletion,plugin,workflow_storage,conversation,workflow,schedule_poller,schedule_executor,triggered_workflow_dispatcher,trigger_refresh_publisher,trigger_refresh_executor,retention\"" >> ~/.bashrc
 echo "alias start-web=\"cd $WORKSPACE_ROOT/web && pnpm dev:inspect\"" >> ~/.bashrc
 echo "alias start-web-prod=\"cd $WORKSPACE_ROOT/web && pnpm build && pnpm start\"" >> ~/.bashrc
 echo "alias start-containers=\"cd $WORKSPACE_ROOT/docker && docker-compose -f docker-compose.middleware.yaml -p dify --env-file middleware.env up -d\"" >> ~/.bashrc
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -36,7 +36,6 @@
 /api/core/workflow/graph/ @laipz8200 @QuantumGhost
 /api/core/workflow/graph_events/ @laipz8200 @QuantumGhost
 /api/core/workflow/node_events/ @laipz8200 @QuantumGhost
 /api/dify_graph/model_runtime/ @laipz8200 @QuantumGhost
 # Backend - Workflow - Nodes (Agent, Iteration, Loop, LLM)
 /api/core/workflow/nodes/agent/ @Nov1c444
--- a/.github/actions/setup-web/action.yml
+++ b/.github/actions/setup-web/action.yml
@ -6,7 +6,6 @@ runs:
    - name: Setup Vite+
      uses: voidzero-dev/setup-vp@20553a7a7429c429a74894104a2835d7fed28a72 # v1.3.0
      with:
        working-directory: web
        node-version-file: .nvmrc
        cache: true
        run-install: true
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,106 +1,6 @@
 version: 2
 updates:
  - package-ecosystem: "pip"
    directory: "/api"
    open-pull-requests-limit: 10
    schedule:
      interval: "weekly"
    groups:
      flask:
        patterns:
          - "flask"
          - "flask-*"
          - "werkzeug"
          - "gunicorn"
      google:
        patterns:
          - "google-*"
          - "googleapis-*"
      opentelemetry:
        patterns:
          - "opentelemetry-*"
      pydantic:
        patterns:
          - "pydantic"
          - "pydantic-*"
      llm:
        patterns:
          - "langfuse"
          - "langsmith"
          - "litellm"
          - "mlflow*"
          - "opik"
          - "weave*"
          - "arize*"
          - "tiktoken"
          - "transformers"
      database:
        patterns:
          - "sqlalchemy"
          - "psycopg2*"
          - "psycogreen"
          - "redis*"
          - "alembic*"
      storage:
        patterns:
          - "boto3*"
          - "botocore*"
          - "azure-*"
          - "bce-*"
          - "cos-python-*"
          - "esdk-obs-*"
          - "google-cloud-storage"
          - "opendal"
          - "oss2"
          - "supabase*"
          - "tos*"
      vdb:
        patterns:
          - "alibabacloud*"
          - "chromadb"
          - "clickhouse-*"
          - "clickzetta-*"
          - "couchbase"
          - "elasticsearch"
          - "opensearch-py"
          - "oracledb"
          - "pgvect*"
          - "pymilvus"
          - "pymochow"
          - "pyobvector"
          - "qdrant-client"
          - "intersystems-*"
          - "tablestore"
          - "tcvectordb"
          - "tidb-vector"
          - "upstash-*"
          - "volcengine-*"
          - "weaviate-*"
          - "xinference-*"
          - "mo-vector"
          - "mysql-connector-*"
      dev:
        patterns:
          - "coverage"
          - "dotenv-linter"
          - "faker"
          - "lxml-stubs"
          - "basedpyright"
          - "ruff"
          - "pytest*"
          - "types-*"
          - "boto3-stubs"
          - "hypothesis"
          - "pandas-stubs"
          - "scipy-stubs"
          - "import-linter"
          - "celery-types"
          - "mypy*"
          - "pyrefly"
      python-packages:
        patterns:
          - "*"
  - package-ecosystem: "uv"
    directory: "/api"
    open-pull-requests-limit: 10
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@ -1,3 +1,10 @@
 web:
  - changed-files:
-      - any-glob-to-any-file: 'web/**'
+      - any-glob-to-any-file:
          - 'web/**'
          - 'packages/**'
          - 'package.json'
          - 'pnpm-lock.yaml'
          - 'pnpm-workspace.yaml'
          - '.npmrc'
          - '.nvmrc'
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -7,6 +7,7 @@
 ## Summary
 <!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
 <!-- If this PR was created by an automated agent, add `From <Tool Name>` as the final line of the description. Example: `From Codex`. -->
 ## Screenshots
@ -17,7 +18,7 @@
 ## Checklist
 - [ ] This change requires a documentation update, included: [Dify Document](https://github.com/langgenius/dify-docs)
- [x] I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
+- [ ] I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
- [x] I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
+- [ ] I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
- [x] I've updated the documentation accordingly.
+- [ ] I've updated the documentation accordingly.
- [x] I ran `make lint` and `make type-check` (backend) and `cd web && npx lint-staged` (frontend) to appease the lint gods
+- [ ] I ran `make lint && make type-check` (backend) and `cd web && pnpm exec vp staged` (frontend) to appease the lint gods
--- a/.github/scripts/generate-i18n-changes.mjs
+++ b/.github/scripts/generate-i18n-changes.mjs
@ -0,0 +1,82 @@
 import { execFileSync } from 'node:child_process'
 import fs from 'node:fs'
 import path from 'node:path'
 const repoRoot = process.cwd()
 const baseSha = process.env.BASE_SHA || ''
 const headSha = process.env.HEAD_SHA || ''
 const files = (process.env.CHANGED_FILES || '').split(/\s+/).filter(Boolean)
 const outputPath = process.env.I18N_CHANGES_OUTPUT_PATH || '/tmp/i18n-changes.json'
 const englishPath = fileStem => path.join(repoRoot, 'web', 'i18n', 'en-US', `${fileStem}.json`)
 const readCurrentJson = (fileStem) => {
  const filePath = englishPath(fileStem)
  if (!fs.existsSync(filePath))
    return null
  return JSON.parse(fs.readFileSync(filePath, 'utf8'))
 }
 const readBaseJson = (fileStem) => {
  if (!baseSha)
    return null
  try {
    const relativePath = `web/i18n/en-US/${fileStem}.json`
    const content = execFileSync('git', ['show', `${baseSha}:${relativePath}`], { encoding: 'utf8' })
    return JSON.parse(content)
  }
  catch {
    return null
  }
 }
 const compareJson = (beforeValue, afterValue) => JSON.stringify(beforeValue) === JSON.stringify(afterValue)
 const changes = {}
 for (const fileStem of files) {
  const currentJson = readCurrentJson(fileStem)
  const beforeJson = readBaseJson(fileStem) || {}
  const afterJson = currentJson || {}
  const added = {}
  const updated = {}
  const deleted = []
  for (const [key, value] of Object.entries(afterJson)) {
    if (!(key in beforeJson)) {
      added[key] = value
      continue
    }
    if (!compareJson(beforeJson[key], value)) {
      updated[key] = {
        before: beforeJson[key],
        after: value,
      }
    }
  }
  for (const key of Object.keys(beforeJson)) {
    if (!(key in afterJson))
      deleted.push(key)
  }
  changes[fileStem] = {
    fileDeleted: currentJson === null,
    added,
    updated,
    deleted,
  }
 }
 fs.writeFileSync(
  outputPath,
  JSON.stringify({
    baseSha,
    headSha,
    files,
    changes,
  })
 )
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@ -14,18 +14,17 @@ concurrency:
  cancel-in-progress: true
 jobs:
-  test:
+  api-unit:
-    name: API Tests
+    name: API Unit Tests
    runs-on: ubuntu-latest
    env:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+      COVERAGE_FILE: coverage-unit
    defaults:
      run:
        shell: bash
    strategy:
      matrix:
        python-version:
          - "3.11"
          - "3.12"
    steps:
@ -36,7 +35,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -51,6 +50,52 @@ jobs:
      - name: Run dify config tests
        run: uv run --project api dev/pytest/pytest_config_tests.py
      - name: Run Unit Tests
        run: uv run --project api bash dev/pytest/pytest_unit_tests.sh
      - name: Upload unit coverage data
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: api-coverage-unit
          path: coverage-unit
          retention-days: 1
  api-integration:
    name: API Integration Tests
    runs-on: ubuntu-latest
    env:
      COVERAGE_FILE: coverage-integration
      STORAGE_TYPE: opendal
      OPENDAL_SCHEME: fs
      OPENDAL_FS_ROOT: /tmp/dify-storage
    defaults:
      run:
        shell: bash
    strategy:
      matrix:
        python-version:
          - "3.12"
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Setup UV and Python
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
          cache-dependency-glob: api/uv.lock
      - name: Check UV lockfile
        run: uv lock --project api --check
      - name: Install dependencies
        run: uv sync --project api --dev
      - name: Set up dotenvs
        run: |
          cp docker/.env.example docker/.env
@ -74,23 +119,91 @@ jobs:
        run: |
          cp api/tests/integration_tests/.env.example api/tests/integration_tests/.env
-      - name: Run API Tests
+      - name: Run Integration Tests
        env:
          STORAGE_TYPE: opendal
          OPENDAL_SCHEME: fs
          OPENDAL_FS_ROOT: /tmp/dify-storage
        run: |
          uv run --project api pytest \
            -n auto \
            --timeout "${PYTEST_TIMEOUT:-180}" \
            api/tests/integration_tests/workflow \
            api/tests/integration_tests/tools \
-            api/tests/test_containers_integration_tests \
+            api/tests/test_containers_integration_tests
-            api/tests/unit_tests
+
      - name: Upload integration coverage data
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: api-coverage-integration
          path: coverage-integration
          retention-days: 1
  api-coverage:
    name: API Coverage
    runs-on: ubuntu-latest
    needs:
      - api-unit
      - api-integration
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      COVERAGE_FILE: .coverage
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Setup UV and Python
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
          cache-dependency-glob: api/uv.lock
      - name: Install dependencies
        run: uv sync --project api --dev
      - name: Download coverage data
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: coverage-data
          pattern: api-coverage-*
          merge-multiple: true
      - name: Combine coverage
        run: |
          set -euo pipefail
          echo "### API Coverage" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Merged backend coverage report generated for Codecov project status." >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          unit_coverage="$(find coverage-data -type f -name coverage-unit -print -quit)"
          integration_coverage="$(find coverage-data -type f -name coverage-integration -print -quit)"
          : "${unit_coverage:?coverage-unit artifact not found}"
          : "${integration_coverage:?coverage-integration artifact not found}"
          report_file="$(mktemp)"
          uv run --project api coverage combine "$unit_coverage" "$integration_coverage"
          uv run --project api coverage report --show-missing | tee "$report_file"
          echo "Summary: \`$(tail -n 1 "$report_file")\`" >> "$GITHUB_STEP_SUMMARY"
          {
            echo ""
            echo "<details><summary>Coverage report</summary>"
            echo ""
            echo '```'
            cat "$report_file"
            echo '```'
            echo "</details>"
          } >> "$GITHUB_STEP_SUMMARY"
          uv run --project api coverage xml -o coverage.xml
      - name: Report coverage
-        if: ${{ env.CODECOV_TOKEN != '' && matrix.python-version == '3.12' }}
+        if: ${{ env.CODECOV_TOKEN != '' }}
-        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: ./coverage.xml
          disable_search: true
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@ -2,6 +2,9 @@ name: autofix.ci
 on:
  pull_request:
    branches: ["main"]
  merge_group:
    branches: ["main"]
    types: [checks_requested]
  push:
    branches: ["main"]
 permissions:
@ -12,9 +15,15 @@ jobs:
    if: github.repository == 'langgenius/dify'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Complete merge group check
        if: github.event_name == 'merge_group'
        run: echo "autofix.ci updates pull request branches, not merge group refs."
      - if: github.event_name != 'merge_group'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check Docker Compose inputs
        if: github.event_name != 'merge_group'
        id: docker-compose-changes
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
@ -24,30 +33,40 @@ jobs:
            docker/docker-compose-template.yaml
            docker/docker-compose.yaml
      - name: Check web inputs
        if: github.event_name != 'merge_group'
        id: web-changes
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            web/**
            packages/**
            package.json
            pnpm-lock.yaml
            pnpm-workspace.yaml
            .npmrc
            .nvmrc
      - name: Check api inputs
        if: github.event_name != 'merge_group'
        id: api-changes
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            api/**
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - if: github.event_name != 'merge_group'
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+      - if: github.event_name != 'merge_group'
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
      - name: Generate Docker Compose
-        if: steps.docker-compose-changes.outputs.any_changed == 'true'
+        if: github.event_name != 'merge_group' && steps.docker-compose-changes.outputs.any_changed == 'true'
        run: |
          cd docker
          ./generate_docker_compose
-      - if: steps.api-changes.outputs.any_changed == 'true'
+      - if: github.event_name != 'merge_group' && steps.api-changes.outputs.any_changed == 'true'
        run: |
          cd api
          uv sync --dev
@ -59,13 +78,13 @@ jobs:
          uv run ruff format ..
      - name: count migration progress
-        if: steps.api-changes.outputs.any_changed == 'true'
+        if: github.event_name != 'merge_group' && steps.api-changes.outputs.any_changed == 'true'
        run: |
          cd api
          ./cnt_base.sh
      - name: ast-grep
-        if: steps.api-changes.outputs.any_changed == 'true'
+        if: github.event_name != 'merge_group' && steps.api-changes.outputs.any_changed == 'true'
        run: |
          # ast-grep exits 1 if no matches are found; allow idempotent runs.
          uvx --from ast-grep-cli ast-grep --pattern 'db.session.query($WHATEVER).filter($HERE)' --rewrite 'db.session.query($WHATEVER).where($HERE)' -l py --update-all || true
@ -95,13 +114,14 @@ jobs:
          find . -name "*.py.bak" -type f -delete
      - name: Setup web environment
-        if: steps.web-changes.outputs.any_changed == 'true'
+        if: github.event_name != 'merge_group' && steps.web-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/setup-web
      - name: ESLint autofix
-        if: steps.web-changes.outputs.any_changed == 'true'
+        if: github.event_name != 'merge_group' && steps.web-changes.outputs.any_changed == 'true'
        run: |
          cd web
          vp exec eslint --concurrency=2 --prune-suppressions --quiet || true
-      - uses: autofix-ci/action@7a166d7532b277f34e16238930461bf77f9d7ed8 # v1.3.3
+      - if: github.event_name != 'merge_group'
        uses: autofix-ci/action@7a166d7532b277f34e16238930461bf77f9d7ed8 # v1.3.3
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@ -24,27 +24,39 @@ env:
 jobs:
  build:
-    runs-on: ${{ matrix.platform == 'linux/arm64' && 'arm64_runner' || 'ubuntu-latest' }}
+    runs-on: ${{ matrix.runs_on }}
    if: github.repository == 'langgenius/dify'
    strategy:
      matrix:
        include:
          - service_name: "build-api-amd64"
            image_name_env: "DIFY_API_IMAGE_NAME"
-            context: "api"
+            artifact_context: "api"
            build_context: "{{defaultContext}}:api"
            file: "Dockerfile"
            platform: linux/amd64
            runs_on: ubuntu-latest
          - service_name: "build-api-arm64"
            image_name_env: "DIFY_API_IMAGE_NAME"
-            context: "api"
+            artifact_context: "api"
            build_context: "{{defaultContext}}:api"
            file: "Dockerfile"
            platform: linux/arm64
            runs_on: ubuntu-24.04-arm
          - service_name: "build-web-amd64"
            image_name_env: "DIFY_WEB_IMAGE_NAME"
-            context: "web"
+            artifact_context: "web"
            build_context: "{{defaultContext}}"
            file: "web/Dockerfile"
            platform: linux/amd64
            runs_on: ubuntu-latest
          - service_name: "build-web-arm64"
            image_name_env: "DIFY_WEB_IMAGE_NAME"
-            context: "web"
+            artifact_context: "web"
            build_context: "{{defaultContext}}"
            file: "web/Dockerfile"
            platform: linux/arm64
            runs_on: ubuntu-24.04-arm
    steps:
      - name: Prepare
@ -53,14 +65,11 @@ jobs:
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
@ -72,13 +81,12 @@ jobs:
      - name: Build Docker image
        id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
-          context: "{{defaultContext}}:${{ matrix.context }}"
+          context: ${{ matrix.build_context }}
          file: ${{ matrix.file }}
          platforms: ${{ matrix.platform }}
-          build-args: |
+          build-args: COMMIT_SHA=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
            COMMIT_SHA=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
            ENABLE_PROD_SOURCEMAP=${{ matrix.context == 'web' && github.ref_name == 'deploy/dev' }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env[matrix.image_name_env] }},push-by-digest=true,name-canonical=true,push=true
          cache-from: type=gha,scope=${{ matrix.service_name }}
@ -93,9 +101,9 @@ jobs:
          touch "/tmp/digests/${sanitized_digest}"
      - name: Upload digest
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
-          name: digests-${{ matrix.context }}-${{ env.PLATFORM_PAIR }}
+          name: digests-${{ matrix.artifact_context }}-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
@ -122,7 +130,7 @@ jobs:
          merge-multiple: true
      - name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_TOKEN }}
--- a/.github/workflows/db-migration-test.yml
+++ b/.github/workflows/db-migration-test.yml
@ -19,7 +19,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
@ -69,7 +69,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@ -14,35 +14,40 @@ concurrency:
 jobs:
  build-docker:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runs_on }}
    strategy:
      matrix:
        include:
          - service_name: "api-amd64"
            platform: linux/amd64
-            context: "api"
+            runs_on: ubuntu-latest
            context: "{{defaultContext}}:api"
            file: "Dockerfile"
          - service_name: "api-arm64"
            platform: linux/arm64
-            context: "api"
+            runs_on: ubuntu-24.04-arm
            context: "{{defaultContext}}:api"
            file: "Dockerfile"
          - service_name: "web-amd64"
            platform: linux/amd64
-            context: "web"
+            runs_on: ubuntu-latest
            context: "{{defaultContext}}"
            file: "web/Dockerfile"
          - service_name: "web-arm64"
            platform: linux/arm64
-            context: "web"
+            runs_on: ubuntu-24.04-arm
            context: "{{defaultContext}}"
            file: "web/Dockerfile"
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Build Docker Image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          push: false
-          context: "{{defaultContext}}:${{ matrix.context }}"
+          context: ${{ matrix.context }}
-          file: "${{ matrix.file }}"
+          file: ${{ matrix.file }}
          platforms: ${{ matrix.platform }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
--- a/.github/workflows/main-ci.yml
+++ b/.github/workflows/main-ci.yml
@ -3,10 +3,14 @@ name: Main CI Pipeline
 on:
  pull_request:
    branches: ["main"]
  merge_group:
    branches: ["main"]
    types: [checks_requested]
  push:
    branches: ["main"]
 permissions:
  actions: write
  contents: write
  pull-requests: write
  checks: write
@ -17,12 +21,28 @@ concurrency:
  cancel-in-progress: true
 jobs:
  pre_job:
    name: Skip Duplicate Checks
    runs-on: ubuntu-latest
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip || 'false' }}
    steps:
      - id: skip_check
        continue-on-error: true
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          cancel_others: 'true'
          concurrent_skipping: same_content_newer
  # Check which paths were changed to determine which tests to run
  check-changes:
    name: Check Changed Files
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'
    runs-on: ubuntu-latest
    outputs:
      api-changed: ${{ steps.changes.outputs.api }}
      e2e-changed: ${{ steps.changes.outputs.e2e }}
      web-changed: ${{ steps.changes.outputs.web }}
      vdb-changed: ${{ steps.changes.outputs.vdb }}
      migration-changed: ${{ steps.changes.outputs.migration }}
@ -34,49 +54,377 @@ jobs:
          filters: |
            api:
              - 'api/**'
              - 'docker/**'
              - '.github/workflows/api-tests.yml'
              - '.github/workflows/expose_service_ports.sh'
              - 'docker/.env.example'
              - 'docker/middleware.env.example'
              - 'docker/docker-compose.middleware.yaml'
              - 'docker/docker-compose-template.yaml'
              - 'docker/generate_docker_compose'
              - 'docker/ssrf_proxy/**'
              - 'docker/volumes/sandbox/conf/**'
            web:
              - 'web/**'
              - 'packages/**'
              - 'package.json'
              - 'pnpm-lock.yaml'
              - 'pnpm-workspace.yaml'
              - '.npmrc'
              - '.nvmrc'
              - '.github/workflows/web-tests.yml'
              - '.github/actions/setup-web/**'
            e2e:
              - 'api/**'
              - 'api/pyproject.toml'
              - 'api/uv.lock'
              - 'e2e/**'
              - 'web/**'
              - 'packages/**'
              - 'package.json'
              - 'pnpm-lock.yaml'
              - 'pnpm-workspace.yaml'
              - '.npmrc'
              - '.nvmrc'
              - 'docker/docker-compose.middleware.yaml'
              - 'docker/middleware.env.example'
              - '.github/workflows/web-e2e.yml'
              - '.github/actions/setup-web/**'
            vdb:
              - 'api/core/rag/datasource/**'
-              - 'docker/**'
+              - 'api/tests/integration_tests/vdb/**'
              - 'api/providers/vdb/*/tests/**'
              - '.github/workflows/vdb-tests.yml'
              - '.github/workflows/expose_service_ports.sh'
              - 'docker/.env.example'
              - 'docker/middleware.env.example'
              - 'docker/docker-compose.yaml'
              - 'docker/docker-compose-template.yaml'
              - 'docker/generate_docker_compose'
              - 'docker/certbot/**'
              - 'docker/couchbase-server/**'
              - 'docker/elasticsearch/**'
              - 'docker/iris/**'
              - 'docker/nginx/**'
              - 'docker/pgvector/**'
              - 'docker/ssrf_proxy/**'
              - 'docker/startupscripts/**'
              - 'docker/tidb/**'
              - 'docker/volumes/**'
              - 'api/uv.lock'
              - 'api/pyproject.toml'
            migration:
              - 'api/migrations/**'
              - 'api/.env.example'
              - '.github/workflows/db-migration-test.yml'
              - '.github/workflows/expose_service_ports.sh'
              - 'docker/.env.example'
              - 'docker/middleware.env.example'
              - 'docker/docker-compose.middleware.yaml'
              - 'docker/docker-compose-template.yaml'
              - 'docker/generate_docker_compose'
              - 'docker/ssrf_proxy/**'
              - 'docker/volumes/sandbox/conf/**'
-  # Run tests in parallel
+  # Run tests in parallel while always emitting stable required checks.
-  api-tests:
+  api-tests-run:
-    name: API Tests
+    name: Run API Tests
-    needs: check-changes
+    needs:
-    if: needs.check-changes.outputs.api-changed == 'true'
+      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.api-changed == 'true'
    uses: ./.github/workflows/api-tests.yml
    secrets: inherit
-  web-tests:
+  api-tests-skip:
-    name: Web Tests
+    name: Skip API Tests
-    needs: check-changes
+    needs:
-    if: needs.check-changes.outputs.web-changed == 'true'
+      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.api-changed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Report skipped API tests
        run: echo "No API-related changes detected; skipping API tests."
  api-tests:
    name: API Tests
    if: ${{ always() }}
    needs:
      - pre_job
      - check-changes
      - api-tests-run
      - api-tests-skip
    runs-on: ubuntu-latest
    steps:
      - name: Finalize API Tests status
        env:
          SHOULD_SKIP_WORKFLOW: ${{ needs.pre_job.outputs.should_skip }}
          TESTS_CHANGED: ${{ needs.check-changes.outputs.api-changed }}
          RUN_RESULT: ${{ needs.api-tests-run.result }}
          SKIP_RESULT: ${{ needs.api-tests-skip.result }}
        run: |
          if [[ "$SHOULD_SKIP_WORKFLOW" == 'true' ]]; then
            echo "API tests were skipped because this workflow run duplicated a successful or newer run."
            exit 0
          fi
          if [[ "$TESTS_CHANGED" == 'true' ]]; then
            if [[ "$RUN_RESULT" == 'success' ]]; then
              echo "API tests ran successfully."
              exit 0
            fi
            echo "API tests were required but finished with result: $RUN_RESULT" >&2
            exit 1
          fi
          if [[ "$SKIP_RESULT" == 'success' ]]; then
            echo "API tests were skipped because no API-related files changed."
            exit 0
          fi
          echo "API tests were not required, but the skip job finished with result: $SKIP_RESULT" >&2
          exit 1
  web-tests-run:
    name: Run Web Tests
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.web-changed == 'true'
    uses: ./.github/workflows/web-tests.yml
    secrets: inherit
  web-tests-skip:
    name: Skip Web Tests
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.web-changed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Report skipped web tests
        run: echo "No web-related changes detected; skipping web tests."
  web-tests:
    name: Web Tests
    if: ${{ always() }}
    needs:
      - pre_job
      - check-changes
      - web-tests-run
      - web-tests-skip
    runs-on: ubuntu-latest
    steps:
      - name: Finalize Web Tests status
        env:
          SHOULD_SKIP_WORKFLOW: ${{ needs.pre_job.outputs.should_skip }}
          TESTS_CHANGED: ${{ needs.check-changes.outputs.web-changed }}
          RUN_RESULT: ${{ needs.web-tests-run.result }}
          SKIP_RESULT: ${{ needs.web-tests-skip.result }}
        run: |
          if [[ "$SHOULD_SKIP_WORKFLOW" == 'true' ]]; then
            echo "Web tests were skipped because this workflow run duplicated a successful or newer run."
            exit 0
          fi
          if [[ "$TESTS_CHANGED" == 'true' ]]; then
            if [[ "$RUN_RESULT" == 'success' ]]; then
              echo "Web tests ran successfully."
              exit 0
            fi
            echo "Web tests were required but finished with result: $RUN_RESULT" >&2
            exit 1
          fi
          if [[ "$SKIP_RESULT" == 'success' ]]; then
            echo "Web tests were skipped because no web-related files changed."
            exit 0
          fi
          echo "Web tests were not required, but the skip job finished with result: $SKIP_RESULT" >&2
          exit 1
  web-e2e-run:
    name: Run Web Full-Stack E2E
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.e2e-changed == 'true'
    uses: ./.github/workflows/web-e2e.yml
  web-e2e-skip:
    name: Skip Web Full-Stack E2E
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.e2e-changed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Report skipped web full-stack e2e
        run: echo "No E2E-related changes detected; skipping web full-stack E2E."
  web-e2e:
    name: Web Full-Stack E2E
    if: ${{ always() }}
    needs:
      - pre_job
      - check-changes
      - web-e2e-run
      - web-e2e-skip
    runs-on: ubuntu-latest
    steps:
      - name: Finalize Web Full-Stack E2E status
        env:
          SHOULD_SKIP_WORKFLOW: ${{ needs.pre_job.outputs.should_skip }}
          TESTS_CHANGED: ${{ needs.check-changes.outputs.e2e-changed }}
          RUN_RESULT: ${{ needs.web-e2e-run.result }}
          SKIP_RESULT: ${{ needs.web-e2e-skip.result }}
        run: |
          if [[ "$SHOULD_SKIP_WORKFLOW" == 'true' ]]; then
            echo "Web full-stack E2E was skipped because this workflow run duplicated a successful or newer run."
            exit 0
          fi
          if [[ "$TESTS_CHANGED" == 'true' ]]; then
            if [[ "$RUN_RESULT" == 'success' ]]; then
              echo "Web full-stack E2E ran successfully."
              exit 0
            fi
            echo "Web full-stack E2E was required but finished with result: $RUN_RESULT" >&2
            exit 1
          fi
          if [[ "$SKIP_RESULT" == 'success' ]]; then
            echo "Web full-stack E2E was skipped because no E2E-related files changed."
            exit 0
          fi
          echo "Web full-stack E2E was not required, but the skip job finished with result: $SKIP_RESULT" >&2
          exit 1
  style-check:
    name: Style Check
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'
    uses: ./.github/workflows/style.yml
  vdb-tests-run:
    name: Run VDB Tests
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.vdb-changed == 'true'
    uses: ./.github/workflows/vdb-tests.yml
  vdb-tests-skip:
    name: Skip VDB Tests
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.vdb-changed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Report skipped VDB tests
        run: echo "No VDB-related changes detected; skipping VDB tests."
  vdb-tests:
    name: VDB Tests
-    needs: check-changes
+    if: ${{ always() }}
-    if: needs.check-changes.outputs.vdb-changed == 'true'
+    needs:
-    uses: ./.github/workflows/vdb-tests.yml
+      - pre_job
      - check-changes
      - vdb-tests-run
      - vdb-tests-skip
    runs-on: ubuntu-latest
    steps:
      - name: Finalize VDB Tests status
        env:
          SHOULD_SKIP_WORKFLOW: ${{ needs.pre_job.outputs.should_skip }}
          TESTS_CHANGED: ${{ needs.check-changes.outputs.vdb-changed }}
          RUN_RESULT: ${{ needs.vdb-tests-run.result }}
          SKIP_RESULT: ${{ needs.vdb-tests-skip.result }}
        run: |
          if [[ "$SHOULD_SKIP_WORKFLOW" == 'true' ]]; then
            echo "VDB tests were skipped because this workflow run duplicated a successful or newer run."
            exit 0
          fi
          if [[ "$TESTS_CHANGED" == 'true' ]]; then
            if [[ "$RUN_RESULT" == 'success' ]]; then
              echo "VDB tests ran successfully."
              exit 0
            fi
            echo "VDB tests were required but finished with result: $RUN_RESULT" >&2
            exit 1
          fi
          if [[ "$SKIP_RESULT" == 'success' ]]; then
            echo "VDB tests were skipped because no VDB-related files changed."
            exit 0
          fi
          echo "VDB tests were not required, but the skip job finished with result: $SKIP_RESULT" >&2
          exit 1
  db-migration-test-run:
    name: Run DB Migration Test
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.migration-changed == 'true'
    uses: ./.github/workflows/db-migration-test.yml
  db-migration-test-skip:
    name: Skip DB Migration Test
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.migration-changed != 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Report skipped DB migration tests
        run: echo "No migration-related changes detected; skipping DB migration tests."
  db-migration-test:
    name: DB Migration Test
-    needs: check-changes
+    if: ${{ always() }}
-    if: needs.check-changes.outputs.migration-changed == 'true'
+    needs:
-    uses: ./.github/workflows/db-migration-test.yml
+      - pre_job
      - check-changes
      - db-migration-test-run
      - db-migration-test-skip
    runs-on: ubuntu-latest
    steps:
      - name: Finalize DB Migration Test status
        env:
          SHOULD_SKIP_WORKFLOW: ${{ needs.pre_job.outputs.should_skip }}
          TESTS_CHANGED: ${{ needs.check-changes.outputs.migration-changed }}
          RUN_RESULT: ${{ needs.db-migration-test-run.result }}
          SKIP_RESULT: ${{ needs.db-migration-test-skip.result }}
        run: |
          if [[ "$SHOULD_SKIP_WORKFLOW" == 'true' ]]; then
            echo "DB migration tests were skipped because this workflow run duplicated a successful or newer run."
            exit 0
          fi
          if [[ "$TESTS_CHANGED" == 'true' ]]; then
            if [[ "$RUN_RESULT" == 'success' ]]; then
              echo "DB migration tests ran successfully."
              exit 0
            fi
            echo "DB migration tests were required but finished with result: $RUN_RESULT" >&2
            exit 1
          fi
          if [[ "$SKIP_RESULT" == 'success' ]]; then
            echo "DB migration tests were skipped because no migration-related files changed."
            exit 0
          fi
          echo "DB migration tests were not required, but the skip job finished with result: $SKIP_RESULT" >&2
          exit 1
--- a/.github/workflows/pyrefly-diff-comment.yml
+++ b/.github/workflows/pyrefly-diff-comment.yml
@ -21,7 +21,7 @@ jobs:
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.pull_requests[0].head.repo.full_name != github.repository }}
    steps:
      - name: Download pyrefly diff artifact
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@ -49,7 +49,7 @@ jobs:
        run: unzip -o pyrefly_diff.zip
      - name: Post comment
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/pyrefly-diff.yml
+++ b/.github/workflows/pyrefly-diff.yml
@ -22,7 +22,7 @@ jobs:
          fetch-depth: 0
      - name: Setup Python & UV
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
@ -50,12 +50,23 @@ jobs:
        run: |
          diff -u /tmp/pyrefly_base.txt /tmp/pyrefly_pr.txt > pyrefly_diff.txt || true
      - name: Check if line counts match
        id: line_count_check
        run: |
          base_lines=$(wc -l < /tmp/pyrefly_base.txt)
          pr_lines=$(wc -l < /tmp/pyrefly_pr.txt)
          if [ "$base_lines" -eq "$pr_lines" ]; then
            echo "same=true" >> $GITHUB_OUTPUT
          else
            echo "same=false" >> $GITHUB_OUTPUT
          fi
      - name: Save PR number
        run: |
          echo ${{ github.event.pull_request.number }} > pr_number.txt
      - name: Upload pyrefly diff
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: pyrefly_diff
          path: |
@ -63,8 +74,8 @@ jobs:
            pr_number.txt
      - name: Comment PR with pyrefly diff
-        if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && steps.line_count_check.outputs.same == 'false' }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/pyrefly-type-coverage-comment.yml
+++ b/.github/workflows/pyrefly-type-coverage-comment.yml
@ -0,0 +1,118 @@
 name: Comment with Pyrefly Type Coverage
 on:
  workflow_run:
    workflows:
      - Pyrefly Type Coverage
    types:
      - completed
 permissions: {}
 jobs:
  comment:
    name: Comment PR with type coverage
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      issues: write
      pull-requests: write
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.pull_requests[0].head.repo.full_name != github.repository }}
    steps:
      - name: Checkout default branch (trusted code)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Python & UV
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
      - name: Install dependencies
        run: uv sync --project api --dev
      - name: Download type coverage artifact
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{ github.event.workflow_run.id }},
            });
            const match = artifacts.data.artifacts.find((artifact) =>
              artifact.name === 'pyrefly_type_coverage'
            );
            if (!match) {
              throw new Error('pyrefly_type_coverage artifact not found');
            }
            const download = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: match.id,
              archive_format: 'zip',
            });
            fs.writeFileSync('pyrefly_type_coverage.zip', Buffer.from(download.data));
      - name: Unzip artifact
        run: unzip -o pyrefly_type_coverage.zip
      - name: Render coverage markdown from structured data
        id: render
        run: |
          comment_body="$(uv run --directory api python libs/pyrefly_type_coverage.py \
            --base base_report.json \
            < pr_report.json)"
          {
            echo "### Pyrefly Type Coverage"
            echo ""
            echo "$comment_body"
          } > /tmp/type_coverage_comment.md
      - name: Post comment
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const body = fs.readFileSync('/tmp/type_coverage_comment.md', { encoding: 'utf8' });
            let prNumber = null;
            try {
              prNumber = parseInt(fs.readFileSync('pr_number.txt', { encoding: 'utf8' }), 10);
            } catch (err) {
              const prs = context.payload.workflow_run.pull_requests || [];
              if (prs.length > 0 && prs[0].number) {
                prNumber = prs[0].number;
              }
            }
            if (!prNumber) {
              throw new Error('PR number not found in artifact or workflow_run payload');
            }
            // Update existing comment if one exists, otherwise create new
            const { data: comments } = await github.rest.issues.listComments({
              issue_number: prNumber,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
            const marker = '### Pyrefly Type Coverage';
            const existing = comments.find(c => c.body.startsWith(marker));
            if (existing) {
              await github.rest.issues.updateComment({
                comment_id: existing.id,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                issue_number: prNumber,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            }
--- a/.github/workflows/pyrefly-type-coverage.yml
+++ b/.github/workflows/pyrefly-type-coverage.yml
@ -0,0 +1,120 @@
 name: Pyrefly Type Coverage
 on:
  pull_request:
    paths:
      - 'api/**/*.py'
 permissions:
  contents: read
 jobs:
  pyrefly-type-coverage:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Python & UV
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
      - name: Install dependencies
        run: uv sync --project api --dev
      - name: Run pyrefly report on PR branch
        run: |
          uv run --directory api --dev pyrefly report 2>/dev/null > /tmp/pyrefly_report_pr.tmp && \
            mv /tmp/pyrefly_report_pr.tmp /tmp/pyrefly_report_pr.json || \
            echo '{}' > /tmp/pyrefly_report_pr.json
      - name: Save helper script from base branch
        run: |
          git show ${{ github.event.pull_request.base.sha }}:api/libs/pyrefly_type_coverage.py > /tmp/pyrefly_type_coverage.py 2>/dev/null \
            || cp api/libs/pyrefly_type_coverage.py /tmp/pyrefly_type_coverage.py
      - name: Checkout base branch
        run: git checkout ${{ github.base_ref }}
      - name: Run pyrefly report on base branch
        run: |
          uv run --directory api --dev pyrefly report 2>/dev/null > /tmp/pyrefly_report_base.tmp && \
            mv /tmp/pyrefly_report_base.tmp /tmp/pyrefly_report_base.json || \
            echo '{}' > /tmp/pyrefly_report_base.json
      - name: Generate coverage comparison
        id: coverage
        run: |
          comment_body="$(uv run --directory api python /tmp/pyrefly_type_coverage.py \
            --base /tmp/pyrefly_report_base.json \
            < /tmp/pyrefly_report_pr.json)"
          {
            echo "### Pyrefly Type Coverage"
            echo ""
            echo "$comment_body"
          } | tee -a "$GITHUB_STEP_SUMMARY" > /tmp/type_coverage_comment.md
          # Save structured data for the fork-PR comment workflow
          cp /tmp/pyrefly_report_pr.json pr_report.json
          cp /tmp/pyrefly_report_base.json base_report.json
      - name: Save PR number
        run: |
          echo ${{ github.event.pull_request.number }} > pr_number.txt
      - name: Upload type coverage artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: pyrefly_type_coverage
          path: |
            pr_report.json
            base_report.json
            pr_number.txt
      - name: Comment PR with type coverage
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const marker = '### Pyrefly Type Coverage';
            let body;
            try {
              body = fs.readFileSync('/tmp/type_coverage_comment.md', { encoding: 'utf8' });
            } catch {
              body = `${marker}\n\n_Coverage report unavailable._`;
            }
            const prNumber = context.payload.pull_request.number;
            // Update existing comment if one exists, otherwise create new
            const { data: comments } = await github.rest.issues.listComments({
              issue_number: prNumber,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
            const existing = comments.find(c => c.body.startsWith(marker));
            if (existing) {
              await github.rest.issues.updateComment({
                comment_id: existing.id,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                issue_number: prNumber,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            }
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@ -7,6 +7,9 @@ on:
      - edited
      - reopened
      - synchronize
  merge_group:
    branches: ["main"]
    types: [checks_requested]
 jobs:
  lint:
@ -15,7 +18,11 @@ jobs:
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - name: Complete merge group check
        if: github.event_name == 'merge_group'
        run: echo "Semantic PR title validation is handled on pull requests."
      - name: Check title
        if: github.event_name == 'pull_request'
        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -23,8 +23,8 @@ jobs:
          days-before-issue-stale: 15
          days-before-issue-close: 3
          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          stale-issue-message: "Close due to it's no longer active, if you have any questions, you can reopen it."
+          stale-issue-message: "Closed due to inactivity. If you have any questions, you can reopen it."
-          stale-pr-message: "Close due to it's no longer active, if you have any questions, you can reopen it."
+          stale-pr-message: "Closed due to inactivity. If you have any questions, you can reopen it."
          stale-issue-label: 'no-issue-activity'
          stale-pr-label: 'no-pr-activity'
-          any-of-labels: 'duplicate,question,invalid,wontfix,no-issue-activity,no-pr-activity,enhancement,cant-reproduce,help-wanted'
+          any-of-labels: '🌚 invalid,🙋‍♂️ question,wont-fix,no-issue-activity,no-pr-activity,💪 enhancement,🤔 cant-reproduce,🙏 help wanted'
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@ -33,7 +33,7 @@ jobs:
      - name: Setup UV and Python
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: false
          python-version: "3.12"
@ -49,7 +49,7 @@ jobs:
      - name: Run Type Checks
        if: steps.changed-files.outputs.any_changed == 'true'
-        run: make type-check
+        run: make type-check-core
      - name: Dotenv check
        if: steps.changed-files.outputs.any_changed == 'true'
@ -77,6 +77,12 @@ jobs:
        with:
          files: |
            web/**
            packages/**
            package.json
            pnpm-lock.yaml
            pnpm-workspace.yaml
            .npmrc
            .nvmrc
            .github/workflows/style.yml
            .github/actions/setup-web/**
@ -90,9 +96,9 @@ jobs:
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: web/.eslintcache
-          key: ${{ runner.os }}-web-eslint-${{ hashFiles('web/package.json', 'web/pnpm-lock.yaml', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-${{ github.sha }}
+          key: ${{ runner.os }}-web-eslint-${{ hashFiles('web/package.json', 'pnpm-lock.yaml', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-${{ github.sha }}
          restore-keys: |
-            ${{ runner.os }}-web-eslint-${{ hashFiles('web/package.json', 'web/pnpm-lock.yaml', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-
+            ${{ runner.os }}-web-eslint-${{ hashFiles('web/package.json', 'pnpm-lock.yaml', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-
      - name: Web style check
        if: steps.changed-files.outputs.any_changed == 'true'
@ -114,6 +120,16 @@ jobs:
        working-directory: ./web
        run: vp run knip
      - name: dify-ui lint
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ./packages/dify-ui
        run: vp run lint
      - name: dify-ui type check
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ./packages/dify-ui
        run: vp run type-check
      - name: Save ESLint cache
        if: steps.changed-files.outputs.any_changed == 'true' && success() && steps.eslint-cache-restore.outputs.cache-hit != 'true'
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
@ -145,7 +161,7 @@ jobs:
            .editorconfig
      - name: Super-linter
-        uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
+        uses: super-linter/super-linter/slim@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0
        if: steps.changed-files.outputs.any_changed == 'true'
        env:
          BASH_SEVERITY: warning
--- a/.github/workflows/tool-test-sdks.yaml
+++ b/.github/workflows/tool-test-sdks.yaml
@ -6,6 +6,10 @@ on:
      - main
    paths:
      - sdks/**
      - package.json
      - pnpm-lock.yaml
      - pnpm-workspace.yaml
      - .npmrc
 concurrency:
  group: sdk-tests-${{ github.head_ref || github.run_id }}
--- a/.github/workflows/translate-i18n-claude.yml
+++ b/.github/workflows/translate-i18n-claude.yml
@ -1,26 +1,24 @@
 name: Translate i18n Files with Claude Code
 # Note: claude-code-action doesn't support push events directly.
-# Push events are handled by trigger-i18n-sync.yml which sends repository_dispatch.
+# Push events are bridged by trigger-i18n-sync.yml via repository_dispatch.
 # See: https://github.com/langgenius/dify/issues/30743
 on:
  repository_dispatch:
    types: [i18n-sync]
  workflow_dispatch:
    inputs:
      files:
-        description: 'Specific files to translate (space-separated, e.g., "app common"). Leave empty for all files.'
+        description: 'Specific files to translate (space-separated, e.g., "app common"). Required for full mode; leave empty in incremental mode to use en-US files changed since HEAD~1.'
        required: false
        type: string
      languages:
-        description: 'Specific languages to translate (space-separated, e.g., "zh-Hans ja-JP"). Leave empty for all supported languages.'
+        description: 'Specific languages to translate (space-separated, e.g., "zh-Hans ja-JP"). Leave empty for all supported target languages except en-US.'
        required: false
        type: string
      mode:
-        description: 'Sync mode: incremental (only changes) or full (re-check all keys)'
+        description: 'Sync mode: incremental (compare with previous en-US revision) or full (sync all keys in scope)'
        required: false
-        default: 'incremental'
+        default: incremental
        type: choice
        options:
          - incremental
@ -30,11 +28,15 @@ permissions:
  contents: write
  pull-requests: write
 concurrency:
  group: translate-i18n-${{ github.event_name }}-${{ github.ref }}
  cancel-in-progress: false
 jobs:
  translate:
    if: github.repository == 'langgenius/dify'
    runs-on: ubuntu-latest
-    timeout-minutes: 60
+    timeout-minutes: 120
    steps:
      - name: Checkout repository
@ -51,380 +53,293 @@ jobs:
      - name: Setup web environment
        uses: ./.github/actions/setup-web
-      - name: Detect changed files and generate diff
+      - name: Prepare sync context
-        id: detect_changes
+        id: context
        shell: bash
        run: |
-          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+          DEFAULT_TARGET_LANGS=$(awk "
-            # Manual trigger
+            /value: '/ {
-            if [ -n "${{ github.event.inputs.files }}" ]; then
+              value=\$2
-              echo "CHANGED_FILES=${{ github.event.inputs.files }}" >> $GITHUB_OUTPUT
+              gsub(/[',]/, \"\", value)
-            else
+            }
-              # Get all JSON files in en-US directory
+            /supported: true/ && value != \"en-US\" {
-              files=$(ls web/i18n/en-US/*.json 2>/dev/null | xargs -n1 basename | sed 's/.json$//' | tr '\n' ' ')
+              printf \"%s \", value
-              echo "CHANGED_FILES=$files" >> $GITHUB_OUTPUT
+            }
-            fi
+          " web/i18n-config/languages.ts | sed 's/[[:space:]]*$//')
            echo "TARGET_LANGS=${{ github.event.inputs.languages }}" >> $GITHUB_OUTPUT
            echo "SYNC_MODE=${{ github.event.inputs.mode || 'incremental' }}" >> $GITHUB_OUTPUT
-            # For manual trigger with incremental mode, get diff from last commit
+          generate_changes_json() {
-            # For full mode, we'll do a complete check anyway
+            node .github/scripts/generate-i18n-changes.mjs
-            if [ "${{ github.event.inputs.mode }}" == "full" ]; then
+          }
              echo "Full mode: will check all keys" > /tmp/i18n-diff.txt
              echo "DIFF_AVAILABLE=false" >> $GITHUB_OUTPUT
            else
              git diff HEAD~1..HEAD -- 'web/i18n/en-US/*.json' > /tmp/i18n-diff.txt 2>/dev/null || echo "" > /tmp/i18n-diff.txt
              if [ -s /tmp/i18n-diff.txt ]; then
                echo "DIFF_AVAILABLE=true" >> $GITHUB_OUTPUT
              else
                echo "DIFF_AVAILABLE=false" >> $GITHUB_OUTPUT
              fi
            fi
          elif [ "${{ github.event_name }}" == "repository_dispatch" ]; then
            # Triggered by push via trigger-i18n-sync.yml workflow
            # Validate required payload fields
            if [ -z "${{ github.event.client_payload.changed_files }}" ]; then
              echo "Error: repository_dispatch payload missing required 'changed_files' field" >&2
              exit 1
            fi
            echo "CHANGED_FILES=${{ github.event.client_payload.changed_files }}" >> $GITHUB_OUTPUT
            echo "TARGET_LANGS=" >> $GITHUB_OUTPUT
            echo "SYNC_MODE=${{ github.event.client_payload.sync_mode || 'incremental' }}" >> $GITHUB_OUTPUT
-            # Decode the base64-encoded diff from the trigger workflow
+          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
-            if [ -n "${{ github.event.client_payload.diff_base64 }}" ]; then
+            BASE_SHA="${{ github.event.client_payload.base_sha }}"
-              if ! echo "${{ github.event.client_payload.diff_base64 }}" | base64 -d > /tmp/i18n-diff.txt 2>&1; then
+            HEAD_SHA="${{ github.event.client_payload.head_sha }}"
-                echo "Warning: Failed to decode base64 diff payload" >&2
+            CHANGED_FILES="${{ github.event.client_payload.changed_files }}"
-                echo "" > /tmp/i18n-diff.txt
+            TARGET_LANGS="$DEFAULT_TARGET_LANGS"
-                echo "DIFF_AVAILABLE=false" >> $GITHUB_OUTPUT
+            SYNC_MODE="${{ github.event.client_payload.sync_mode || 'incremental' }}"
-              elif [ -s /tmp/i18n-diff.txt ]; then
+
-                echo "DIFF_AVAILABLE=true" >> $GITHUB_OUTPUT
+            if [ -n "${{ github.event.client_payload.changes_base64 }}" ]; then
-              else
+              printf '%s' '${{ github.event.client_payload.changes_base64 }}' | base64 -d > /tmp/i18n-changes.json
-                echo "DIFF_AVAILABLE=false" >> $GITHUB_OUTPUT
+              CHANGES_AVAILABLE="true"
-              fi
+              CHANGES_SOURCE="embedded"
            elif [ -n "$BASE_SHA" ] && [ -n "$CHANGED_FILES" ]; then
              export BASE_SHA HEAD_SHA CHANGED_FILES
              generate_changes_json
              CHANGES_AVAILABLE="true"
              CHANGES_SOURCE="recomputed"
            else
-              echo "" > /tmp/i18n-diff.txt
+              printf '%s' '{"baseSha":"","headSha":"","files":[],"changes":{}}' > /tmp/i18n-changes.json
-              echo "DIFF_AVAILABLE=false" >> $GITHUB_OUTPUT
+              CHANGES_AVAILABLE="false"
              CHANGES_SOURCE="unavailable"
            fi
          else
-            echo "Unsupported event type: ${{ github.event_name }}"
+            BASE_SHA=""
-            exit 1
+            HEAD_SHA=$(git rev-parse HEAD)
            if [ -n "${{ github.event.inputs.languages }}" ]; then
              TARGET_LANGS="${{ github.event.inputs.languages }}"
            else
              TARGET_LANGS="$DEFAULT_TARGET_LANGS"
            fi
            SYNC_MODE="${{ github.event.inputs.mode || 'incremental' }}"
            if [ -n "${{ github.event.inputs.files }}" ]; then
              CHANGED_FILES="${{ github.event.inputs.files }}"
            elif [ "$SYNC_MODE" = "incremental" ]; then
              BASE_SHA=$(git rev-parse HEAD~1 2>/dev/null || true)
              if [ -n "$BASE_SHA" ]; then
                CHANGED_FILES=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA" -- 'web/i18n/en-US/*.json' 2>/dev/null | sed -n 's@^.*/@@p' | sed 's/\.json$//' | tr '\n' ' ' | sed 's/[[:space:]]*$//')
              else
                CHANGED_FILES=$(find web/i18n/en-US -maxdepth 1 -type f -name '*.json' -print | sed -n 's@^.*/@@p' | sed 's/\.json$//' | sort | tr '\n' ' ' | sed 's/[[:space:]]*$//')
              fi
            elif [ "$SYNC_MODE" = "full" ]; then
              echo "workflow_dispatch full mode requires the files input to stay within CI limits." >&2
              exit 1
            else
              CHANGED_FILES=""
            fi
            if [ "$SYNC_MODE" = "incremental" ] && [ -n "$CHANGED_FILES" ]; then
              export BASE_SHA HEAD_SHA CHANGED_FILES
              generate_changes_json
              CHANGES_AVAILABLE="true"
              CHANGES_SOURCE="local"
            else
              printf '%s' '{"baseSha":"","headSha":"","files":[],"changes":{}}' > /tmp/i18n-changes.json
              CHANGES_AVAILABLE="false"
              CHANGES_SOURCE="unavailable"
            fi
          fi
-          # Truncate diff if too large (keep first 50KB)
+          FILE_ARGS=""
-          if [ -f /tmp/i18n-diff.txt ]; then
+          if [ -n "$CHANGED_FILES" ]; then
-            head -c 50000 /tmp/i18n-diff.txt > /tmp/i18n-diff-truncated.txt
+            FILE_ARGS="--file $CHANGED_FILES"
            mv /tmp/i18n-diff-truncated.txt /tmp/i18n-diff.txt
          fi
-          echo "Detected files: $(cat $GITHUB_OUTPUT | grep CHANGED_FILES || echo 'none')"
+          LANG_ARGS=""
          if [ -n "$TARGET_LANGS" ]; then
            LANG_ARGS="--lang $TARGET_LANGS"
          fi
          {
            echo "DEFAULT_TARGET_LANGS=$DEFAULT_TARGET_LANGS"
            echo "BASE_SHA=$BASE_SHA"
            echo "HEAD_SHA=$HEAD_SHA"
            echo "CHANGED_FILES=$CHANGED_FILES"
            echo "TARGET_LANGS=$TARGET_LANGS"
            echo "SYNC_MODE=$SYNC_MODE"
            echo "CHANGES_AVAILABLE=$CHANGES_AVAILABLE"
            echo "CHANGES_SOURCE=$CHANGES_SOURCE"
            echo "FILE_ARGS=$FILE_ARGS"
            echo "LANG_ARGS=$LANG_ARGS"
          } >> "$GITHUB_OUTPUT"
          echo "Files: ${CHANGED_FILES:-<none>}"
          echo "Languages: ${TARGET_LANGS:-<none>}"
          echo "Mode: $SYNC_MODE"
      - name: Run Claude Code for Translation Sync
-        if: steps.detect_changes.outputs.CHANGED_FILES != ''
+        if: steps.context.outputs.CHANGED_FILES != ''
-        uses: anthropics/claude-code-action@ff9acae5886d41a99ed4ec14b7dc147d55834722 # v1.0.77
+        uses: anthropics/claude-code-action@b47fd721da662d48c5680e154ad16a73ed74d2e0 # v1.0.93
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # Allow github-actions bot to trigger this workflow via repository_dispatch
          # See: https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
          allowed_bots: 'github-actions[bot]'
          show_full_output: ${{ github.event_name == 'workflow_dispatch' }}
          prompt: |
-            You are a professional i18n synchronization engineer for the Dify project.
+            You are the i18n sync agent for the Dify repository.
-            Your task is to keep all language translations in sync with the English source (en-US).
+            Your job is to keep translations synchronized with the English source files under `${{ github.workspace }}/web/i18n/en-US/`.
-            ## CRITICAL TOOL RESTRICTIONS
+            Use absolute paths at all times:
-            - Use **Read** tool to read files (NOT cat or bash)
+            - Repo root: `${{ github.workspace }}`
-            - Use **Edit** tool to modify JSON files (NOT node, jq, or bash scripts)
+            - Web directory: `${{ github.workspace }}/web`
-            - Use **Bash** ONLY for: git commands, gh commands, pnpm commands
+            - Language config: `${{ github.workspace }}/web/i18n-config/languages.ts`
            - Run bash commands ONE BY ONE, never combine with && or ||
            - NEVER use `$()` command substitution - it's not supported. Split into separate commands instead.
-            ## WORKING DIRECTORY & ABSOLUTE PATHS
+            Inputs:
-            Claude Code sandbox working directory may vary. Always use absolute paths:
+            - Files in scope: `${{ steps.context.outputs.CHANGED_FILES }}`
-            - For pnpm: `pnpm --dir ${{ github.workspace }}/web <command>`
+            - Target languages: `${{ steps.context.outputs.TARGET_LANGS }}`
-            - For git: `git -C ${{ github.workspace }} <command>`
+            - Sync mode: `${{ steps.context.outputs.SYNC_MODE }}`
-            - For gh: `gh --repo ${{ github.repository }} <command>`
+            - Base SHA: `${{ steps.context.outputs.BASE_SHA }}`
-            - For file paths: `${{ github.workspace }}/web/i18n/`
+            - Head SHA: `${{ steps.context.outputs.HEAD_SHA }}`
            - Scoped file args: `${{ steps.context.outputs.FILE_ARGS }}`
            - Scoped language args: `${{ steps.context.outputs.LANG_ARGS }}`
            - Structured change set available: `${{ steps.context.outputs.CHANGES_AVAILABLE }}`
            - Structured change set source: `${{ steps.context.outputs.CHANGES_SOURCE }}`
            - Structured change set file: `/tmp/i18n-changes.json`
-            ## EFFICIENCY RULES
+            Tool rules:
-            - **ONE Edit per language file** - batch all key additions into a single Edit
+            - Use Read for repository files.
-            - Insert new keys at the beginning of JSON (after `{`), lint:fix will sort them
+            - Use Edit for JSON updates.
-            - Translate ALL keys for a language mentally first, then do ONE Edit
+            - Use Bash only for `vp`.
-
+            - Do not use Bash for `git`, `gh`, or branch management.
            ## Context
            - Changed/target files: ${{ steps.detect_changes.outputs.CHANGED_FILES }}
            - Target languages (empty means all supported): ${{ steps.detect_changes.outputs.TARGET_LANGS }}
            - Sync mode: ${{ steps.detect_changes.outputs.SYNC_MODE }}
            - Translation files are located in: ${{ github.workspace }}/web/i18n/{locale}/{filename}.json
            - Language configuration is in: ${{ github.workspace }}/web/i18n-config/languages.ts
            - Git diff is available: ${{ steps.detect_changes.outputs.DIFF_AVAILABLE }}
            ## CRITICAL DESIGN: Verify First, Then Sync
            You MUST follow this three-phase approach:
            ═══════════════════════════════════════════════════════════════
            ║  PHASE 1: VERIFY - Analyze and Generate Change Report       ║
            ═══════════════════════════════════════════════════════════════
            ### Step 1.1: Analyze Git Diff (for incremental mode)
            Use the Read tool to read `/tmp/i18n-diff.txt` to see the git diff.
            Parse the diff to categorize changes:
            - Lines with `+` (not `+++`): Added or modified values
            - Lines with `-` (not `---`): Removed or old values
            - Identify specific keys for each category:
              * ADD: Keys that appear only in `+` lines (new keys)
              * UPDATE: Keys that appear in both `-` and `+` lines (value changed)
              * DELETE: Keys that appear only in `-` lines (removed keys)
            ### Step 1.2: Read Language Configuration
            Use the Read tool to read `${{ github.workspace }}/web/i18n-config/languages.ts`.
            Extract all languages with `supported: true`.
            ### Step 1.3: Run i18n:check for Each Language
            ```bash
            pnpm --dir ${{ github.workspace }}/web install --frozen-lockfile
            ```
            ```bash
            pnpm --dir ${{ github.workspace }}/web run i18n:check
            ```
            This will report:
            - Missing keys (need to ADD)
            - Extra keys (need to DELETE)
            ### Step 1.4: Generate Change Report
            Create a structured report identifying:
            ```
            ╔══════════════════════════════════════════════════════════════╗
            ║                    I18N SYNC CHANGE REPORT                   ║
            ╠══════════════════════════════════════════════════════════════╣
            ║ Files to process: [list]                                     ║
            ║ Languages to sync: [list]                                    ║
            ╠══════════════════════════════════════════════════════════════╣
            ║ ADD (New Keys):                                              ║
            ║   - [filename].[key]: "English value"                        ║
            ║   ...                                                        ║
            ╠══════════════════════════════════════════════════════════════╣
            ║ UPDATE (Modified Keys - MUST re-translate):                  ║
            ║   - [filename].[key]: "Old value" → "New value"              ║
            ║   ...                                                        ║
            ╠══════════════════════════════════════════════════════════════╣
            ║ DELETE (Extra Keys):                                         ║
            ║   - [language]/[filename].[key]                              ║
            ║   ...                                                        ║
            ╚══════════════════════════════════════════════════════════════╝
            ```
            **IMPORTANT**: For UPDATE detection, compare git diff to find keys where
            the English value changed. These MUST be re-translated even if target
            language already has a translation (it's now stale!).
            ═══════════════════════════════════════════════════════════════
            ║  PHASE 2: SYNC - Execute Changes Based on Report            ║
            ═══════════════════════════════════════════════════════════════
            ### Step 2.1: Process ADD Operations (BATCH per language file)
            **CRITICAL WORKFLOW for efficiency:**
            1. First, translate ALL new keys for ALL languages mentally
            2. Then, for EACH language file, do ONE Edit operation:
               - Read the file once
               - Insert ALL new keys at the beginning (right after the opening `{`)
               - Don't worry about alphabetical order - lint:fix will sort them later
            Example Edit (adding 3 keys to zh-Hans/app.json):
            ```
            old_string: '{\n  "accessControl"'
            new_string: '{\n  "newKey1": "translation1",\n  "newKey2": "translation2",\n  "newKey3": "translation3",\n  "accessControl"'
            ```
            **IMPORTANT**:
            - ONE Edit per language file (not one Edit per key!)
            - Always use the Edit tool. NEVER use bash scripts, node, or jq.
            ### Step 2.2: Process UPDATE Operations
            **IMPORTANT: Special handling for zh-Hans and ja-JP**
            If zh-Hans or ja-JP files were ALSO modified in the same push:
            - Run: `git -C ${{ github.workspace }} diff HEAD~1 --name-only` and check for zh-Hans or ja-JP files
            - If found, it means someone manually translated them. Apply these rules:
            1. **Missing keys**: Still ADD them (completeness required)
            2. **Existing translations**: Compare with the NEW English value:
               - If translation is **completely wrong** or **unrelated** → Update it
               - If translation is **roughly correct** (captures the meaning) → Keep it, respect manual work
               - When in doubt, **keep the manual translation**
            Example:
            - English changed: "Save" → "Save Changes"
            - Manual translation: "保存更改" → Keep it (correct meaning)
            - Manual translation: "删除" → Update it (completely wrong)
            For other languages:
            Use Edit tool to replace the old value with the new translation.
            You can batch multiple updates in one Edit if they are adjacent.
            ### Step 2.3: Process DELETE Operations
            For extra keys reported by i18n:check:
            - Run: `pnpm --dir ${{ github.workspace }}/web run i18n:check --auto-remove`
            - Or manually remove from target language JSON files
            ## Translation Guidelines
            - PRESERVE all placeholders exactly as-is:
              - `{{variable}}` - Mustache interpolation
              - `${variable}` - Template literal
              - `<tag>content</tag>` - HTML tags
              - `_one`, `_other` - Pluralization suffixes (these are KEY suffixes, not values)
              **CRITICAL: Variable names and tag names MUST stay in English - NEVER translate them**
              ✅ CORRECT examples:
              - English: "{{count}} items" → Japanese: "{{count}} 個のアイテム"
              - English: "{{name}} updated" → Korean: "{{name}} 업데이트됨"
              - English: "<email>{{email}}</email>" → Chinese: "<email>{{email}}</email>"
              - English: "<CustomLink>Marketplace</CustomLink>" → Japanese: "<CustomLink>マーケットプレイス</CustomLink>"
              ❌ WRONG examples (NEVER do this - will break the application):
              - "{{count}}" → "{{カウント}}" ❌ (variable name translated to Japanese)
              - "{{name}}" → "{{이름}}" ❌ (variable name translated to Korean)
              - "{{email}}" → "{{邮箱}}" ❌ (variable name translated to Chinese)
              - "<email>" → "<メール>" ❌ (tag name translated)
              - "<CustomLink>" → "<自定义链接>" ❌ (component name translated)
            - Use appropriate language register (formal/informal) based on existing translations
            - Match existing translation style in each language
            - Technical terms: check existing conventions per language
            - For CJK languages: no spaces between characters unless necessary
            - For RTL languages (ar-TN, fa-IR): ensure proper text handling
            ## Output Format Requirements
            - Alphabetical key ordering (if original file uses it)
            - 2-space indentation
            - Trailing newline at end of file
            - Valid JSON (use proper escaping for special characters)
            ═══════════════════════════════════════════════════════════════
            ║  PHASE 3: RE-VERIFY - Confirm All Issues Resolved           ║
            ═══════════════════════════════════════════════════════════════
            ### Step 3.1: Run Lint Fix (IMPORTANT!)
            ```bash
            pnpm --dir ${{ github.workspace }}/web lint:fix --quiet -- 'i18n/**/*.json'
            ```
            This ensures:
            - JSON keys are sorted alphabetically (jsonc/sort-keys rule)
            - Valid i18n keys (dify-i18n/valid-i18n-keys rule)
            - No extra keys (dify-i18n/no-extra-keys rule)
            ### Step 3.2: Run Final i18n Check
            ```bash
            pnpm --dir ${{ github.workspace }}/web run i18n:check
            ```
            ### Step 3.3: Fix Any Remaining Issues
            If check reports issues:
            - Go back to PHASE 2 for unresolved items
            - Repeat until check passes
            ### Step 3.4: Generate Final Summary
            ```
            ╔══════════════════════════════════════════════════════════════╗
            ║                    SYNC COMPLETED SUMMARY                    ║
            ╠══════════════════════════════════════════════════════════════╣
            ║ Language      │ Added │ Updated │ Deleted │ Status          ║
            ╠══════════════════════════════════════════════════════════════╣
            ║ zh-Hans       │  5    │   2     │    1    │ ✓ Complete      ║
            ║ ja-JP         │  5    │   2     │    1    │ ✓ Complete      ║
            ║ ...           │ ...   │  ...    │   ...   │ ...             ║
            ╠══════════════════════════════════════════════════════════════╣
            ║ i18n:check    │ PASSED - All keys in sync                   ║
            ╚══════════════════════════════════════════════════════════════╝
            ```
            ## Mode-Specific Behavior
            **SYNC_MODE = "incremental"** (default):
            - Focus on keys identified from git diff
            - Also check i18n:check output for any missing/extra keys
            - Efficient for small changes
            **SYNC_MODE = "full"**:
            - Compare ALL keys between en-US and each language
            - Run i18n:check to identify all discrepancies
            - Use for first-time sync or fixing historical issues
            ## Important Notes
            1. Always run i18n:check BEFORE and AFTER making changes
            2. The check script is the source of truth for missing/extra keys
            3. For UPDATE scenario: git diff is the source of truth for changed values
            4. Create a single commit with all translation changes
            5. If any translation fails, continue with others and report failures
            ═══════════════════════════════════════════════════════════════
            ║  PHASE 4: COMMIT AND CREATE PR                              ║
            ═══════════════════════════════════════════════════════════════
            After all translations are complete and verified:
            ### Step 4.1: Check for changes
            ```bash
            git -C ${{ github.workspace }} status --porcelain
            ```
            If there are changes:
            ### Step 4.2: Create a new branch and commit
            Run these git commands ONE BY ONE (not combined with &&).
            **IMPORTANT**: Do NOT use `$()` command substitution. Use two separate commands:
            1. First, get the timestamp:
            ```bash
            date +%Y%m%d-%H%M%S
            ```
            (Note the output, e.g., "20260115-143052")
            2. Then create branch using the timestamp value:
            ```bash
            git -C ${{ github.workspace }} checkout -b chore/i18n-sync-20260115-143052
            ```
            (Replace "20260115-143052" with the actual timestamp from step 1)
            3. Stage changes:
            ```bash
            git -C ${{ github.workspace }} add web/i18n/
            ```
            4. Commit:
            ```bash
            git -C ${{ github.workspace }} commit -m "chore(i18n): sync translations with en-US - Mode: ${{ steps.detect_changes.outputs.SYNC_MODE }}"
            ```
            5. Push:
            ```bash
            git -C ${{ github.workspace }} push origin HEAD
            ```
            ### Step 4.3: Create Pull Request
            ```bash
            gh pr create --repo ${{ github.repository }} --title "chore(i18n): sync translations with en-US" --body "## Summary
            This PR was automatically generated to sync i18n translation files.
            ### Changes
            - Mode: ${{ steps.detect_changes.outputs.SYNC_MODE }}
            - Files processed: ${{ steps.detect_changes.outputs.CHANGED_FILES }}
            ### Verification
            - [x] \`i18n:check\` passed
            - [x] \`lint:fix\` applied
            🤖 Generated with Claude Code GitHub Action" --base main
            ```
            Required execution plan:
            1. Resolve target languages.
               - Use the provided `Target languages` value as the source of truth.
               - If it is unexpectedly empty, read `${{ github.workspace }}/web/i18n-config/languages.ts` and use every language with `supported: true` except `en-US`.
            2. Stay strictly in scope.
               - Only process the files listed in `Files in scope`.
               - Only process the resolved target languages, never `en-US`.
               - Do not touch unrelated i18n files.
               - Do not modify `${{ github.workspace }}/web/i18n/en-US/`.
            3. Resolve source changes.
               - If `Structured change set available` is `true`, read `/tmp/i18n-changes.json` and use it as the source of truth for file-level and key-level changes.
               - For each file entry:
                 - `added` contains new English keys that need translations.
                 - `updated` contains stale keys whose English source changed; re-translate using the `after` value.
                 - `deleted` contains keys that should be removed from locale files.
                 - `fileDeleted: true` means the English file no longer exists; remove the matching locale file if present.
               - Read the current English JSON file for any file that still exists so wording, placeholders, and surrounding terminology stay accurate.
               - If `Structured change set available` is `false`, treat this as a scoped full sync and use the current English files plus scoped checks as the source of truth.
            4. Run a scoped pre-check before editing:
               - `vp run dify-web#i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }}`
               - Use this command as the source of truth for missing and extra keys inside the current scope.
            5. Apply translations.
               - For every target language and scoped file:
                 - If `fileDeleted` is `true`, remove the locale file if it exists and skip the rest of that file.
                 - If the locale file does not exist yet, create it with `Write` and then continue with `Edit` as needed.
                 - ADD missing keys.
                 - UPDATE stale translations when the English value changed.
                 - DELETE removed keys. Prefer `vp run dify-web#i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }} --auto-remove` for extra keys so deletions stay in scope.
               - Preserve placeholders exactly: `{{variable}}`, `${variable}`, HTML tags, component tags, and variable names.
               - Match the existing terminology and register used by each locale.
               - Prefer one Edit per file when stable, but prioritize correctness over batching.
            6. Verify only the edited files.
               - Run `vp run dify-web#lint:fix --quiet -- <relative edited i18n file paths under web/>`
               - Run `vp run dify-web#i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }}`
               - If verification fails, fix the remaining problems before continuing.
            7. Stop after the scoped locale files are updated and verification passes.
               - Do not create branches, commits, or pull requests.
          claude_args: |
-            --max-turns 150
+            --max-turns 120
-            --allowedTools "Read,Write,Edit,Bash(git *),Bash(git:*),Bash(gh *),Bash(gh:*),Bash(pnpm *),Bash(pnpm:*),Bash(date *),Bash(date:*),Glob,Grep"
+            --allowedTools "Read,Write,Edit,Bash(vp *),Bash(vp:*),Glob,Grep"
      - name: Prepare branch metadata
        id: pr_meta
        if: steps.context.outputs.CHANGED_FILES != ''
        shell: bash
        run: |
          if [ -z "$(git -C "${{ github.workspace }}" status --porcelain -- web/i18n/)" ]; then
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          SCOPE_HASH=$(printf '%s|%s|%s' "${{ steps.context.outputs.CHANGED_FILES }}" "${{ steps.context.outputs.TARGET_LANGS }}" "${{ steps.context.outputs.SYNC_MODE }}" | sha256sum | cut -c1-8)
          HEAD_SHORT=$(printf '%s' "${{ steps.context.outputs.HEAD_SHA }}" | cut -c1-12)
          BRANCH_NAME="chore/i18n-sync-${HEAD_SHORT}-${SCOPE_HASH}"
          {
            echo "has_changes=true"
            echo "branch_name=$BRANCH_NAME"
          } >> "$GITHUB_OUTPUT"
      - name: Commit translation changes
        if: steps.pr_meta.outputs.has_changes == 'true'
        shell: bash
        run: |
          git -C "${{ github.workspace }}" checkout -B "${{ steps.pr_meta.outputs.branch_name }}"
          git -C "${{ github.workspace }}" add web/i18n/
          git -C "${{ github.workspace }}" commit -m "chore(i18n): sync translations with en-US"
      - name: Push translation branch
        if: steps.pr_meta.outputs.has_changes == 'true'
        shell: bash
        run: |
          if git -C "${{ github.workspace }}" ls-remote --exit-code --heads origin "${{ steps.pr_meta.outputs.branch_name }}" >/dev/null 2>&1; then
            git -C "${{ github.workspace }}" push --force-with-lease origin "${{ steps.pr_meta.outputs.branch_name }}"
          else
            git -C "${{ github.workspace }}" push --set-upstream origin "${{ steps.pr_meta.outputs.branch_name }}"
          fi
      - name: Create or update translation PR
        if: steps.pr_meta.outputs.has_changes == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BRANCH_NAME: ${{ steps.pr_meta.outputs.branch_name }}
          FILES_IN_SCOPE: ${{ steps.context.outputs.CHANGED_FILES }}
          TARGET_LANGS: ${{ steps.context.outputs.TARGET_LANGS }}
          SYNC_MODE: ${{ steps.context.outputs.SYNC_MODE }}
          CHANGES_SOURCE: ${{ steps.context.outputs.CHANGES_SOURCE }}
          BASE_SHA: ${{ steps.context.outputs.BASE_SHA }}
          HEAD_SHA: ${{ steps.context.outputs.HEAD_SHA }}
          REPO_NAME: ${{ github.repository }}
        shell: bash
        run: |
          PR_BODY_FILE=/tmp/i18n-pr-body.md
          LANG_COUNT=$(printf '%s\n' "$TARGET_LANGS" | wc -w | tr -d ' ')
          if [ "$LANG_COUNT" = "0" ]; then
            LANG_COUNT="0"
          fi
          export LANG_COUNT
          node <<'NODE' > "$PR_BODY_FILE"
          const fs = require('node:fs')
          const changesPath = '/tmp/i18n-changes.json'
          const changes = fs.existsSync(changesPath)
            ? JSON.parse(fs.readFileSync(changesPath, 'utf8'))
            : { changes: {} }
          const filesInScope = (process.env.FILES_IN_SCOPE || '').split(/\s+/).filter(Boolean)
          const lines = [
            '## Summary',
            '',
            `- **Files synced**: \`${process.env.FILES_IN_SCOPE || '<none>'}\``,
            `- **Languages updated**: ${process.env.TARGET_LANGS || '<none>'} (${process.env.LANG_COUNT} languages)`,
            `- **Sync mode**: ${process.env.SYNC_MODE}${process.env.BASE_SHA ? ` (base: \`${process.env.BASE_SHA.slice(0, 10)}\`, head: \`${process.env.HEAD_SHA.slice(0, 10)}\`)` : ` (head: \`${process.env.HEAD_SHA.slice(0, 10)}\`)`}`,
            '',
            '### Key changes',
          ]
          for (const fileName of filesInScope) {
            const fileChange = changes.changes?.[fileName] || { added: {}, updated: {}, deleted: [], fileDeleted: false }
            const addedKeys = Object.keys(fileChange.added || {})
            const updatedKeys = Object.keys(fileChange.updated || {})
            const deletedKeys = fileChange.deleted || []
            lines.push(`- \`${fileName}\`: +${addedKeys.length} / ~${updatedKeys.length} / -${deletedKeys.length}${fileChange.fileDeleted ? ' (file deleted in en-US)' : ''}`)
          }
          lines.push(
            '',
            '## Verification',
            '',
            `- \`vp run dify-web#i18n:check --file ${process.env.FILES_IN_SCOPE} --lang ${process.env.TARGET_LANGS}\``,
            `- \`vp run dify-web#lint:fix --quiet -- <edited i18n files under web/>\``,
            '',
            '## Notes',
            '',
            '- This PR was generated from structured en-US key changes produced by `trigger-i18n-sync.yml`.',
            `- Structured change source: ${process.env.CHANGES_SOURCE || 'unknown'}.`,
            '- Branch name is deterministic for the head SHA and scope, so reruns update the same PR instead of opening duplicates.',
            '',
            '🤖 Generated with [Claude Code](https://claude.com/claude-code)'
          )
          process.stdout.write(lines.join('\n'))
          NODE
          EXISTING_PR_NUMBER=$(gh pr list --repo "$REPO_NAME" --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
          if [ -n "$EXISTING_PR_NUMBER" ] && [ "$EXISTING_PR_NUMBER" != "null" ]; then
            gh pr edit "$EXISTING_PR_NUMBER" --repo "$REPO_NAME" --title "chore(i18n): sync translations with en-US" --body-file "$PR_BODY_FILE"
          else
            gh pr create --repo "$REPO_NAME" --head "$BRANCH_NAME" --base main --title "chore(i18n): sync translations with en-US" --body-file "$PR_BODY_FILE"
          fi
--- a/.github/workflows/trigger-i18n-sync.yml
+++ b/.github/workflows/trigger-i18n-sync.yml
@ -1,9 +1,5 @@
 name: Trigger i18n Sync on Push
 # This workflow bridges the push event to repository_dispatch
 # because claude-code-action doesn't support push events directly.
 # See: https://github.com/langgenius/dify/issues/30743
 on:
  push:
    branches: [main]
@ -13,6 +9,10 @@ on:
 permissions:
  contents: write
 concurrency:
  group: trigger-i18n-sync-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  trigger:
    if: github.repository == 'langgenius/dify'
@ -25,42 +25,66 @@ jobs:
        with:
          fetch-depth: 0
-      - name: Detect changed files and generate diff
+      - name: Detect changed files and build structured change set
        id: detect
        shell: bash
        run: |
-          BEFORE_SHA="${{ github.event.before }}"
+          BASE_SHA="${{ github.event.before }}"
-          # Handle edge case: force push may have null/zero SHA
+          if [ -z "$BASE_SHA" ] || [ "$BASE_SHA" = "0000000000000000000000000000000000000000" ]; then
-          if [ -z "$BEFORE_SHA" ] || [ "$BEFORE_SHA" = "0000000000000000000000000000000000000000" ]; then
+            BASE_SHA=$(git rev-parse HEAD~1 2>/dev/null || true)
            BEFORE_SHA="HEAD~1"
          fi
          HEAD_SHA="${{ github.sha }}"
-          # Detect changed i18n files
+          if [ -n "$BASE_SHA" ]; then
-          changed=$(git diff --name-only "$BEFORE_SHA" "${{ github.sha }}" -- 'web/i18n/en-US/*.json' 2>/dev/null | xargs -n1 basename 2>/dev/null | sed 's/.json$//' | tr '\n' ' ' || echo "")
+            CHANGED_FILES=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA" -- 'web/i18n/en-US/*.json' 2>/dev/null | sed -n 's@^.*/@@p' | sed 's/\.json$//' | tr '\n' ' ' | sed 's/[[:space:]]*$//')
          echo "changed_files=$changed" >> $GITHUB_OUTPUT
          # Generate diff for context
          git diff "$BEFORE_SHA" "${{ github.sha }}" -- 'web/i18n/en-US/*.json' > /tmp/i18n-diff.txt 2>/dev/null || echo "" > /tmp/i18n-diff.txt
          # Truncate if too large (keep first 50KB to match receiving workflow)
          head -c 50000 /tmp/i18n-diff.txt > /tmp/i18n-diff-truncated.txt
          mv /tmp/i18n-diff-truncated.txt /tmp/i18n-diff.txt
          # Base64 encode the diff for safe JSON transport (portable, single-line)
          diff_base64=$(base64 < /tmp/i18n-diff.txt | tr -d '\n')
          echo "diff_base64=$diff_base64" >> $GITHUB_OUTPUT
          if [ -n "$changed" ]; then
            echo "has_changes=true" >> $GITHUB_OUTPUT
            echo "Detected changed files: $changed"
          else
-            echo "has_changes=false" >> $GITHUB_OUTPUT
+            CHANGED_FILES=$(find web/i18n/en-US -maxdepth 1 -type f -name '*.json' -print | sed -n 's@^.*/@@p' | sed 's/\.json$//' | sort | tr '\n' ' ' | sed 's/[[:space:]]*$//')
            echo "No i18n changes detected"
          fi
          export BASE_SHA HEAD_SHA CHANGED_FILES
          node .github/scripts/generate-i18n-changes.mjs
          if [ -n "$CHANGED_FILES" ]; then
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          fi
          echo "base_sha=$BASE_SHA" >> "$GITHUB_OUTPUT"
          echo "head_sha=$HEAD_SHA" >> "$GITHUB_OUTPUT"
          echo "changed_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
      - name: Trigger i18n sync workflow
        if: steps.detect.outputs.has_changes == 'true'
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          BASE_SHA: ${{ steps.detect.outputs.base_sha }}
          HEAD_SHA: ${{ steps.detect.outputs.head_sha }}
          CHANGED_FILES: ${{ steps.detect.outputs.changed_files }}
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
-          event-type: i18n-sync
+          script: |
-          client-payload: '{"changed_files": "${{ steps.detect.outputs.changed_files }}", "diff_base64": "${{ steps.detect.outputs.diff_base64 }}", "sync_mode": "incremental", "trigger_sha": "${{ github.sha }}"}'
+            const fs = require('fs')
            const changesJson = fs.readFileSync('/tmp/i18n-changes.json', 'utf8')
            const changesBase64 = Buffer.from(changesJson).toString('base64')
            const maxEmbeddedChangesChars = 48000
            const changesEmbedded = changesBase64.length <= maxEmbeddedChangesChars
            if (!changesEmbedded) {
              console.log(`Structured change set too large to embed safely (${changesBase64.length} chars). Downstream workflow will regenerate it from git history.`)
            }
            await github.rest.repos.createDispatchEvent({
              owner: context.repo.owner,
              repo: context.repo.repo,
              event_type: 'i18n-sync',
              client_payload: {
                changed_files: process.env.CHANGED_FILES,
                changes_base64: changesEmbedded ? changesBase64 : '',
                changes_embedded: changesEmbedded,
                sync_mode: 'incremental',
                base_sha: process.env.BASE_SHA,
                head_sha: process.env.HEAD_SHA,
              },
            })
--- a/.github/workflows/vdb-tests-full.yml
+++ b/.github/workflows/vdb-tests-full.yml
@ -0,0 +1,95 @@
 name: Run Full VDB Tests
 on:
  schedule:
    - cron: '0 3 * * 1'
  workflow_dispatch:
 permissions:
  contents: read
 concurrency:
  group: vdb-tests-full-${{ github.ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
    name: Full VDB Tests
    if: github.repository == 'langgenius/dify'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version:
          - "3.12"
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Free Disk Space
        uses: endersonmenezes/free-disk-space@7901478139cff6e9d44df5972fd8ab8fcade4db1 # v3.2.2
        with:
          remove_dotnet: true
          remove_haskell: true
          remove_tool_cache: true
      - name: Setup UV and Python
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
          cache-dependency-glob: api/uv.lock
      - name: Check UV lockfile
        run: uv lock --project api --check
      - name: Install dependencies
        run: uv sync --project api --dev
      - name: Set up dotenvs
        run: |
          cp docker/.env.example docker/.env
          cp docker/middleware.env.example docker/middleware.env
      - name: Expose Service Ports
        run: sh .github/workflows/expose_service_ports.sh
 #      - name: Set up Vector Store (TiDB)
 #        uses: hoverkraft-tech/compose-action@v2.0.2
 #        with:
 #          compose-file: docker/tidb/docker-compose.yaml
 #          services: |
 #            tidb
 #            tiflash
      - name: Set up Full Vector Store Matrix
        uses: hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3 # v2.5.0
        with:
          compose-file: |
            docker/docker-compose.yaml
          services: |
            weaviate
            qdrant
            couchbase-server
            etcd
            minio
            milvus-standalone
            pgvecto-rs
            pgvector
            chroma
            elasticsearch
            oceanbase
      - name: setup test config
        run: |
          echo $(pwd)
          ls -lah .
          cp api/tests/integration_tests/.env.example api/tests/integration_tests/.env
 #      - name: Check VDB Ready (TiDB)
 #        run: uv run --project api python api/providers/vdb/tidb-vector/tests/integration_tests/check_tiflash_ready.py
      - name: Test Vector Stores
        run: uv run --project api bash dev/pytest/pytest_vdb.sh
--- a/.github/workflows/vdb-tests.yml
+++ b/.github/workflows/vdb-tests.yml
@ -1,20 +1,22 @@
-name: Run VDB Tests
+name: Run VDB Smoke Tests
 on:
  workflow_call:
 permissions:
  contents: read
 concurrency:
  group: vdb-tests-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
-    name: VDB Tests
+    name: VDB Smoke Tests
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version:
          - "3.11"
          - "3.12"
    steps:
@ -31,7 +33,7 @@ jobs:
          remove_tool_cache: true
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -59,23 +61,18 @@ jobs:
 #            tidb
 #            tiflash
-      - name: Set up Vector Stores (Weaviate, Qdrant, PGVector, Milvus, PgVecto-RS, Chroma, MyScale, ElasticSearch, Couchbase, OceanBase)
+      - name: Set up Vector Stores for Smoke Coverage
        uses: hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3 # v2.5.0
        with:
          compose-file: |
            docker/docker-compose.yaml
          services: |
            db_postgres
            redis
            weaviate
            qdrant
            couchbase-server
            etcd
            minio
            milvus-standalone
            pgvecto-rs
            pgvector
            chroma
            elasticsearch
            oceanbase
      - name: setup test config
        run: |
@ -84,7 +81,12 @@ jobs:
          cp api/tests/integration_tests/.env.example api/tests/integration_tests/.env
 #      - name: Check VDB Ready (TiDB)
-#        run: uv run --project api python api/tests/integration_tests/vdb/tidb_vector/check_tiflash_ready.py
+#        run: uv run --project api python api/providers/vdb/tidb-vector/tests/integration_tests/check_tiflash_ready.py
      - name: Test Vector Stores
-        run: uv run --project api bash dev/pytest/pytest_vdb.sh
+        run: |
          uv run --project api pytest --timeout "${PYTEST_TIMEOUT:-180}" \
            api/providers/vdb/vdb-chroma/tests/integration_tests \
            api/providers/vdb/vdb-pgvector/tests/integration_tests \
            api/providers/vdb/vdb-qdrant/tests/integration_tests \
            api/providers/vdb/vdb-weaviate/tests/integration_tests
--- a/.github/workflows/web-e2e.yml
+++ b/.github/workflows/web-e2e.yml
@ -0,0 +1,68 @@
 name: Web Full-Stack E2E
 on:
  workflow_call:
 permissions:
  contents: read
 concurrency:
  group: web-e2e-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
    name: Web Full-Stack E2E
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup web dependencies
        uses: ./.github/actions/setup-web
      - name: Setup UV and Python
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
          cache-dependency-glob: api/uv.lock
      - name: Install API dependencies
        run: uv sync --project api --dev
      - name: Install Playwright browser
        working-directory: ./e2e
        run: vp run e2e:install
      - name: Run isolated source-api and built-web Cucumber E2E tests
        working-directory: ./e2e
        env:
          E2E_ADMIN_EMAIL: e2e-admin@example.com
          E2E_ADMIN_NAME: E2E Admin
          E2E_ADMIN_PASSWORD: E2eAdmin12345
          E2E_FORCE_WEB_BUILD: "1"
          E2E_INIT_PASSWORD: E2eInit12345
        run: vp run e2e:full
      - name: Upload Cucumber report
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: cucumber-report
          path: e2e/cucumber-report
          retention-days: 7
      - name: Upload E2E logs
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: e2e-logs
          path: e2e/.logs
          retention-days: 7
--- a/.github/workflows/web-tests.yml
+++ b/.github/workflows/web-tests.yml
@ -22,8 +22,8 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        shardIndex: [1, 2, 3, 4, 5, 6]
+        shardIndex: [1, 2, 3, 4]
-        shardTotal: [6]
+        shardTotal: [4]
    defaults:
      run:
        shell: bash
@ -43,7 +43,7 @@ jobs:
      - name: Upload blob report
        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: blob-report-${{ matrix.shardIndex }}
          path: web/.vitest-reports/*
@ -66,7 +66,6 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Setup web environment
@ -84,40 +83,9 @@ jobs:
      - name: Report coverage
        if: ${{ env.CODECOV_TOKEN != '' }}
-        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          directory: web/coverage
          flags: web
        env:
          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
  web-build:
    name: Web Build
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./web
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Check changed files
        id: changed-files
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            web/**
            .github/workflows/web-tests.yml
            .github/actions/setup-web/**
      - name: Setup web environment
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: ./.github/actions/setup-web
      - name: Web build check
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ./web
        run: vp run build
--- a/.gitignore
+++ b/.gitignore
@ -209,10 +209,11 @@ api/.vscode
 .history
 .idea/
 web/migration/
 # pnpm
 /.pnpm-store
 node_modules
 .vite-hooks/_
 # plugin migrate
 plugins.jsonl
@ -222,7 +223,6 @@ mise.toml
 # AI Assistant
 .sisyphus/
 .roo/
 /.claude/worktrees/
 api/.env.backup
@ -241,4 +241,4 @@ scripts/stress-test/reports/
 *.local.md
 # Code Agent Folder
-.qoder/*
+.qoder/*
--- a/.npmrc
+++ b/.npmrc
@ -0,0 +1 @@
 save-exact=true
--- a/web/.nvmrc
+++ b/web/.nvmrc
--- a/.vite-hooks/pre-commit
+++ b/.vite-hooks/pre-commit
@ -0,0 +1,113 @@
 #!/bin/sh
 # get the list of modified files
 files=$(git diff --cached --name-only)
 # check if api or web directory is modified
 api_modified=false
 web_modified=false
 packages_modified=false
 skip_web_checks=false
 git_path() {
    git rev-parse --git-path "$1"
 }
 if [ -f "$(git_path MERGE_HEAD)" ] || \
   [ -f "$(git_path CHERRY_PICK_HEAD)" ] || \
   [ -f "$(git_path REVERT_HEAD)" ] || \
   [ -f "$(git_path SQUASH_MSG)" ] || \
   [ -d "$(git_path rebase-merge)" ] || \
   [ -d "$(git_path rebase-apply)" ]; then
    skip_web_checks=true
 fi
 for file in $files
 do
    # Use POSIX compliant pattern matching
    case "$file" in
        api/*.py)
            # set api_modified flag to true
            api_modified=true
            ;;
        web/*)
            web_modified=true
            ;;
        packages/*)
            packages_modified=true
            ;;
    esac
 done
 # run linters based on the modified modules
 if $api_modified; then
    echo "Running Ruff linter on api module"
    # run Ruff linter auto-fixing
    uv run --project api --dev ruff check --fix ./api
    # run Ruff linter checks
    uv run --project api --dev ruff check  ./api || status=$?
    status=${status:-0}
    if [ $status -ne 0 ]; then
      echo "Ruff linter on api module error, exit code: $status"
      echo "Please run 'dev/reformat' to fix the fixable linting errors."
      exit 1
    fi
 fi
 if $web_modified; then
    if $skip_web_checks; then
        echo "Git operation in progress, skipping web checks"
        exit 0
    fi
    echo "Running ESLint on web module"
    if git diff --cached --quiet -- 'web/**/*.ts' 'web/**/*.tsx'; then
        web_ts_modified=false
    else
        ts_diff_status=$?
        if [ $ts_diff_status -eq 1 ]; then
            web_ts_modified=true
        else
            echo "Unable to determine staged TypeScript changes (git exit code: $ts_diff_status)."
            exit $ts_diff_status
        fi
    fi
    cd ./web || exit 1
    vp staged
    if $web_ts_modified; then
        echo "Running TypeScript type-check:tsgo"
        if ! npm run type-check:tsgo; then
            echo "Type check failed. Please run 'npm run type-check:tsgo' to fix the errors."
            exit 1
        fi
    else
        echo "No staged TypeScript changes detected, skipping type-check:tsgo"
    fi
    echo "Running knip"
    if ! npm run knip; then
        echo "Knip check failed. Please run 'npm run knip' to fix the errors."
        exit 1
    fi
    cd ../
 fi
 if $packages_modified; then
    if $skip_web_checks; then
        echo "Git operation in progress, skipping packages checks"
    else
        echo "Running staged checks on packages/dify-ui"
        cd ./packages/dify-ui || exit 1
        vp staged
        cd ../../
    fi
 fi
--- a/.vscode/launch.json.template
+++ b/.vscode/launch.json.template
@ -2,21 +2,10 @@
    "version": "0.2.0",
    "configurations": [
        {
-            "name": "Python: Flask API",
+            "name": "Python: API (gevent)",
            "type": "debugpy",
            "request": "launch",
-            "module": "flask",
+            "program": "${workspaceFolder}/api/app.py",
            "env": {
                "FLASK_APP": "app.py",
                "FLASK_ENV": "development"
            },
            "args": [
                "run",
                "--host=0.0.0.0",
                "--port=5001",
                "--no-debugger",
                "--no-reload"
            ],
            "jinja": true,
            "justMyCode": true,
            "cwd": "${workspaceFolder}/api",
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -97,8 +97,3 @@ Feel free to reach out if you encounter any issues during the setup process.
 ## Getting Help
 If you ever get stuck or get a burning question while contributing, simply shoot your queries our way via the related GitHub issue, or hop onto our [Discord](https://discord.gg/8Tpq4AcN9c) for a quick chat.
 ## Automated Agent Contributions
 > [!NOTE]
 > If you are an automated agent， just add 🤖🤖🤖 to the end of the PR title to opt-in.
--- a/13
+++ b/13
@ -24,8 +24,8 @@ prepare-docker:
 # Step 2: Prepare web environment
 prepare-web:
 	@echo "🌐 Setting up web environment..."
-	@cp -n web/.env.example web/.env 2>/dev/null || echo "Web .env already exists"
+	@cp -n web/.env.example web/.env.local 2>/dev/null || echo "Web .env.local already exists"
-	@cd web && pnpm install
+	@pnpm install
 	@echo "✅ Web environment prepared (not started)"
 # Step 3: Prepare API environment
@ -74,6 +74,12 @@ type-check:
 	@uv --directory api run mypy --exclude-gitignore --exclude 'tests/' --exclude 'migrations/' --check-untyped-defs --disable-error-code=import-untyped .
 	@echo "✅ Type checks complete"
 type-check-core:
 	@echo "📝 Running core type checks (basedpyright + mypy)..."
 	@./dev/basedpyright-check $(PATH_TO_CHECK)
 	@uv --directory api run mypy --exclude-gitignore --exclude 'tests/' --exclude 'migrations/' --check-untyped-defs --disable-error-code=import-untyped .
 	@echo "✅ Core type checks complete"
 test:
 	@echo "🧪 Running backend unit tests..."
 	@if [ -n "$(TARGET_TESTS)" ]; then \
@ -87,7 +93,7 @@ test:
 # Build Docker images
 build-web:
 	@echo "Building web Docker image: $(WEB_IMAGE):$(VERSION)..."
-	docker build -t $(WEB_IMAGE):$(VERSION) ./web
+	docker build -f web/Dockerfile -t $(WEB_IMAGE):$(VERSION) .
 	@echo "Web Docker image built successfully: $(WEB_IMAGE):$(VERSION)"
 build-api:
@ -133,6 +139,7 @@ help:
 	@echo "  make check          - Check code with ruff"
 	@echo "  make lint           - Format, fix, and lint code (ruff, imports, dotenv)"
 	@echo "  make type-check     - Run type checks (basedpyright, pyrefly, mypy)"
 	@echo "  make type-check-core - Run core type checks (basedpyright, mypy)"
 	@echo "  make test           - Run backend unit tests (or TARGET_TESTS=./api/tests/<target_tests>)"
 	@echo ""
 	@echo "Docker Build Targets:"
--- a/README.md
+++ b/README.md
@ -53,7 +53,11 @@
  <a href="./docs/tr-TR/README.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-d9d9d9"></a>
  <a href="./docs/vi-VN/README.md"><img alt="README Tiếng Việt" src="https://img.shields.io/badge/Ti%E1%BA%BFng%20Vi%E1%BB%87t-d9d9d9"></a>
  <a href="./docs/de-DE/README.md"><img alt="README in Deutsch" src="https://img.shields.io/badge/German-d9d9d9"></a>
  <a href="./docs/it-IT/README.md"><img alt="README in Italiano" src="https://img.shields.io/badge/Italiano-d9d9d9"></a>
  <a href="./docs/pt-BR/README.md"><img alt="README em Português do Brasil" src="https://img.shields.io/badge/Portugu%C3%AAs%20do%20Brasil-d9d9d9"></a>
  <a href="./docs/sl-SI/README.md"><img alt="README Slovenščina" src="https://img.shields.io/badge/Sloven%C5%A1%C4%8Dina-d9d9d9"></a>
  <a href="./docs/bn-BD/README.md"><img alt="README in বাংলা" src="https://img.shields.io/badge/বাংলা-d9d9d9"></a>
  <a href="./docs/hi-IN/README.md"><img alt="README in हिन्दी" src="https://img.shields.io/badge/Hindi-d9d9d9"></a>
 </p>
 Dify is an open-source LLM app development platform. Its intuitive interface combines AI workflow, RAG pipeline, agent capabilities, model management, observability features (including [Opik](https://www.comet.com/docs/opik/integrations/dify), [Langfuse](https://docs.langfuse.com), and [Arize Phoenix](https://docs.arize.com/phoenix)) and more, letting you quickly go from prototype to production. Here's a list of the core features:
--- a/api/.env.example
+++ b/api/.env.example
@ -60,6 +60,9 @@ REDIS_SSL_CERTFILE=
 REDIS_SSL_KEYFILE=
 # Path to client private key file for SSL authentication
 REDIS_DB=0
 # Optional global prefix for Redis keys, topics, streams, and Celery Redis transport artifacts.
 # Leave empty to preserve current unprefixed behavior.
 REDIS_KEY_PREFIX=
 # redis Sentinel configuration.
 REDIS_USE_SENTINEL=false
@ -74,6 +77,13 @@ REDIS_USE_CLUSTERS=false
 REDIS_CLUSTERS=
 REDIS_CLUSTERS_PASSWORD=
 REDIS_RETRY_RETRIES=3
 REDIS_RETRY_BACKOFF_BASE=1.0
 REDIS_RETRY_BACKOFF_CAP=10.0
 REDIS_SOCKET_TIMEOUT=5.0
 REDIS_SOCKET_CONNECT_TIMEOUT=5.0
 REDIS_HEALTH_CHECK_INTERVAL=30
 # celery configuration
 CELERY_BROKER_URL=redis://:difyai123456@localhost:${REDIS_PORT}/1
 CELERY_BACKEND=redis
@ -105,6 +115,7 @@ S3_BUCKET_NAME=your-bucket-name
 S3_ACCESS_KEY=your-access-key
 S3_SECRET_KEY=your-secret-key
 S3_REGION=your-region
 S3_ADDRESS_STYLE=auto
 # Workflow run and Conversation archive storage (S3-compatible)
 ARCHIVE_STORAGE_ENABLED=false
@ -130,7 +141,8 @@ ALIYUN_OSS_AUTH_VERSION=v1
 ALIYUN_OSS_REGION=your-region
 # Don't start with '/'. OSS doesn't support leading slash in object names.
 ALIYUN_OSS_PATH=your-path
-ALIYUN_CLOUDBOX_ID=your-cloudbox-id
+# Optional CloudBox ID for Aliyun OSS, DO NOT enable it if you are not using CloudBox.
 #ALIYUN_CLOUDBOX_ID=your-cloudbox-id
 # Google Storage configuration
 GOOGLE_STORAGE_BUCKET_NAME=your-bucket-name
@ -647,11 +659,6 @@ INNER_API_KEY_FOR_PLUGIN=QaHbTe77CtuXmsfyhR7+vRjI/+XbV1AaFy691iy+kGDv2Jvy0/eAh8Y
 MARKETPLACE_ENABLED=true
 MARKETPLACE_API_URL=https://marketplace.dify.ai
 # Creators Platform configuration
 CREATORS_PLATFORM_FEATURES_ENABLED=true
 CREATORS_PLATFORM_API_URL=https://creators.dify.ai
 CREATORS_PLATFORM_OAUTH_CLIENT_ID=
 # Endpoint configuration
 ENDPOINT_URL_TEMPLATE=http://localhost:5002/e/{hook_id}
@ -747,34 +754,6 @@ SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_MAX_INTERVAL=200
 SANDBOX_EXPIRED_RECORDS_RETENTION_DAYS=30
 SANDBOX_EXPIRED_RECORDS_CLEAN_TASK_LOCK_TTL=90000
 # Sandbox Dify CLI configuration
 # Directory containing dify CLI binaries (dify-cli-<os>-<arch>). Defaults to api/bin when unset.
 SANDBOX_DIFY_CLI_ROOT=
 # CLI API URL for sandbox (dify-sandbox or e2b) to call back to Dify API.
 # This URL must be accessible from the sandbox environment.
 # For local development: use http://localhost:5001 or http://127.0.0.1:5001
 # For middleware docker stack (api on host): keep localhost/127.0.0.1 and use agentbox via 127.0.0.1:2222
 # For Docker deployment: use http://api:5001 (internal Docker network)
 # For external sandbox (e.g., e2b): use a publicly accessible URL
 CLI_API_URL=http://localhost:5001
 # Base URL for storage file ticket API endpoints (upload/download).
 # Used by sandbox containers (internal or external like e2b) that need an absolute,
 # routable address to reach the Dify API file endpoints.
 # Required for sandbox runtime file access.
 # For local development: http://localhost:5001
 # For all-in-one Docker deployment with nginx: http://localhost
 # For public/remote sandbox environments (e.g., e2b): use a public domain or IP
 FILES_API_URL=http://localhost:5001
 # Optional defaults for SSH sandbox provider setup (for manual config/CLI usage).
 # Middleware/local dev usually uses 127.0.0.1:2222; full docker deployment usually uses agentbox:22.
 SSH_SANDBOX_HOST=127.0.0.1
 SSH_SANDBOX_PORT=2222
 SSH_SANDBOX_USERNAME=agentbox
 SSH_SANDBOX_PASSWORD=agentbox
 SSH_SANDBOX_BASE_WORKING_PATH=/workspace/sandboxes
 # Redis URL used for event bus between API and
 # celery worker
--- a/api/.importlinter
+++ b/api/.importlinter
@ -1,242 +1,14 @@
 [importlinter]
 root_packages =
    core
-    dify_graph
+    constants
    context
    configs
    controllers
    extensions
    factories
    libs
    models
    tasks
    services
 include_external_packages = True
 [importlinter:contract:workflow]
 name = Workflow
 type=layers
 layers =
    graph_engine
    graph_events
    graph
    nodes
    node_events
    runtime
    entities
 containers =
    dify_graph
 ignore_imports =
    dify_graph.nodes.base.node -> dify_graph.graph_events
    dify_graph.nodes.iteration.iteration_node -> dify_graph.graph_events
    dify_graph.nodes.loop.loop_node -> dify_graph.graph_events
    dify_graph.nodes.iteration.iteration_node -> dify_graph.graph_engine
    dify_graph.nodes.loop.loop_node -> dify_graph.graph_engine
    # TODO(QuantumGhost): fix the import violation later
    dify_graph.entities.pause_reason -> dify_graph.nodes.human_input.entities
    dify_graph.nodes.base.node -> core.workflow.node_factory
    dify_graph.nodes.tool.tool_node -> core.workflow.node_factory
    dify_graph.file.file_manager -> models.model
    dify_graph.file.file_manager -> models.tools
    dify_graph.file.file_manager -> extensions.ext_database
 [importlinter:contract:workflow-infrastructure-dependencies]
 name = Workflow Infrastructure Dependencies
 type = forbidden
 source_modules =
    dify_graph
 forbidden_modules =
    extensions.ext_database
    extensions.ext_redis
 allow_indirect_imports = True
 ignore_imports =
    dify_graph.nodes.llm.node -> extensions.ext_database
    dify_graph.model_runtime.model_providers.__base.ai_model -> extensions.ext_redis
    dify_graph.model_runtime.model_providers.model_provider_factory -> extensions.ext_redis
    dify_graph.file.file_manager -> extensions.ext_database
    dify_graph.nodes.llm.llm_utils -> extensions.ext_database
 [importlinter:contract:workflow-external-imports]
 name = Workflow External Imports
 type = forbidden
 source_modules =
    dify_graph
 forbidden_modules =
    configs
    controllers
    extensions
    models
    services
    tasks
    core.agent
    core.app
    core.base
    core.callback_handler
    core.datasource
    core.db
    core.entities
    core.errors
    core.extension
    core.external_data_tool
    core.file
    core.helper
    core.hosting_configuration
    core.indexing_runner
    core.llm_generator
    core.logging
    core.mcp
    core.memory
    core.moderation
    core.ops
    core.plugin
    core.prompt
    core.provider_manager
    core.rag
    core.repositories
    core.schemas
    core.tools
    core.trigger
    core.variables
 ignore_imports =
    dify_graph.nodes.llm.llm_utils -> core.model_manager
    dify_graph.nodes.llm.protocols -> core.model_manager
    dify_graph.nodes.llm.llm_utils -> dify_graph.model_runtime.model_providers.__base.large_language_model
    dify_graph.nodes.llm.node -> core.tools.signature
    dify_graph.nodes.tool.tool_node -> core.callback_handler.workflow_tool_callback_handler
    dify_graph.nodes.tool.tool_node -> core.tools.tool_engine
    dify_graph.nodes.tool.tool_node -> core.tools.tool_manager
    dify_graph.nodes.parameter_extractor.parameter_extractor_node -> core.prompt.advanced_prompt_transform
    dify_graph.nodes.parameter_extractor.parameter_extractor_node -> core.prompt.simple_prompt_transform
    dify_graph.nodes.parameter_extractor.parameter_extractor_node -> dify_graph.model_runtime.model_providers.__base.large_language_model
    dify_graph.nodes.question_classifier.question_classifier_node -> core.prompt.simple_prompt_transform
    dify_graph.nodes.parameter_extractor.parameter_extractor_node -> core.model_manager
    dify_graph.nodes.question_classifier.question_classifier_node -> core.model_manager
    dify_graph.nodes.tool.tool_node -> core.tools.utils.message_transformer
    dify_graph.nodes.llm.node -> core.llm_generator.output_parser.errors
    dify_graph.nodes.llm.node -> core.llm_generator.output_parser.file_ref
    dify_graph.nodes.llm.node -> core.llm_generator.output_parser.structured_output
    dify_graph.nodes.llm.node -> core.model_manager
    dify_graph.nodes.llm.entities -> core.prompt.entities.advanced_prompt_entities
    dify_graph.nodes.llm.node -> core.prompt.entities.advanced_prompt_entities
    dify_graph.nodes.llm.node -> core.prompt.utils.prompt_message_util
    dify_graph.nodes.parameter_extractor.entities -> core.prompt.entities.advanced_prompt_entities
    dify_graph.nodes.parameter_extractor.parameter_extractor_node -> core.prompt.entities.advanced_prompt_entities
    dify_graph.nodes.parameter_extractor.parameter_extractor_node -> core.prompt.utils.prompt_message_util
    dify_graph.nodes.question_classifier.entities -> core.prompt.entities.advanced_prompt_entities
    dify_graph.nodes.question_classifier.question_classifier_node -> core.prompt.utils.prompt_message_util
    dify_graph.nodes.llm.node -> models.dataset
    dify_graph.nodes.llm.file_saver -> core.tools.signature
    dify_graph.nodes.llm.file_saver -> core.tools.tool_file_manager
    dify_graph.nodes.tool.tool_node -> core.tools.errors
    dify_graph.nodes.llm.node -> extensions.ext_database
    dify_graph.nodes.llm.node -> models.model
    dify_graph.nodes.llm.node -> configs
    dify_graph.nodes.llm.node -> core.agent.entities
    dify_graph.nodes.llm.node -> core.agent.patterns
    dify_graph.nodes.llm.node -> core.app.entities.app_invoke_entities
    dify_graph.nodes.llm.node -> core.helper.code_executor
    dify_graph.nodes.llm.node -> core.memory.base
    dify_graph.nodes.llm.node -> core.sandbox
    dify_graph.nodes.llm.node -> core.sandbox.bash.session
    dify_graph.nodes.llm.node -> core.sandbox.entities.config
    dify_graph.nodes.llm.node -> core.skill.assembler
    dify_graph.nodes.llm.node -> core.skill.constants
    dify_graph.nodes.llm.node -> core.skill.entities.skill_bundle
    dify_graph.nodes.llm.node -> core.skill.entities.skill_document
    dify_graph.nodes.llm.node -> core.skill.entities.skill_metadata
    dify_graph.nodes.llm.node -> core.skill.entities.tool_dependencies
    dify_graph.nodes.llm.node -> core.tools.tool_file_manager
    dify_graph.nodes.llm.node -> core.tools.tool_manager
    dify_graph.nodes.tool.tool_node -> services
    dify_graph.model_runtime.model_providers.__base.ai_model -> configs
    dify_graph.model_runtime.model_providers.__base.ai_model -> extensions.ext_redis
    dify_graph.model_runtime.model_providers.__base.large_language_model -> configs
    dify_graph.model_runtime.model_providers.__base.text_embedding_model -> core.entities.embedding_type
    dify_graph.model_runtime.model_providers.model_provider_factory -> configs
    dify_graph.model_runtime.model_providers.model_provider_factory -> extensions.ext_redis
    dify_graph.model_runtime.model_providers.model_provider_factory -> models.provider_ids
    dify_graph.file.file_manager -> configs
    dify_graph.file.file_manager -> extensions.ext_database
    dify_graph.file.file_manager -> models.model
    dify_graph.file.file_manager -> models.tools
    dify_graph.nodes.llm.llm_utils -> core.app.llm.model_access
    dify_graph.nodes.llm.llm_utils -> core.app.llm.quota
    dify_graph.nodes.llm.llm_utils -> core.memory
    dify_graph.nodes.llm.llm_utils -> core.memory.base
    dify_graph.nodes.llm.llm_utils -> extensions.ext_database
    dify_graph.nodes.llm.llm_utils -> models.model
    dify_graph.nodes.llm.llm_utils -> core.prompt.entities.advanced_prompt_entities
    dify_graph.nodes.llm.entities -> core.agent.entities
    dify_graph.nodes.base.node -> core.workflow.node_factory
    dify_graph.nodes.tool.tool_node -> core.workflow.node_factory
 [importlinter:contract:rsc]
 name = RSC
 type = layers
 layers =
    graph_engine
    response_coordinator
 containers =
    dify_graph.graph_engine
 [importlinter:contract:worker]
 name = Worker
 type = layers
 layers =
    graph_engine
    worker
 containers =
    dify_graph.graph_engine
 [importlinter:contract:graph-engine-architecture]
 name = Graph Engine Architecture
 type = layers
 layers =
    graph_engine
    orchestration
    command_processing
    event_management
    error_handler
    graph_traversal
    graph_state_manager
    worker_management
    domain
 containers =
    dify_graph.graph_engine
 [importlinter:contract:domain-isolation]
 name = Domain Model Isolation
 type = forbidden
 source_modules =
    dify_graph.graph_engine.domain
 forbidden_modules =
    dify_graph.graph_engine.worker_management
    dify_graph.graph_engine.command_channels
    dify_graph.graph_engine.layers
    dify_graph.graph_engine.protocols
 [importlinter:contract:worker-management]
 name = Worker Management
 type = forbidden
 source_modules =
    dify_graph.graph_engine.worker_management
 forbidden_modules =
    dify_graph.graph_engine.orchestration
    dify_graph.graph_engine.command_processing
    dify_graph.graph_engine.event_management
 [importlinter:contract:graph-traversal-components]
 name = Graph Traversal Components
 type = layers
 layers =
    edge_processor
    skip_propagator
 containers =
    dify_graph.graph_engine.graph_traversal
 [importlinter:contract:command-channels]
 name = Command Channels Independence
 type = independence
 modules =
    dify_graph.graph_engine.command_channels.in_memory_channel
    dify_graph.graph_engine.command_channels.redis_channel
--- a/api/.ruff.toml
+++ b/api/.ruff.toml
@ -69,8 +69,6 @@ ignore = [
    "FURB152", # math-constant
    "UP007",   # non-pep604-annotation
    "UP032",   # f-string
    "UP045",   # non-pep604-annotation-optional
    "B005",    # strip-with-multi-characters
    "B006",    # mutable-argument-default
    "B007",    # unused-loop-control-variable
    "B026",    # star-arg-unpacking-after-keyword-arg
@ -84,7 +82,6 @@ ignore = [
    "SIM102",  # collapsible-if
    "SIM103",  # needless-bool
    "SIM105",  # suppressible-exception
    "SIM107",  # return-in-try-except-finally
    "SIM108",  # if-else-block-instead-of-if-exp
    "SIM113",  # enumerate-for-loop
    "SIM117",  # multiple-with-statements
@ -93,35 +90,16 @@ ignore = [
 ]
 [lint.per-file-ignores]
 "__init__.py" = [
    "F401", # unused-import
    "F811", # redefined-while-unused
 ]
 "configs/*" = [
    "N802", # invalid-function-name
 ]
 "dify_graph/model_runtime/callbacks/base_callback.py" = ["T201"]
 "core/workflow/callbacks/workflow_logging_callback.py" = ["T201"]
 "libs/gmpy2_pkcs10aep_cipher.py" = [
    "N803", # invalid-argument-name
 ]
 "tests/*" = [
    "F811", # redefined-while-unused
    "T201", # allow print in tests,
    "S110", # allow ignoring exceptions in tests code (currently)
 ]
 "controllers/console/explore/trial.py" = ["TID251"]
 "controllers/console/human_input_form.py" = ["TID251"]
 "controllers/web/human_input_form.py" = ["TID251"]
 [lint.pyflakes]
 allowed-unused-imports = [
    "tests.integration_tests",
    "tests.unit_tests",
 ]
 [lint.flake8-tidy-imports]
 [lint.flake8-tidy-imports.banned-api."flask_restx.reqparse"]
 msg = "Use Pydantic payload/query models instead of reqparse."
--- a/api/.vscode/launch.json.example
+++ b/api/.vscode/launch.json.example
@ -3,29 +3,21 @@
    "compounds": [
        {
            "name": "Launch Flask and Celery",
-            "configurations": ["Python: Flask", "Python: Celery"]
+            "configurations": ["Python: API (gevent)", "Python: Celery"]
        }
    ],
    "configurations": [
        {
-            "name": "Python: Flask",
+            "name": "Python: API (gevent)",
-            "consoleName": "Flask",
+            "consoleName": "API",
            "type": "debugpy",
            "request": "launch",
            "python": "${workspaceFolder}/.venv/bin/python",
            "cwd": "${workspaceFolder}",
            "envFile": ".env",
-            "module": "flask",
+            "program": "${workspaceFolder}/app.py",
            "justMyCode": true,
-            "jinja": true,
+            "jinja": true
            "env": {
                "FLASK_APP": "app.py",
                "GEVENT_SUPPORT": "True"
            },
            "args": [
                "run",
                "--port=5001"
            ]
        },
        {
            "name": "Python: Celery",
--- a/api/Dockerfile
+++ b/api/Dockerfile
@ -21,8 +21,9 @@ RUN apt-get update \
          # for building gmpy2
          libmpfr-dev libmpc-dev
-# Install Python dependencies
+# Install Python dependencies (workspace members under providers/vdb/)
 COPY pyproject.toml uv.lock ./
 COPY providers ./providers
 RUN uv sync --locked --no-dev
 # production stage
--- a/api/README.md
+++ b/api/README.md
@ -40,6 +40,8 @@ The scripts resolve paths relative to their location, so you can run them from a
   ./dev/start-web
   ```
   `./dev/setup` and `./dev/start-web` install JavaScript dependencies through the repository root workspace, so you do not need a separate `cd web && pnpm install` step.
 1. Set up your application by visiting `http://localhost:3000`.
 1. Start the worker service (async and scheduler tasks, runs from `api`).
@ -54,86 +56,6 @@ The scripts resolve paths relative to their location, so you can run them from a
   ./dev/start-beat
   ```
 ### Manual commands
 <details>
 <summary>Show manual setup and run steps</summary>
 These commands assume you start from the repository root.
 1. Start the docker-compose stack.
   The backend requires middleware, including PostgreSQL, Redis, and Weaviate, which can be started together using `docker-compose`.
   ```bash
   cp docker/middleware.env.example docker/middleware.env
   # Use mysql or another vector database profile if you are not using postgres/weaviate.
   docker compose -f docker/docker-compose.middleware.yaml --profile postgresql --profile weaviate -p dify up -d
   ```
 1. Copy env files.
   ```bash
   cp api/.env.example api/.env
   cp web/.env.example web/.env.local
   ```
 1. Install UV if needed.
   ```bash
   pip install uv
   # Or on macOS
   brew install uv
   ```
 1. Install API dependencies.
   ```bash
   cd api
   uv sync --group dev
   ```
 1. Install web dependencies.
   ```bash
   cd web
   pnpm install
   cd ..
   ```
 1. Start backend (runs migrations first, in a new terminal).
   ```bash
   cd api
   uv run flask db upgrade
   uv run flask run --host 0.0.0.0 --port=5001 --debug
   ```
 1. Start Dify [web](../web) service (in a new terminal).
   ```bash
   cd web
   pnpm dev:inspect
   ```
 1. Set up your application by visiting `http://localhost:3000`.
 1. Optional: start the worker service (async tasks, in a new terminal).
   ```bash
   cd api
   uv run celery -A app.celery worker -P threads -c 2 --loglevel INFO -Q api_token,dataset,priority_dataset,priority_pipeline,pipeline,mail,ops_trace,app_deletion,plugin,workflow_storage,conversation,workflow,schedule_poller,schedule_executor,triggered_workflow_dispatcher,trigger_refresh_executor,retention,workflow_based_app_execution
   ```
 1. Optional: start Celery Beat (scheduled tasks, in a new terminal).
   ```bash
   cd api
   uv run celery -A app.celery beat
   ```
 </details>
 ### Environment notes
 > [!IMPORTANT]
--- a/api/agent-notes/configs/feature/init.py.md
+++ b/api/agent-notes/configs/feature/init.py.md
@ -1,9 +0,0 @@
 Summary:
 Summary:
 - Application configuration definitions, including file access settings.
 Invariants:
 - File access settings drive signed URL expiration and base URLs.
 Tests:
 - Config parsing tests under tests/unit_tests/configs.
--- a/api/agent-notes/controllers/files/init.py.md
+++ b/api/agent-notes/controllers/files/init.py.md
@ -1,9 +0,0 @@
 Summary:
 - Registers file-related API namespaces and routes for files service.
 - Includes app-assets and sandbox archive proxy controllers.
 Invariants:
 - files_ns must include all file controller modules to register routes.
 Tests:
 - Coverage via controller unit tests and route registration smoke checks.
--- a/api/agent-notes/controllers/files/app_assets_download.py.md
+++ b/api/agent-notes/controllers/files/app_assets_download.py.md
@ -1,14 +0,0 @@
 Summary:
 - App assets download proxy endpoint (signed URL verification, stream from storage).
 Invariants:
 - Validates AssetPath fields (UUIDs, asset_type allowlist).
 - Verifies tenant-scoped signature and expiration before reading storage.
 - URL uses expires_at/nonce/sign query params.
 Edge Cases:
 - Missing files return NotFound.
 - Invalid signature or expired link returns Forbidden.
 Tests:
 - Verify signature validation and invalid/expired cases.
--- a/api/agent-notes/controllers/files/app_assets_upload.py.md
+++ b/api/agent-notes/controllers/files/app_assets_upload.py.md
@ -1,13 +0,0 @@
 Summary:
 - App assets upload proxy endpoint (signed URL verification, upload to storage).
 Invariants:
 - Validates AssetPath fields (UUIDs, asset_type allowlist).
 - Verifies tenant-scoped signature and expiration before writing storage.
 - URL uses expires_at/nonce/sign query params.
 Edge Cases:
 - Invalid signature or expired link returns Forbidden.
 Tests:
 - Verify signature validation and invalid/expired cases.
--- a/api/agent-notes/controllers/files/sandbox_archive.py.md
+++ b/api/agent-notes/controllers/files/sandbox_archive.py.md
@ -1,14 +0,0 @@
 Summary:
 - Sandbox archive upload/download proxy endpoints (signed URL verification, stream to storage).
 Invariants:
 - Validates tenant_id and sandbox_id UUIDs.
 - Verifies tenant-scoped signature and expiration before storage access.
 - URL uses expires_at/nonce/sign query params.
 Edge Cases:
 - Missing archive returns NotFound.
 - Invalid signature or expired link returns Forbidden.
 Tests:
 - Add unit tests for signature validation if needed.
--- a/api/agent-notes/core/app_assets/builder/file_builder.py.md
+++ b/api/agent-notes/core/app_assets/builder/file_builder.py.md
@ -1,9 +0,0 @@
 Summary:
 Summary:
 - Collects file assets and emits FileAsset entries with storage keys.
 Invariants:
 - Storage keys are derived via AppAssetStorage for draft files.
 Tests:
 - Covered by asset build pipeline tests.
--- a/api/agent-notes/core/app_assets/builder/skill_builder.py.md
+++ b/api/agent-notes/core/app_assets/builder/skill_builder.py.md
@ -1,14 +0,0 @@
 Summary:
 Summary:
 - Builds skill artifacts from markdown assets and uploads resolved outputs.
 Invariants:
 - Reads draft asset content via AppAssetStorage refs.
 - Writes resolved artifacts via AppAssetStorage refs.
 - FileAsset storage keys are derived via AppAssetStorage.
 Edge Cases:
 - Missing or invalid JSON content yields empty skill content/metadata.
 Tests:
 - Build pipeline unit tests covering compile/upload paths.
--- a/api/agent-notes/core/app_assets/converters.py.md
+++ b/api/agent-notes/core/app_assets/converters.py.md
@ -1,9 +0,0 @@
 Summary:
 Summary:
 - Converts AppAssetFileTree to FileAsset items for packaging.
 Invariants:
 - Storage keys for assets are derived via AppAssetStorage.
 Tests:
 - Used in packaging/service tests for asset bundles.
--- a/api/agent-notes/core/app_assets/packager/zip_packager.py.md
+++ b/api/agent-notes/core/app_assets/packager/zip_packager.py.md
@ -1,14 +0,0 @@
 # Zip Packager Notes
 ## Purpose
 - Builds a ZIP archive of asset contents stored via the configured storage backend.
 ## Key Decisions
 - Packaging writes assets into an in-memory zip buffer returned as bytes.
 - Asset fetch + zip writing are executed via a thread pool with a lock guarding `ZipFile` writes.
 ## Edge Cases
 - ZIP writes are serialized by the lock; storage reads still run in parallel.
 ## Tests/Verification
 - None yet.
--- a/api/agent-notes/core/app_assets/parser/asset_parser.py.md
+++ b/api/agent-notes/core/app_assets/parser/asset_parser.py.md
@ -1,9 +0,0 @@
 Summary:
 Summary:
 - Builds AssetItem entries for asset trees using AssetPath-derived storage keys.
 Invariants:
 - Uses AssetPath to compute draft storage keys.
 Tests:
 - Covered by asset parsing and packaging tests.
--- a/api/agent-notes/core/app_assets/storage.py.md
+++ b/api/agent-notes/core/app_assets/storage.py.md
@ -1,20 +0,0 @@
 Summary:
 - Defines AssetPath facade + typed asset path classes for app-asset storage access.
 - Maps asset paths to storage keys and generates presigned or signed-proxy URLs.
 - Signs proxy URLs using tenant private keys and enforces expiration.
 - Exposes app_asset_storage singleton for reuse.
 Invariants:
 - AssetPathBase fields (tenant_id/app_id/resource_id/node_id) must be UUIDs.
 - AssetPath.from_components enforces valid types and resolved node_id presence.
 - Storage keys are derived internally via AssetPathBase.get_storage_key; callers never supply raw paths.
 - AppAssetStorage.storage returns the cached presign wrapper (not the raw storage).
 Edge Cases:
 - Storage backends without presign support must fall back to signed proxy URLs.
 - Signed proxy verification enforces expiration and tenant-scoped signing keys.
 - Upload URLs also fall back to signed proxy endpoints when presign is unsupported.
 - load_or_none treats SilentStorage "File Not Found" bytes as missing.
 Tests:
 - Unit tests for ref validation, storage key mapping, and signed URL verification.
--- a/api/agent-notes/core/app_bundle/source_zip_extractor.py.md
+++ b/api/agent-notes/core/app_bundle/source_zip_extractor.py.md
@ -1,10 +0,0 @@
 Summary:
 Summary:
 - Extracts asset files from a zip and persists them into app asset storage.
 Invariants:
 - Rejects path traversal/absolute/backslash paths.
 - Saves extracted files via AppAssetStorage draft refs.
 Tests:
 - Zip security edge cases and tree construction tests.
--- a/api/agent-notes/core/sandbox/initializer/app_assets_initializer.py.md
+++ b/api/agent-notes/core/sandbox/initializer/app_assets_initializer.py.md
@ -1,9 +0,0 @@
 Summary:
 Summary:
 - Downloads published app asset zip into sandbox and extracts it.
 Invariants:
 - Uses AppAssetStorage to generate download URLs for build zips (internal URL).
 Tests:
 - Sandbox initialization integration tests.
--- a/api/agent-notes/core/sandbox/initializer/draft_app_assets_initializer.py.md
+++ b/api/agent-notes/core/sandbox/initializer/draft_app_assets_initializer.py.md
@ -1,12 +0,0 @@
 Summary:
 Summary:
 - Downloads draft/resolved assets into sandbox for draft execution.
 Invariants:
 - Uses AppAssetStorage to generate download URLs for draft/resolved refs (internal URL).
 Edge Cases:
 - No nodes -> returns early.
 Tests:
 - Sandbox draft initialization tests.
--- a/api/agent-notes/core/sandbox/sandbox.py.md
+++ b/api/agent-notes/core/sandbox/sandbox.py.md
@ -1,9 +0,0 @@
 Summary:
 - Sandbox lifecycle wrapper (ready/cancel/fail signals, mount/unmount, release).
 Invariants:
 - wait_ready raises with the original initialization error as the cause.
 - release always attempts unmount and environment release, logging failures.
 Tests:
 - Covered by sandbox lifecycle/unit tests and workflow execution error handling.
--- a/api/agent-notes/core/sandbox/security/init.py.md
+++ b/api/agent-notes/core/sandbox/security/init.py.md
@ -1,2 +0,0 @@
 Summary:
 - Sandbox security helper modules.
--- a/api/agent-notes/core/sandbox/security/archive_signer.py.md
+++ b/api/agent-notes/core/sandbox/security/archive_signer.py.md
@ -1,13 +0,0 @@
 Summary:
 - Generates and verifies signed URLs for sandbox archive upload/download.
 Invariants:
 - tenant_id and sandbox_id must be UUIDs.
 - Signatures are tenant-scoped and include operation, expiry, and nonce.
 Edge Cases:
 - Missing tenant private key raises ValueError.
 - Expired or tampered signatures are rejected.
 Tests:
 - Add unit tests if sandbox archive signature behavior expands.
--- a/api/agent-notes/core/sandbox/storage/archive_storage.py.md
+++ b/api/agent-notes/core/sandbox/storage/archive_storage.py.md
@ -1,12 +0,0 @@
 Summary:
 - Manages sandbox archive uploads/downloads for workspace persistence.
 Invariants:
 - Archive storage key is sandbox/<tenant_id>/<sandbox_id>.tar.gz.
 - Signed URLs are tenant-scoped and use external files URL.
 Edge Cases:
 - Missing archive skips mount.
 Tests:
 - Covered indirectly via sandbox integration tests.
--- a/api/agent-notes/core/skill/skill_manager.py.md
+++ b/api/agent-notes/core/skill/skill_manager.py.md
@ -1,9 +0,0 @@
 Summary:
 Summary:
 - Loads/saves skill bundles to app asset storage.
 Invariants:
 - Skill bundles use AppAssetStorage refs and JSON serialization.
 Tests:
 - Covered by skill bundle build/load unit tests.
--- a/api/agent-notes/core/virtual_environment/providers/e2b_sandbox.py.md
+++ b/api/agent-notes/core/virtual_environment/providers/e2b_sandbox.py.md
@ -1,16 +0,0 @@
 # E2B Sandbox Provider Notes
 ## Purpose
 - Implements the E2B-backed `VirtualEnvironment` provider and bootstraps sandbox metadata, file I/O, and command execution.
 ## Key Decisions
 - Sandbox metadata is gathered during `_construct_environment` using the E2B SDK before returning `Metadata`.
 - Architecture/OS detection uses a single `uname -m -s` call split by whitespace to reduce round-trips.
 - Command execution streams stdout/stderr through `QueueTransportReadCloser`; stdin is unsupported.
 ## Edge Cases
 - `release_environment` raises when sandbox termination fails.
 - `execute_command` runs in a background thread; consumers must read stdout/stderr until EOF.
 ## Tests/Verification
 - None yet. Add targeted service tests when behavior changes.
--- a/api/agent-notes/services/app_asset_service.py.md
+++ b/api/agent-notes/services/app_asset_service.py.md
@ -1,14 +0,0 @@
 Summary:
 - App asset CRUD, publish/build pipeline, and presigned URL generation.
 Invariants:
 - Asset storage access goes through AppAssetStorage + AssetPath, using app_asset_storage singleton.
 - Tree operations require tenant/app scoping and lock for mutation.
 - Asset zips are packaged via raw storage with storage keys from AppAssetStorage.
 Edge Cases:
 - File nodes larger than preview limit are rejected.
 - Deletion runs asynchronously; storage failures are logged.
 Tests:
 - Unit tests for storage URL generation and publish/build flows.
--- a/api/agent-notes/services/app_bundle_service.py.md
+++ b/api/agent-notes/services/app_bundle_service.py.md
@ -1,10 +0,0 @@
 Summary:
 Summary:
 - Imports app bundles, including asset extraction into app asset storage.
 Invariants:
 - Asset imports respect zip security checks and tenant/app scoping.
 - Draft asset packaging uses AppAssetStorage for key mapping.
 Tests:
 - Bundle import unit tests and zip validation coverage.
--- a/api/agent-notes/tests/unit_tests/core/app_assets/test_storage.py.md
+++ b/api/agent-notes/tests/unit_tests/core/app_assets/test_storage.py.md
@ -1,6 +0,0 @@
 Summary:
 Summary:
 - Unit tests for AppAssetStorage ref validation, key mapping, and signing.
 Tests:
 - Covers valid/invalid refs, signature verify, expiration handling, and proxy URL generation.
--- a/api/app.py
+++ b/api/app.py
@ -1,6 +1,6 @@
 from __future__ import annotations
-import os
+import logging
 import sys
 from typing import TYPE_CHECKING, cast
@ -10,12 +10,25 @@ if TYPE_CHECKING:
    celery: Celery
 HOST = "0.0.0.0"
 PORT = 5001
 logger = logging.getLogger(__name__)
 def is_db_command() -> bool:
    if len(sys.argv) > 1 and sys.argv[0].endswith("flask") and sys.argv[1] == "db":
        return True
    return False
 def log_startup_banner(host: str, port: int) -> None:
    debugger_attached = sys.gettrace() is not None
    logger.info("Serving Dify API via gevent WebSocket server")
    logger.info("Bound to http://%s:%s", host, port)
    logger.info("Debugger attached: %s", "on" if debugger_attached else "off")
    logger.info("Press CTRL+C to quit")
 # create app
 flask_app = None
 socketio_app = None
@ -38,13 +51,12 @@ else:
    socketio_app, flask_app = create_app()
    app = flask_app
-    celery = cast("Celery", flask_app.extensions["celery"])
+    celery = cast("Celery", app.extensions["celery"])
 if __name__ == "__main__":
    from gevent import pywsgi
    from geventwebsocket.handler import WebSocketHandler  # type: ignore[reportMissingTypeStubs]
-    host = os.environ.get("HOST", "0.0.0.0")
+    log_startup_banner(HOST, PORT)
-    port = int(os.environ.get("PORT", 5001))
+    server = pywsgi.WSGIServer((HOST, PORT), socketio_app, handler_class=WebSocketHandler)
    server = pywsgi.WSGIServer((host, port), socketio_app, handler_class=WebSocketHandler)
    server.serve_forever()
--- a/api/app_factory.py
+++ b/api/app_factory.py
@ -149,6 +149,7 @@ def initialize_extensions(app: DifyApp):
        ext_commands,
        ext_compress,
        ext_database,
        ext_enterprise_telemetry,
        ext_fastopenapi,
        ext_forward_refs,
        ext_hosting_provider,
@ -199,6 +200,7 @@ def initialize_extensions(app: DifyApp):
        ext_commands,
        ext_fastopenapi,
        ext_otel,
        ext_enterprise_telemetry,
        ext_request_logging,
        ext_session_factory,
    ]
--- a/api/bin/dify-cli-darwin-amd64
+++ b/api/bin/dify-cli-darwin-amd64
--- a/api/bin/dify-cli-darwin-arm64
+++ b/api/bin/dify-cli-darwin-arm64
--- a/api/bin/dify-cli-linux-amd64
+++ b/api/bin/dify-cli-linux-amd64
--- a/api/bin/dify-cli-linux-arm64
+++ b/api/bin/dify-cli-linux-arm64
--- a/api/celery_healthcheck.py
+++ b/api/celery_healthcheck.py
@ -0,0 +1,18 @@
 # This module provides a lightweight Celery instance for use in Docker health checks.
 # Unlike celery_entrypoint.py, this does NOT import app.py and therefore avoids
 # initializing all Flask extensions (DB, Redis, storage, blueprints, etc.).
 # Using this module keeps the health check fast and low-cost.
 from celery import Celery
 from configs import dify_config
 from extensions.ext_celery import get_celery_broker_transport_options, get_celery_ssl_options
 celery = Celery(broker=dify_config.CELERY_BROKER_URL)
 broker_transport_options = get_celery_broker_transport_options()
 if broker_transport_options:
    celery.conf.update(broker_transport_options=broker_transport_options)
 ssl_options = get_celery_ssl_options()
 if ssl_options:
    celery.conf.update(broker_use_ssl=ssl_options)
--- a/api/commands/account.py
+++ b/api/commands/account.py
@ -2,7 +2,6 @@ import base64
 import secrets
 import click
 from sqlalchemy.orm import sessionmaker
 from constants.languages import languages
 from extensions.ext_database import db
@ -25,30 +24,31 @@ def reset_password(email, new_password, password_confirm):
        return
    normalized_email = email.strip().lower()
-    with sessionmaker(db.engine, expire_on_commit=False).begin() as session:
+    account = AccountService.get_account_by_email_with_case_fallback(email.strip())
        account = AccountService.get_account_by_email_with_case_fallback(email.strip(), session=session)
-        if not account:
+    if not account:
-            click.echo(click.style(f"Account not found for email: {email}", fg="red"))
+        click.echo(click.style(f"Account not found for email: {email}", fg="red"))
-            return
+        return
-        try:
+    try:
-            valid_password(new_password)
+        valid_password(new_password)
-        except:
+    except:
-            click.echo(click.style(f"Invalid password. Must match {password_pattern}", fg="red"))
+        click.echo(click.style(f"Invalid password. Must match {password_pattern}", fg="red"))
-            return
+        return
-        # generate password salt
+    # generate password salt
-        salt = secrets.token_bytes(16)
+    salt = secrets.token_bytes(16)
-        base64_salt = base64.b64encode(salt).decode()
+    base64_salt = base64.b64encode(salt).decode()
-        # encrypt password with salt
+    # encrypt password with salt
-        password_hashed = hash_password(new_password, salt)
+    password_hashed = hash_password(new_password, salt)
-        base64_password_hashed = base64.b64encode(password_hashed).decode()
+    base64_password_hashed = base64.b64encode(password_hashed).decode()
-        account.password = base64_password_hashed
+    account = db.session.merge(account)
-        account.password_salt = base64_salt
+    account.password = base64_password_hashed
-        AccountService.reset_login_error_rate_limit(normalized_email)
+    account.password_salt = base64_salt
-        click.echo(click.style("Password reset successfully.", fg="green"))
+    db.session.commit()
    AccountService.reset_login_error_rate_limit(normalized_email)
    click.echo(click.style("Password reset successfully.", fg="green"))
@click.command("reset-email", help="Reset the account email.")
@ -65,21 +65,22 @@ def reset_email(email, new_email, email_confirm):
        return
    normalized_new_email = new_email.strip().lower()
-    with sessionmaker(db.engine, expire_on_commit=False).begin() as session:
+    account = AccountService.get_account_by_email_with_case_fallback(email.strip())
        account = AccountService.get_account_by_email_with_case_fallback(email.strip(), session=session)
-        if not account:
+    if not account:
-            click.echo(click.style(f"Account not found for email: {email}", fg="red"))
+        click.echo(click.style(f"Account not found for email: {email}", fg="red"))
-            return
+        return
-        try:
+    try:
-            email_validate(normalized_new_email)
+        email_validate(normalized_new_email)
-        except:
+    except:
-            click.echo(click.style(f"Invalid email: {new_email}", fg="red"))
+        click.echo(click.style(f"Invalid email: {new_email}", fg="red"))
-            return
+        return
-        account.email = normalized_new_email
+    account = db.session.merge(account)
-        click.echo(click.style("Email updated successfully.", fg="green"))
+    account.email = normalized_new_email
    db.session.commit()
    click.echo(click.style("Email updated successfully.", fg="green"))
@click.command("create-tenant", help="Create account and tenant.")
--- a/api/commands/plugin.py
+++ b/api/commands/plugin.py
@ -11,7 +11,7 @@ from configs import dify_config
 from core.helper import encrypter
 from core.plugin.entities.plugin_daemon import CredentialType
 from core.plugin.impl.plugin import PluginInstaller
-from core.tools.utils.system_encryption import encrypt_system_params as encrypt_system_oauth_params
+from core.tools.utils.system_oauth_encryption import encrypt_system_oauth_params
 from extensions.ext_database import db
 from models import Tenant
 from models.oauth import DatasourceOauthParamConfig, DatasourceProvider
--- a/api/commands/retention.py
+++ b/api/commands/retention.py
@ -1,7 +1,7 @@
 import datetime
 import logging
 import time
-from typing import Any
+from typing import TypedDict
 import click
 import sqlalchemy as sa
@ -503,7 +503,19 @@ def _find_orphaned_draft_variables(batch_size: int = 1000) -> list[str]:
        return [row[0] for row in result]
-def _count_orphaned_draft_variables() -> dict[str, Any]:
+class _AppOrphanCounts(TypedDict):
    variables: int
    files: int
 class OrphanedDraftVariableStatsDict(TypedDict):
    total_orphaned_variables: int
    total_orphaned_files: int
    orphaned_app_count: int
    orphaned_by_app: dict[str, _AppOrphanCounts]
 def _count_orphaned_draft_variables() -> OrphanedDraftVariableStatsDict:
    """
    Count orphaned draft variables by app, including associated file counts.
@ -526,7 +538,7 @@ def _count_orphaned_draft_variables() -> dict[str, Any]:
    with db.engine.connect() as conn:
        result = conn.execute(sa.text(variables_query))
-        orphaned_by_app = {}
+        orphaned_by_app: dict[str, _AppOrphanCounts] = {}
        total_files = 0
        for row in result:
--- a/api/commands/vector.py
+++ b/api/commands/vector.py
@ -341,11 +341,10 @@ def add_qdrant_index(field: str):
            click.echo(click.style("No dataset collection bindings found.", fg="red"))
            return
        import qdrant_client
        from dify_vdb_qdrant.qdrant_vector import PathQdrantParams, QdrantConfig
        from qdrant_client.http.exceptions import UnexpectedResponse
        from qdrant_client.http.models import PayloadSchemaType
        from core.rag.datasource.vdb.qdrant.qdrant_vector import PathQdrantParams, QdrantConfig
        for binding in bindings:
            if dify_config.QDRANT_URL is None:
                raise ValueError("Qdrant URL is required.")
--- a/api/configs/app_config.py
+++ b/api/configs/app_config.py
@ -2,14 +2,13 @@ import logging
 from pathlib import Path
 from typing import Any
 from pydantic import Field
 from pydantic.fields import FieldInfo
 from pydantic_settings import BaseSettings, PydanticBaseSettingsSource, SettingsConfigDict, TomlConfigSettingsSource
 from libs.file_utils import search_file_upwards
 from .deploy import DeploymentConfig
-from .enterprise import EnterpriseFeatureConfig
+from .enterprise import EnterpriseFeatureConfig, EnterpriseTelemetryConfig
 from .extra import ExtraServiceConfig
 from .feature import FeatureConfig
 from .middleware import MiddlewareConfig
@ -74,6 +73,8 @@ class DifyConfig(
    # Enterprise feature configs
    # **Before using, please contact business@dify.ai by email to inquire about licensing matters.**
    EnterpriseFeatureConfig,
    # Enterprise telemetry configs
    EnterpriseTelemetryConfig,
 ):
    model_config = SettingsConfigDict(
        # read from dotenv format config file
@ -83,17 +84,6 @@ class DifyConfig(
        extra="ignore",
    )
    SANDBOX_DIFY_CLI_ROOT: str | None = Field(
        default=None,
        description=(
            "Filesystem directory containing dify CLI binaries named dify-cli-<os>-<arch>. "
            "Defaults to api/bin when unset."
        ),
    )
    DIFY_PORT: int = Field(
        default=5001,
        description="Port used by Dify to communicate with the host machine.",
    )
    # Before adding any config,
    # please consider to arrange it in the proper config group of existed or added
    # for better readability and maintainability.
--- a/api/configs/enterprise/init.py
+++ b/api/configs/enterprise/init.py
@ -22,3 +22,52 @@ class EnterpriseFeatureConfig(BaseSettings):
    ENTERPRISE_REQUEST_TIMEOUT: int = Field(
        ge=1, description="Maximum timeout in seconds for enterprise requests", default=5
    )
 class EnterpriseTelemetryConfig(BaseSettings):
    """
    Configuration for enterprise telemetry.
    """
    ENTERPRISE_TELEMETRY_ENABLED: bool = Field(
        description="Enable enterprise telemetry collection (also requires ENTERPRISE_ENABLED=true).",
        default=False,
    )
    ENTERPRISE_OTLP_ENDPOINT: str = Field(
        description="Enterprise OTEL collector endpoint.",
        default="",
    )
    ENTERPRISE_OTLP_HEADERS: str = Field(
        description="Auth headers for OTLP export (key=value,key2=value2).",
        default="",
    )
    ENTERPRISE_OTLP_PROTOCOL: str = Field(
        description="OTLP protocol: 'http' or 'grpc' (default: http).",
        default="http",
    )
    ENTERPRISE_OTLP_API_KEY: str = Field(
        description="Bearer token for enterprise OTLP export authentication.",
        default="",
    )
    ENTERPRISE_INCLUDE_CONTENT: bool = Field(
        description="Include input/output content in traces (privacy toggle).",
        # Setting the default value to False to avoid accidentally log PII data in traces.
        default=False,
    )
    ENTERPRISE_SERVICE_NAME: str = Field(
        description="Service name for OTEL resource.",
        default="dify",
    )
    ENTERPRISE_OTEL_SAMPLING_RATE: float = Field(
        description="Sampling rate for enterprise traces (0.0 to 1.0, default 1.0 = 100%).",
        default=1.0,
        ge=0.0,
        le=1.0,
    )
--- a/api/configs/feature/init.py
+++ b/api/configs/feature/init.py
@ -271,17 +271,6 @@ class PluginConfig(BaseSettings):
    )
 class CliApiConfig(BaseSettings):
    """
    Configuration for CLI API (for dify-cli to call back from external sandbox environments)
    """
    CLI_API_URL: str = Field(
        description="CLI API URL for external sandbox (e.g., e2b) to call back.",
        default="http://localhost:5001",
    )
 class MarketplaceConfig(BaseSettings):
    """
    Configuration for marketplace
@ -298,27 +287,6 @@ class MarketplaceConfig(BaseSettings):
    )
 class CreatorsPlatformConfig(BaseSettings):
    """
    Configuration for creators platform
    """
    CREATORS_PLATFORM_FEATURES_ENABLED: bool = Field(
        description="Enable or disable creators platform features",
        default=True,
    )
    CREATORS_PLATFORM_API_URL: HttpUrl = Field(
        description="Creators Platform API URL",
        default=HttpUrl("https://creators.dify.ai"),
    )
    CREATORS_PLATFORM_OAUTH_CLIENT_ID: str = Field(
        description="OAuth client_id for the Creators Platform app registered in Dify",
        default="",
    )
 class EndpointConfig(BaseSettings):
    """
    Configuration for various application endpoints and URLs
@ -373,15 +341,6 @@ class FileAccessConfig(BaseSettings):
        default="",
    )
    FILES_API_URL: str = Field(
        description="Base URL for storage file ticket API endpoints."
        " Used by sandbox containers (internal or external like e2b) that need"
        " an absolute, routable address to upload/download files via the API."
        " For all-in-one Docker deployments, set to http://localhost."
        " For public sandbox environments, set to a public domain or IP.",
        default="",
    )
    FILES_ACCESS_TIMEOUT: int = Field(
        description="Expiration time in seconds for file access URLs",
        default=300,
@ -1423,9 +1382,7 @@ class FeatureConfig(
    TriggerConfig,
    AsyncWorkflowConfig,
    PluginConfig,
    CliApiConfig,
    MarketplaceConfig,
    CreatorsPlatformConfig,
    DataSetConfig,
    EndpointConfig,
    FileAccessConfig,
--- a/api/configs/middleware/init.py
+++ b/api/configs/middleware/init.py
@ -1,5 +1,5 @@
 import os
-from typing import Any, Literal
+from typing import Any, Literal, TypedDict
 from urllib.parse import parse_qsl, quote_plus
 from pydantic import Field, NonNegativeFloat, NonNegativeInt, PositiveFloat, PositiveInt, computed_field
@ -107,6 +107,17 @@ class KeywordStoreConfig(BaseSettings):
    )
 class SQLAlchemyEngineOptionsDict(TypedDict):
    pool_size: int
    max_overflow: int
    pool_recycle: int
    pool_pre_ping: bool
    connect_args: dict[str, str]
    pool_use_lifo: bool
    pool_reset_on_return: None
    pool_timeout: int
 class DatabaseConfig(BaseSettings):
    # Database type selector
    DB_TYPE: Literal["postgresql", "mysql", "oceanbase", "seekdb"] = Field(
@ -149,6 +160,16 @@ class DatabaseConfig(BaseSettings):
        default="",
    )
    DB_SESSION_TIMEZONE_OVERRIDE: str = Field(
        description=(
            "PostgreSQL session timezone override injected via startup options."
            " Default is 'UTC' for out-of-the-box consistency."
            " Set to empty string to disable app-level timezone injection, for example when using RDS Proxy"
            " together with a database-side default timezone."
        ),
        default="UTC",
    )
    @computed_field  # type: ignore[prop-decorator]
    @property
    def SQLALCHEMY_DATABASE_URI_SCHEME(self) -> str:
@ -209,21 +230,22 @@ class DatabaseConfig(BaseSettings):
    @computed_field  # type: ignore[prop-decorator]
    @property
-    def SQLALCHEMY_ENGINE_OPTIONS(self) -> dict[str, Any]:
+    def SQLALCHEMY_ENGINE_OPTIONS(self) -> SQLAlchemyEngineOptionsDict:
        # Parse DB_EXTRAS for 'options'
        db_extras_dict = dict(parse_qsl(self.DB_EXTRAS))
        options = db_extras_dict.get("options", "")
-        connect_args = {}
+        connect_args: dict[str, str] = {}
        # Use the dynamic SQLALCHEMY_DATABASE_URI_SCHEME property
        if self.SQLALCHEMY_DATABASE_URI_SCHEME.startswith("postgresql"):
-            timezone_opt = "-c timezone=UTC"
+            merged_options = options.strip()
-            if options:
+            session_timezone_override = self.DB_SESSION_TIMEZONE_OVERRIDE.strip()
-                merged_options = f"{options} {timezone_opt}"
+            if session_timezone_override:
-            else:
+                timezone_opt = f"-c timezone={session_timezone_override}"
-                merged_options = timezone_opt
+                merged_options = f"{merged_options} {timezone_opt}".strip() if merged_options else timezone_opt
-            connect_args = {"options": merged_options}
+            if merged_options:
                connect_args = {"options": merged_options}
-        return {
+        result: SQLAlchemyEngineOptionsDict = {
            "pool_size": self.SQLALCHEMY_POOL_SIZE,
            "max_overflow": self.SQLALCHEMY_MAX_OVERFLOW,
            "pool_recycle": self.SQLALCHEMY_POOL_RECYCLE,
@ -233,6 +255,7 @@ class DatabaseConfig(BaseSettings):
            "pool_reset_on_return": None,
            "pool_timeout": self.SQLALCHEMY_POOL_TIMEOUT,
        }
        return result
 class CeleryConfig(DatabaseConfig):
--- a/api/configs/middleware/cache/redis_config.py
+++ b/api/configs/middleware/cache/redis_config.py
@ -32,6 +32,11 @@ class RedisConfig(BaseSettings):
        default=0,
    )
    REDIS_KEY_PREFIX: str = Field(
        description="Optional global prefix for Redis keys, topics, and transport artifacts",
        default="",
    )
    REDIS_USE_SSL: bool = Field(
        description="Enable SSL/TLS for the Redis connection",
        default=False,
@ -117,6 +122,37 @@ class RedisConfig(BaseSettings):
        default=None,
    )
    REDIS_RETRY_RETRIES: NonNegativeInt = Field(
        description="Maximum number of retries per Redis command on "
        "transient failures (ConnectionError, TimeoutError, socket.timeout)",
        default=3,
    )
    REDIS_RETRY_BACKOFF_BASE: PositiveFloat = Field(
        description="Base delay in seconds for exponential backoff between retries",
        default=1.0,
    )
    REDIS_RETRY_BACKOFF_CAP: PositiveFloat = Field(
        description="Maximum backoff delay in seconds between retries",
        default=10.0,
    )
    REDIS_SOCKET_TIMEOUT: PositiveFloat | None = Field(
        description="Socket timeout in seconds for Redis read/write operations",
        default=5.0,
    )
    REDIS_SOCKET_CONNECT_TIMEOUT: PositiveFloat | None = Field(
        description="Socket timeout in seconds for Redis connection establishment",
        default=5.0,
    )
    REDIS_HEALTH_CHECK_INTERVAL: NonNegativeInt = Field(
        description="Interval in seconds between Redis connection health checks (0 to disable)",
        default=30,
    )
    @field_validator("REDIS_MAX_CONNECTIONS", mode="before")
    @classmethod
    def _empty_string_to_none_for_max_conns(cls, v):
--- a/api/configs/middleware/vdb/hologres_config.py
+++ b/api/configs/middleware/vdb/hologres_config.py
@ -1,4 +1,3 @@
 from holo_search_sdk.types import BaseQuantizationType, DistanceType, TokenizerType
 from pydantic import Field
 from pydantic_settings import BaseSettings
@ -42,17 +41,17 @@ class HologresConfig(BaseSettings):
        default="public",
    )
-    HOLOGRES_TOKENIZER: TokenizerType = Field(
+    HOLOGRES_TOKENIZER: str = Field(
        description="Tokenizer for full-text search index (e.g., 'jieba', 'ik', 'standard', 'simple').",
        default="jieba",
    )
-    HOLOGRES_DISTANCE_METHOD: DistanceType = Field(
+    HOLOGRES_DISTANCE_METHOD: str = Field(
        description="Distance method for vector index (e.g., 'Cosine', 'Euclidean', 'InnerProduct').",
        default="Cosine",
    )
-    HOLOGRES_BASE_QUANTIZATION_TYPE: BaseQuantizationType = Field(
+    HOLOGRES_BASE_QUANTIZATION_TYPE: str = Field(
        description="Base quantization type for vector index (e.g., 'rabitq', 'sq8', 'fp16', 'fp32').",
        default="rabitq",
    )
--- a/api/configs/middleware/vdb/iris_config.py
+++ b/api/configs/middleware/vdb/iris_config.py
@ -1,5 +1,7 @@
 """Configuration for InterSystems IRIS vector database."""
 from typing import Any
 from pydantic import Field, PositiveInt, model_validator
 from pydantic_settings import BaseSettings
@ -64,7 +66,7 @@ class IrisVectorConfig(BaseSettings):
    @model_validator(mode="before")
    @classmethod
-    def validate_config(cls, values: dict) -> dict:
+    def validate_config(cls, values: dict[str, Any]) -> dict[str, Any]:
        """Validate IRIS configuration values.
        Args:
--- a/api/constants/init.py
+++ b/api/constants/init.py
@ -7,15 +7,16 @@ UUID_NIL = "00000000-0000-0000-0000-000000000000"
 DEFAULT_FILE_NUMBER_LIMITS = 3
-IMAGE_EXTENSIONS = convert_to_lower_and_upper_set({"jpg", "jpeg", "png", "webp", "gif", "svg"})
+_IMAGE_EXTENSION_BASE: frozenset[str] = frozenset(("jpg", "jpeg", "png", "webp", "gif", "svg"))
 _VIDEO_EXTENSION_BASE: frozenset[str] = frozenset(("mp4", "mov", "mpeg", "webm"))
 _AUDIO_EXTENSION_BASE: frozenset[str] = frozenset(("mp3", "m4a", "wav", "amr", "mpga"))
-VIDEO_EXTENSIONS = convert_to_lower_and_upper_set({"mp4", "mov", "mpeg", "webm"})
+IMAGE_EXTENSIONS: frozenset[str] = frozenset(convert_to_lower_and_upper_set(_IMAGE_EXTENSION_BASE))
 VIDEO_EXTENSIONS: frozenset[str] = frozenset(convert_to_lower_and_upper_set(_VIDEO_EXTENSION_BASE))
 AUDIO_EXTENSIONS: frozenset[str] = frozenset(convert_to_lower_and_upper_set(_AUDIO_EXTENSION_BASE))
-AUDIO_EXTENSIONS = convert_to_lower_and_upper_set({"mp3", "m4a", "wav", "amr", "mpga"})
+_UNSTRUCTURED_DOCUMENT_EXTENSION_BASE: frozenset[str] = frozenset(
-
+    (
 _doc_extensions: set[str]
 if dify_config.ETL_TYPE == "Unstructured":
    _doc_extensions = {
        "txt",
        "markdown",
        "md",
@ -35,11 +36,10 @@ if dify_config.ETL_TYPE == "Unstructured":
        "pptx",
        "xml",
        "epub",
-    }
+    )
-    if dify_config.UNSTRUCTURED_API_URL:
+)
-        _doc_extensions.add("ppt")
+_DEFAULT_DOCUMENT_EXTENSION_BASE: frozenset[str] = frozenset(
-else:
+    (
    _doc_extensions = {
        "txt",
        "markdown",
        "md",
@ -53,8 +53,17 @@ else:
        "csv",
        "vtt",
        "properties",
-    }
+    )
-DOCUMENT_EXTENSIONS: set[str] = convert_to_lower_and_upper_set(_doc_extensions)
+)
 _doc_extensions: set[str]
 if dify_config.ETL_TYPE == "Unstructured":
    _doc_extensions = set(_UNSTRUCTURED_DOCUMENT_EXTENSION_BASE)
    if dify_config.UNSTRUCTURED_API_URL:
        _doc_extensions.add("ppt")
 else:
    _doc_extensions = set(_DEFAULT_DOCUMENT_EXTENSION_BASE)
 DOCUMENT_EXTENSIONS: frozenset[str] = frozenset(convert_to_lower_and_upper_set(_doc_extensions))
 # console
 COOKIE_NAME_ACCESS_TOKEN = "access_token"
--- a/api/context/init.py
+++ b/api/context/init.py
@ -1,74 +1,36 @@
 """
-Core Context - Framework-agnostic context management.
+Application-layer context adapters.
-This module provides context management that is independent of any specific
+Concrete execution-context implementations live here so `graphon` only
-web framework. Framework-specific implementations register their context
+depends on injected context managers rather than framework state capture.
 capture functions at application initialization time.
 This ensures the workflow layer remains completely decoupled from Flask
 or any other web framework.
 """
-import contextvars
+from context.execution_context import (
-from collections.abc import Callable
+    AppContext,
-
+    ContextProviderNotFoundError,
 from dify_graph.context.execution_context import (
    ExecutionContext,
    ExecutionContextBuilder,
    IExecutionContext,
    NullAppContext,
    capture_current_context,
    read_context,
    register_context,
    register_context_capturer,
    reset_context_provider,
 )
-
+from context.models import SandboxContext
 # Global capturer function - set by framework-specific modules
 _capturer: Callable[[], IExecutionContext] | None = None
 def register_context_capturer(capturer: Callable[[], IExecutionContext]) -> None:
    """
    Register a context capture function.
    This should be called by framework-specific modules (e.g., Flask)
    during application initialization.
    Args:
        capturer: Function that captures current context and returns IExecutionContext
    """
    global _capturer
    _capturer = capturer
 def capture_current_context() -> IExecutionContext:
    """
    Capture current execution context.
    This function uses the registered context capturer. If no capturer
    is registered, it returns a minimal context with only contextvars
    (suitable for non-framework environments like tests or standalone scripts).
    Returns:
        IExecutionContext with captured context
    """
    if _capturer is None:
        # No framework registered - return minimal context
        return ExecutionContext(
            app_context=NullAppContext(),
            context_vars=contextvars.copy_context(),
        )
    return _capturer()
 def reset_context_provider() -> None:
    """
    Reset the context capturer.
    This is primarily useful for testing to ensure a clean state.
    """
    global _capturer
    _capturer = None
 __all__ = [
    "AppContext",
    "ContextProviderNotFoundError",
    "ExecutionContext",
    "ExecutionContextBuilder",
    "IExecutionContext",
    "NullAppContext",
    "SandboxContext",
    "capture_current_context",
    "read_context",
    "register_context",
    "register_context_capturer",
    "reset_context_provider",
 ]
--- a/api/context/execution_context.py
+++ b/api/context/execution_context.py
@ -0,0 +1,251 @@
 """
 Application-layer execution context adapters.
 Concrete context capture lives outside `graphon` so the graph package only
 consumes injected context managers when it needs to preserve thread-local state.
 """
 import contextvars
 import threading
 from abc import ABC, abstractmethod
 from collections.abc import Callable, Generator
 from contextlib import AbstractContextManager, contextmanager
 from typing import Any, Protocol, final, runtime_checkable
 from pydantic import BaseModel
 class AppContext(ABC):
    """
    Abstract application context interface.
    Application adapters can implement this to restore framework-specific state
    such as Flask app context around worker execution.
    """
    @abstractmethod
    def get_config(self, key: str, default: Any = None) -> Any:
        """Get configuration value by key."""
        raise NotImplementedError
    @abstractmethod
    def get_extension(self, name: str) -> Any:
        """Get application extension by name."""
        raise NotImplementedError
    @abstractmethod
    def enter(self) -> AbstractContextManager[None]:
        """Enter the application context."""
        raise NotImplementedError
@runtime_checkable
 class IExecutionContext(Protocol):
    """
    Protocol for enterable execution context objects.
    Concrete implementations may carry extra framework state, but callers only
    depend on standard context-manager behavior plus optional user metadata.
    """
    def __enter__(self) -> "IExecutionContext":
        """Enter the execution context."""
        ...
    def __exit__(self, *args: Any) -> None:
        """Exit the execution context."""
        ...
    @property
    def user(self) -> Any:
        """Get user object."""
        ...
@final
 class ExecutionContext:
    """
    Generic execution context used by application-layer adapters.
    It restores captured `contextvars` and optionally enters an application
    context before the worker executes graph logic.
    """
    def __init__(
        self,
        app_context: AppContext | None = None,
        context_vars: contextvars.Context | None = None,
        user: Any = None,
    ) -> None:
        self._app_context = app_context
        self._context_vars = context_vars
        self._user = user
        self._local = threading.local()
    @property
    def app_context(self) -> AppContext | None:
        """Get application context."""
        return self._app_context
    @property
    def context_vars(self) -> contextvars.Context | None:
        """Get captured context variables."""
        return self._context_vars
    @property
    def user(self) -> Any:
        """Get captured user object."""
        return self._user
    @contextmanager
    def enter(self) -> Generator[None, None, None]:
        """Enter this execution context."""
        if self._context_vars:
            for var, val in self._context_vars.items():
                var.set(val)
        if self._app_context is not None:
            with self._app_context.enter():
                yield
        else:
            yield
    def __enter__(self) -> "ExecutionContext":
        """Enter the execution context."""
        cm = self.enter()
        self._local.cm = cm
        cm.__enter__()
        return self
    def __exit__(self, *args: Any) -> None:
        """Exit the execution context."""
        cm = getattr(self._local, "cm", None)
        if cm is not None:
            cm.__exit__(*args)
 class NullAppContext(AppContext):
    """
    Null application context for non-framework environments.
    """
    def __init__(self, config: dict[str, Any] | None = None) -> None:
        self._config = config or {}
        self._extensions: dict[str, Any] = {}
    def get_config(self, key: str, default: Any = None) -> Any:
        """Get configuration value by key."""
        return self._config.get(key, default)
    def get_extension(self, name: str) -> Any:
        """Get extension by name."""
        return self._extensions.get(name)
    def set_extension(self, name: str, extension: Any) -> None:
        """Register an extension for tests or standalone execution."""
        self._extensions[name] = extension
    @contextmanager
    def enter(self) -> Generator[None, None, None]:
        """Enter null context (no-op)."""
        yield
 class ExecutionContextBuilder:
    """
    Builder for creating `ExecutionContext` instances.
    """
    def __init__(self) -> None:
        self._app_context: AppContext | None = None
        self._context_vars: contextvars.Context | None = None
        self._user: Any = None
    def with_app_context(self, app_context: AppContext) -> "ExecutionContextBuilder":
        """Set application context."""
        self._app_context = app_context
        return self
    def with_context_vars(self, context_vars: contextvars.Context) -> "ExecutionContextBuilder":
        """Set context variables."""
        self._context_vars = context_vars
        return self
    def with_user(self, user: Any) -> "ExecutionContextBuilder":
        """Set user."""
        self._user = user
        return self
    def build(self) -> ExecutionContext:
        """Build the execution context."""
        return ExecutionContext(
            app_context=self._app_context,
            context_vars=self._context_vars,
            user=self._user,
        )
 _capturer: Callable[[], IExecutionContext] | None = None
 _tenant_context_providers: dict[tuple[str, str], Callable[[], BaseModel]] = {}
 class ContextProviderNotFoundError(KeyError):
    """Raised when a tenant-scoped context provider is missing."""
    pass
 def register_context_capturer(capturer: Callable[[], IExecutionContext]) -> None:
    """Register an enterable execution context capturer."""
    global _capturer
    _capturer = capturer
 def register_context(name: str, tenant_id: str, provider: Callable[[], BaseModel]) -> None:
    """Register a tenant-specific provider for a named context."""
    _tenant_context_providers[(name, tenant_id)] = provider
 def read_context(name: str, *, tenant_id: str) -> BaseModel:
    """Read a context value for a specific tenant."""
    provider = _tenant_context_providers.get((name, tenant_id))
    if provider is None:
        raise ContextProviderNotFoundError(f"Context provider '{name}' not registered for tenant '{tenant_id}'")
    return provider()
 def capture_current_context() -> IExecutionContext:
    """
    Capture current execution context from the calling environment.
    If no framework adapter is registered, return a minimal context that only
    restores `contextvars`.
    """
    if _capturer is None:
        return ExecutionContext(
            app_context=NullAppContext(),
            context_vars=contextvars.copy_context(),
        )
    return _capturer()
 def reset_context_provider() -> None:
    """Reset the capturer and tenant-scoped providers."""
    global _capturer
    _capturer = None
    _tenant_context_providers.clear()
 __all__ = [
    "AppContext",
    "ContextProviderNotFoundError",
    "ExecutionContext",
    "ExecutionContextBuilder",
    "IExecutionContext",
    "NullAppContext",
    "capture_current_context",
    "read_context",
    "register_context",
    "register_context_capturer",
    "reset_context_provider",
 ]
--- a/api/context/flask_app_context.py
+++ b/api/context/flask_app_context.py
@ -10,11 +10,7 @@ from typing import Any, final
 from flask import Flask, current_app, g
-from dify_graph.context import register_context_capturer
+from context.execution_context import AppContext, IExecutionContext, register_context_capturer
 from dify_graph.context.execution_context import (
    AppContext,
    IExecutionContext,
 )
@final
--- a/api/context/models.py
+++ b/api/context/models.py
@ -0,0 +1,13 @@
 from __future__ import annotations
 from pydantic import AnyHttpUrl, BaseModel
 class SandboxContext(BaseModel):
    """Typed context for sandbox integration. All fields optional by design."""
    sandbox_url: AnyHttpUrl | None = None
    sandbox_token: str | None = None  # optional, if later needed for auth
 __all__ = ["SandboxContext"]
--- a/api/contexts/init.py
+++ b/api/contexts/init.py
@ -6,7 +6,6 @@ from contexts.wrapper import RecyclableContextVar
 if TYPE_CHECKING:
    from core.datasource.__base.datasource_provider import DatasourcePluginProviderController
    from core.plugin.entities.plugin_daemon import PluginModelProviderEntity
    from core.tools.plugin_tool.provider import PluginToolProviderController
    from core.trigger.provider import PluginTriggerProviderController
@ -20,14 +19,6 @@ plugin_tool_providers: RecyclableContextVar[dict[str, "PluginToolProviderControl
 plugin_tool_providers_lock: RecyclableContextVar[Lock] = RecyclableContextVar(ContextVar("plugin_tool_providers_lock"))
 plugin_model_providers: RecyclableContextVar[list["PluginModelProviderEntity"] | None] = RecyclableContextVar(
    ContextVar("plugin_model_providers")
 )
 plugin_model_providers_lock: RecyclableContextVar[Lock] = RecyclableContextVar(
    ContextVar("plugin_model_providers_lock")
 )
 datasource_plugin_providers: RecyclableContextVar[dict[str, "DatasourcePluginProviderController"]] = (
    RecyclableContextVar(ContextVar("datasource_plugin_providers"))
 )
--- a/api/contexts/wrapper.py
+++ b/api/contexts/wrapper.py
@ -1,7 +1,4 @@
 from contextvars import ContextVar
 from typing import Generic, TypeVar
 T = TypeVar("T")
 class HiddenValue:
@ -11,7 +8,7 @@ class HiddenValue:
 _default = HiddenValue()
-class RecyclableContextVar(Generic[T]):
+class RecyclableContextVar[T]:
    """
    RecyclableContextVar is a wrapper around ContextVar
    It's safe to use in gunicorn with thread recycling, but features like `reset` are not available for now
--- a/api/controllers/cli_api/init.py
+++ b/api/controllers/cli_api/init.py
@ -1,27 +0,0 @@
 from flask import Blueprint
 from flask_restx import Namespace
 from libs.external_api import ExternalApi
 bp = Blueprint("cli_api", __name__, url_prefix="/cli/api")
 api = ExternalApi(
    bp,
    version="1.0",
    title="CLI API",
    description="APIs for Dify CLI to call back from external sandbox environments (e.g., e2b)",
 )
 # Create namespace
 cli_api_ns = Namespace("cli_api", description="CLI API operations", path="/")
 from .dify_cli import cli_api as _plugin
 api.add_namespace(cli_api_ns)
 __all__ = [
    "_plugin",
    "api",
    "bp",
    "cli_api_ns",
 ]
--- a/api/controllers/cli_api/dify_cli/cli_api.py
+++ b/api/controllers/cli_api/dify_cli/cli_api.py
@ -1,192 +0,0 @@
 from flask import abort
 from flask_restx import Resource
 from pydantic import BaseModel
 from controllers.cli_api import cli_api_ns
 from controllers.cli_api.dify_cli.wraps import get_cli_user_tenant, plugin_data
 from controllers.cli_api.wraps import cli_api_only
 from controllers.console.wraps import setup_required
 from core.app.entities.app_invoke_entities import InvokeFrom
 from core.plugin.backwards_invocation.app import PluginAppBackwardsInvocation
 from core.plugin.backwards_invocation.base import BaseBackwardsInvocationResponse
 from core.plugin.backwards_invocation.model import PluginModelBackwardsInvocation
 from core.plugin.backwards_invocation.tool import PluginToolBackwardsInvocation
 from core.plugin.entities.request import (
    RequestInvokeApp,
    RequestInvokeLLM,
    RequestInvokeTool,
    RequestRequestUploadFile,
 )
 from core.sandbox.bash.dify_cli import DifyCliToolConfig
 from core.session.cli_api import CliContext
 from core.skill.entities import ToolInvocationRequest
 from core.tools.entities.tool_entities import ToolProviderType
 from core.tools.tool_manager import ToolManager
 from dify_graph.file.helpers import get_signed_file_url_for_plugin
 from libs.helper import length_prefixed_response
 from models.account import Account
 from models.model import EndUser, Tenant
 class FetchToolItem(BaseModel):
    tool_type: str
    tool_provider: str
    tool_name: str
    credential_id: str | None = None
 class FetchToolBatchRequest(BaseModel):
    tools: list[FetchToolItem]
@cli_api_ns.route("/invoke/llm")
 class CliInvokeLLMApi(Resource):
    @cli_api_only
    @get_cli_user_tenant
    @setup_required
    @plugin_data(payload_type=RequestInvokeLLM)
    def post(
        self,
        user_model: Account | EndUser,
        tenant_model: Tenant,
        payload: RequestInvokeLLM,
        cli_context: CliContext,
    ):
        def generator():
            response = PluginModelBackwardsInvocation.invoke_llm(user_model.id, tenant_model, payload)
            return PluginModelBackwardsInvocation.convert_to_event_stream(response)
        return length_prefixed_response(0xF, generator())
@cli_api_ns.route("/invoke/tool")
 class CliInvokeToolApi(Resource):
    @cli_api_only
    @get_cli_user_tenant
    @setup_required
    @plugin_data(payload_type=RequestInvokeTool)
    def post(
        self,
        user_model: Account | EndUser,
        tenant_model: Tenant,
        payload: RequestInvokeTool,
        cli_context: CliContext,
    ):
        tool_type = ToolProviderType.value_of(payload.tool_type)
        request = ToolInvocationRequest(
            tool_type=tool_type,
            provider=payload.provider,
            tool_name=payload.tool,
            credential_id=payload.credential_id,
        )
        if cli_context.tool_access and not cli_context.tool_access.is_allowed(request):
            abort(403, description=f"Access denied for tool: {payload.provider}/{payload.tool}")
        def generator():
            return PluginToolBackwardsInvocation.convert_to_event_stream(
                PluginToolBackwardsInvocation.invoke_tool(
                    tenant_id=tenant_model.id,
                    user_id=user_model.id,
                    tool_type=tool_type,
                    provider=payload.provider,
                    tool_name=payload.tool,
                    tool_parameters=payload.tool_parameters,
                    credential_id=payload.credential_id,
                ),
            )
        return length_prefixed_response(0xF, generator())
@cli_api_ns.route("/invoke/app")
 class CliInvokeAppApi(Resource):
    @cli_api_only
    @get_cli_user_tenant
    @setup_required
    @plugin_data(payload_type=RequestInvokeApp)
    def post(
        self,
        user_model: Account | EndUser,
        tenant_model: Tenant,
        payload: RequestInvokeApp,
        cli_context: CliContext,
    ):
        response = PluginAppBackwardsInvocation.invoke_app(
            app_id=payload.app_id,
            user_id=user_model.id,
            tenant_id=tenant_model.id,
            conversation_id=payload.conversation_id,
            query=payload.query,
            stream=payload.response_mode == "streaming",
            inputs=payload.inputs,
            files=payload.files,
        )
        return length_prefixed_response(0xF, PluginAppBackwardsInvocation.convert_to_event_stream(response))
@cli_api_ns.route("/upload/file/request")
 class CliUploadFileRequestApi(Resource):
    @cli_api_only
    @get_cli_user_tenant
    @setup_required
    @plugin_data(payload_type=RequestRequestUploadFile)
    def post(
        self,
        user_model: Account | EndUser,
        tenant_model: Tenant,
        payload: RequestRequestUploadFile,
        cli_context: CliContext,
    ):
        url = get_signed_file_url_for_plugin(
            filename=payload.filename,
            mimetype=payload.mimetype,
            tenant_id=tenant_model.id,
            user_id=user_model.id,
        )
        return BaseBackwardsInvocationResponse(data={"url": url}).model_dump()
@cli_api_ns.route("/fetch/tools/batch")
 class CliFetchToolsBatchApi(Resource):
    @cli_api_only
    @get_cli_user_tenant
    @setup_required
    @plugin_data(payload_type=FetchToolBatchRequest)
    def post(
        self,
        user_model: Account | EndUser,
        tenant_model: Tenant,
        payload: FetchToolBatchRequest,
        cli_context: CliContext,
    ):
        tools: list[dict] = []
        for item in payload.tools:
            provider_type = ToolProviderType.value_of(item.tool_type)
            request = ToolInvocationRequest(
                tool_type=provider_type,
                provider=item.tool_provider,
                tool_name=item.tool_name,
                credential_id=item.credential_id,
            )
            if cli_context.tool_access and not cli_context.tool_access.is_allowed(request):
                abort(403, description=f"Access denied for tool: {item.tool_provider}/{item.tool_name}")
            try:
                tool_runtime = ToolManager.get_tool_runtime(
                    tenant_id=tenant_model.id,
                    provider_type=provider_type,
                    provider_id=item.tool_provider,
                    tool_name=item.tool_name,
                    invoke_from=InvokeFrom.AGENT,
                    credential_id=item.credential_id,
                )
                tool_config = DifyCliToolConfig.create_from_tool(tool_runtime)
                tools.append(tool_config.model_dump())
            except Exception:
                continue
        return BaseBackwardsInvocationResponse(data={"tools": tools}).model_dump()
--- a/api/controllers/cli_api/dify_cli/wraps.py
+++ b/api/controllers/cli_api/dify_cli/wraps.py
@ -1,137 +0,0 @@
 from collections.abc import Callable
 from functools import wraps
 from typing import ParamSpec, TypeVar
 from flask import current_app, g, request
 from flask_login import user_logged_in
 from pydantic import BaseModel
 from sqlalchemy.orm import Session
 from core.session.cli_api import CliApiSession, CliContext
 from extensions.ext_database import db
 from libs.login import current_user
 from models.account import Tenant
 from models.model import DefaultEndUserSessionID, EndUser
 P = ParamSpec("P")
 R = TypeVar("R")
 class TenantUserPayload(BaseModel):
    tenant_id: str
    user_id: str
 def get_user(tenant_id: str, user_id: str | None) -> EndUser:
    """
    Get current user
    NOTE: user_id is not trusted, it could be maliciously set to any value.
    As a result, it could only be considered as an end user id.
    """
    if not user_id:
        user_id = DefaultEndUserSessionID.DEFAULT_SESSION_ID
    is_anonymous = user_id == DefaultEndUserSessionID.DEFAULT_SESSION_ID
    try:
        with Session(db.engine) as session:
            user_model = None
            if is_anonymous:
                user_model = (
                    session.query(EndUser)
                    .where(
                        EndUser.session_id == user_id,
                        EndUser.tenant_id == tenant_id,
                    )
                    .first()
                )
            else:
                user_model = (
                    session.query(EndUser)
                    .where(
                        EndUser.id == user_id,
                        EndUser.tenant_id == tenant_id,
                    )
                    .first()
                )
            if not user_model:
                user_model = EndUser(
                    tenant_id=tenant_id,
                    type="service_api",
                    is_anonymous=is_anonymous,
                    session_id=user_id,
                )
                session.add(user_model)
                session.commit()
                session.refresh(user_model)
    except Exception:
        raise ValueError("user not found")
    return user_model
 def get_cli_user_tenant(view_func: Callable[P, R]):
    @wraps(view_func)
    def decorated_view(*args: P.args, **kwargs: P.kwargs):
        session: CliApiSession | None = getattr(g, "cli_api_session", None)
        if session is None:
            raise ValueError("session not found")
        user_id = session.user_id
        tenant_id = session.tenant_id
        cli_context = CliContext.model_validate(session.context)
        if not user_id:
            user_id = DefaultEndUserSessionID.DEFAULT_SESSION_ID
        try:
            tenant_model = (
                db.session.query(Tenant)
                .where(
                    Tenant.id == tenant_id,
                )
                .first()
            )
        except Exception:
            raise ValueError("tenant not found")
        if not tenant_model:
            raise ValueError("tenant not found")
        kwargs["tenant_model"] = tenant_model
        kwargs["user_model"] = get_user(tenant_id, user_id)
        kwargs["cli_context"] = cli_context
        current_app.login_manager._update_request_context_with_user(kwargs["user_model"])  # type: ignore
        user_logged_in.send(current_app._get_current_object(), user=current_user)  # type: ignore
        return view_func(*args, **kwargs)
    return decorated_view
 def plugin_data(view: Callable[P, R] | None = None, *, payload_type: type[BaseModel]):
    def decorator(view_func: Callable[P, R]):
        @wraps(view_func)
        def decorated_view(*args: P.args, **kwargs: P.kwargs):
            try:
                data = request.get_json()
            except Exception:
                raise ValueError("invalid json")
            try:
                payload = payload_type.model_validate(data)
            except Exception as e:
                raise ValueError(f"invalid payload: {str(e)}")
            kwargs["payload"] = payload
            return view_func(*args, **kwargs)
        return decorated_view
    if view is None:
        return decorator
    else:
        return decorator(view)
--- a/api/controllers/cli_api/wraps.py
+++ b/api/controllers/cli_api/wraps.py
@ -1,56 +0,0 @@
 import hashlib
 import hmac
 import time
 from collections.abc import Callable
 from functools import wraps
 from typing import ParamSpec, TypeVar
 from flask import abort, g, request
 from core.session.cli_api import CliApiSessionManager
 P = ParamSpec("P")
 R = TypeVar("R")
 SIGNATURE_TTL_SECONDS = 300
 def _verify_signature(session_secret: str, timestamp: str, body: bytes, signature: str) -> bool:
    expected = hmac.new(
        session_secret.encode(),
        f"{timestamp}.".encode() + body,
        hashlib.sha256,
    ).hexdigest()
    return hmac.compare_digest(f"sha256={expected}", signature)
 def cli_api_only(view: Callable[P, R]):
    @wraps(view)
    def decorated(*args: P.args, **kwargs: P.kwargs):
        session_id = request.headers.get("X-Cli-Api-Session-Id")
        timestamp = request.headers.get("X-Cli-Api-Timestamp")
        signature = request.headers.get("X-Cli-Api-Signature")
        if not session_id or not timestamp or not signature:
            abort(401)
        try:
            ts = int(timestamp)
            if abs(time.time() - ts) > SIGNATURE_TTL_SECONDS:
                abort(401)
        except ValueError:
            abort(401)
        session = CliApiSessionManager().get(session_id)
        if not session:
            abort(401)
        body = request.get_data()
        if not _verify_signature(session.secret, timestamp, body, signature):
            abort(401)
        g.cli_api_session = session
        return view(*args, **kwargs)
    return decorated
--- a/api/controllers/common/controller_schemas.py
+++ b/api/controllers/common/controller_schemas.py
@ -0,0 +1,104 @@
 from typing import Any, Literal
 from uuid import UUID
 from pydantic import BaseModel, Field, model_validator
 from libs.helper import UUIDStrOrEmpty
 # --- Conversation schemas ---
 class ConversationRenamePayload(BaseModel):
    name: str | None = None
    auto_generate: bool = False
    @model_validator(mode="after")
    def validate_name_requirement(self):
        if not self.auto_generate:
            if self.name is None or not self.name.strip():
                raise ValueError("name is required when auto_generate is false")
        return self
 # --- Message schemas ---
 class MessageListQuery(BaseModel):
    conversation_id: UUIDStrOrEmpty = Field(description="Conversation UUID")
    first_id: UUIDStrOrEmpty | None = Field(default=None, description="First message ID for pagination")
    limit: int = Field(default=20, ge=1, le=100, description="Number of messages to return (1-100)")
 class MessageFeedbackPayload(BaseModel):
    rating: Literal["like", "dislike"] | None = None
    content: str | None = None
 # --- Saved message schemas ---
 class SavedMessageListQuery(BaseModel):
    last_id: UUIDStrOrEmpty | None = None
    limit: int = Field(default=20, ge=1, le=100)
 class SavedMessageCreatePayload(BaseModel):
    message_id: UUIDStrOrEmpty
 # --- Workflow schemas ---
 class DefaultBlockConfigQuery(BaseModel):
    q: str | None = None
 class WorkflowListQuery(BaseModel):
    page: int = Field(default=1, ge=1, le=99999)
    limit: int = Field(default=10, ge=1, le=100)
    user_id: str | None = None
    named_only: bool = False
 class WorkflowRunPayload(BaseModel):
    inputs: dict[str, Any]
    files: list[dict[str, Any]] | None = None
 class WorkflowUpdatePayload(BaseModel):
    marked_name: str | None = Field(default=None, max_length=20)
    marked_comment: str | None = Field(default=None, max_length=100)
 # --- Dataset schemas ---
 DOCUMENT_BATCH_DOWNLOAD_ZIP_MAX_DOCS = 100
 class ChildChunkCreatePayload(BaseModel):
    content: str
 class ChildChunkUpdatePayload(BaseModel):
    content: str
 class DocumentBatchDownloadZipPayload(BaseModel):
    """Request payload for bulk downloading documents as a zip archive."""
    document_ids: list[UUID] = Field(..., min_length=1, max_length=DOCUMENT_BATCH_DOWNLOAD_ZIP_MAX_DOCS)
 class MetadataUpdatePayload(BaseModel):
    name: str
 # --- Audio schemas ---
 class TextToAudioPayload(BaseModel):
    message_id: str | None = Field(default=None, description="Message ID")
    voice: str | None = Field(default=None, description="Voice to use for TTS")
    text: str | None = Field(default=None, description="Text to convert to audio")
    streaming: bool | None = Field(default=None, description="Enable streaming response")
--- a/api/controllers/common/fields.py
+++ b/api/controllers/common/fields.py
@ -1,14 +1,14 @@
 from __future__ import annotations
-from typing import Any, TypeAlias
+from typing import Any
 from graphon.file import helpers as file_helpers
 from pydantic import BaseModel, ConfigDict, computed_field
 from dify_graph.file import helpers as file_helpers
 from models.model import IconType
-JSONValue: TypeAlias = str | int | float | bool | None | dict[str, Any] | list[Any]
+type JSONValue = str | int | float | bool | None | dict[str, Any] | list[Any]
-JSONObject: TypeAlias = dict[str, Any]
+type JSONObject = dict[str, Any]
 class SystemParameters(BaseModel):
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`../../.agents/skills/e2e-cucumber-playwright`
		`@ -1,2 +0,0 @@`
			`Summary:`
			`- Sandbox security helper modules.`