Merge remote-tracking branch 'origin/main' into codex/dify-ui-package-migration

remove
fix(web): support lint tooling package exports
2026-05-20 16:57:01 +08:00 · 2026-04-03 12:14:22 +08:00 · 2026-04-02 18:35:02 +08:00 · 2026-04-02 18:29:44 +08:00 · 2026-04-02 18:25:16 +08:00
6370 changed files with 146852 additions and 376910 deletions
--- a/.agents/skills/component-refactoring/SKILL.md
+++ b/.agents/skills/component-refactoring/SKILL.md
@ -63,7 +63,7 @@ pnpm analyze-component <path> --json
 ```typescript
 // ❌ Before: Complex state logic in component
-function Configuration() {
+const Configuration: FC = () => {
  const [modelConfig, setModelConfig] = useState<ModelConfig>(...)
  const [datasetConfigs, setDatasetConfigs] = useState<DatasetConfigs>(...)
  const [completionParams, setCompletionParams] = useState<FormValue>({})
@ -85,7 +85,7 @@ export const useModelConfig = (appId: string) => {
 }
 // Component becomes cleaner
-function Configuration() {
+const Configuration: FC = () => {
  const { modelConfig, setModelConfig } = useModelConfig(appId)
  return <div>...</div>
 }
@ -189,6 +189,8 @@ const Template = useMemo(() => {
 **Dify Convention**:
 - This skill is for component decomposition, not query/mutation design.
 - When refactoring data fetching, follow `web/AGENTS.md`.
 - Use `frontend-query-mutation` for contracts, query shape, data-fetching wrappers, query/mutation call-site patterns, conditional queries, invalidation, and mutation error handling.
 - Do not introduce deprecated `useInvalid` / `useReset`.
 - Do not add thin passthrough `useQuery` wrappers during refactoring; only extract a custom hook when it truly orchestrates multiple queries/mutations or shared derived state.
@ -365,7 +367,7 @@ For each extraction:
  ┌────────────────────────────────────────┐
  │ 1. Extract code                        │
  │ 2. Run: pnpm lint:fix                  │
-  │ 3. Run: pnpm type-check                │
+  │ 3. Run: pnpm type-check:tsgo           │
  │ 4. Run: pnpm test                      │
  │ 5. Test functionality manually         │
  │ 6. PASS? → Next extraction             │
--- a/.agents/skills/component-refactoring/references/complexity-patterns.md
+++ b/.agents/skills/component-refactoring/references/complexity-patterns.md
@ -60,10 +60,8 @@ const Template = useMemo(() => {
 **After** (complexity: ~3):
 ```typescript
 import type { ComponentType } from 'react'
 // Define lookup table outside component
-const TEMPLATE_MAP: Record<AppModeEnum, Record<string, ComponentType<TemplateProps>>> = {
+const TEMPLATE_MAP: Record<AppModeEnum, Record<string, FC<TemplateProps>>> = {
  [AppModeEnum.CHAT]: {
    [LanguagesSupported[1]]: TemplateChatZh,
    [LanguagesSupported[7]]: TemplateChatJa,
--- a/.agents/skills/component-refactoring/references/component-splitting.md
+++ b/.agents/skills/component-refactoring/references/component-splitting.md
@ -65,10 +65,10 @@ interface ConfigurationHeaderProps {
  onPublish: () => void
 }
-function ConfigurationHeader({
+const ConfigurationHeader: FC<ConfigurationHeaderProps> = ({
  isAdvancedMode,
  onPublish,
-}: ConfigurationHeaderProps) {
+}) => {
  const { t } = useTranslation()
  return (
@ -136,7 +136,7 @@ const AppInfo = () => {
 }
 // ✅ After: Separate view components
-function AppInfoExpanded({ appDetail, onAction }: AppInfoViewProps) {
+const AppInfoExpanded: FC<AppInfoViewProps> = ({ appDetail, onAction }) => {
  return (
    <div className="expanded">
      {/* Clean, focused expanded view */}
@ -144,7 +144,7 @@ function AppInfoExpanded({ appDetail, onAction }: AppInfoViewProps) {
  )
 }
-function AppInfoCollapsed({ appDetail, onAction }: AppInfoViewProps) {
+const AppInfoCollapsed: FC<AppInfoViewProps> = ({ appDetail, onAction }) => {
  return (
    <div className="collapsed">
      {/* Clean, focused collapsed view */}
@ -203,12 +203,12 @@ interface AppInfoModalsProps {
  onSuccess: () => void
 }
-function AppInfoModals({
+const AppInfoModals: FC<AppInfoModalsProps> = ({
  appDetail,
  activeModal,
  onClose,
  onSuccess,
-}: AppInfoModalsProps) {
+}) => {
  const handleEdit = async (data) => { /* logic */ }
  const handleDuplicate = async (data) => { /* logic */ }
  const handleDelete = async () => { /* logic */ }
@ -296,7 +296,7 @@ interface OperationItemProps {
  onAction: (id: string) => void
 }
-function OperationItem({ operation, onAction }: OperationItemProps) {
+const OperationItem: FC<OperationItemProps> = ({ operation, onAction }) => {
  return (
    <div className="operation-item">
      <span className="icon">{operation.icon}</span>
@ -435,7 +435,7 @@ interface ChildProps {
  onSubmit: () => void
 }
-function Child({ value, onChange, onSubmit }: ChildProps) {
+const Child: FC<ChildProps> = ({ value, onChange, onSubmit }) => {
  return (
    <div>
      <input value={value} onChange={e => onChange(e.target.value)} />
--- a/.agents/skills/component-refactoring/references/hook-extraction.md
+++ b/.agents/skills/component-refactoring/references/hook-extraction.md
@ -112,13 +112,13 @@ export const useModelConfig = ({
 ```typescript
 // Before: 50+ lines of state management
-function Configuration() {
+const Configuration: FC = () => {
  const [modelConfig, setModelConfig] = useState<ModelConfig>(...)
  // ... lots of related state and effects
 }
 // After: Clean component
-function Configuration() {
+const Configuration: FC = () => {
  const {
    modelConfig,
    setModelConfig,
@ -159,6 +159,8 @@ function Configuration() {
 When hook extraction touches query or mutation code, do not use this reference as the source of truth for data-layer patterns.
 - Follow `web/AGENTS.md` first.
 - Use `frontend-query-mutation` for contracts, query shape, data-fetching wrappers, query/mutation call-site patterns, conditional queries, invalidation, and mutation error handling.
 - Do not introduce deprecated `useInvalid` / `useReset`.
 - Do not extract thin passthrough `useQuery` hooks; only extract orchestration hooks.
--- a/.agents/skills/e2e-cucumber-playwright/SKILL.md
+++ b/.agents/skills/e2e-cucumber-playwright/SKILL.md
@ -1,79 +0,0 @@
 ---
 name: e2e-cucumber-playwright
 description: Write, update, or review Dify end-to-end tests under `e2e/` that use Cucumber, Gherkin, and Playwright. Use when the task involves `.feature` files, `features/step-definitions/`, `features/support/`, `DifyWorld`, scenario tags, locator/assertion choices, or E2E testing best practices for this repository.
 ---
 # Dify E2E Cucumber + Playwright
 Use this skill for Dify's repository-level E2E suite in `e2e/`. Use [`e2e/AGENTS.md`](../../../e2e/AGENTS.md) as the canonical guide for local architecture and conventions, then apply Playwright/Cucumber best practices only where they fit the current suite.
 ## Scope
 - Use this skill for `.feature` files, Cucumber step definitions, `DifyWorld`, hooks, tags, and E2E review work under `e2e/`.
 - Do not use this skill for Vitest or React Testing Library work under `web/`; use `frontend-testing` instead.
 - Do not use this skill for backend test or API review tasks under `api/`.
 ## Read Order
 1. Read [`e2e/AGENTS.md`](../../../e2e/AGENTS.md) first.
 2. Read only the files directly involved in the task:
   - target `.feature` files under `e2e/features/`
   - related step files under `e2e/features/step-definitions/`
   - `e2e/features/support/hooks.ts` and `e2e/features/support/world.ts` when session lifecycle or shared state matters
   - `e2e/scripts/run-cucumber.ts` and `e2e/cucumber.config.ts` when tags or execution flow matter
 3. Read [`references/playwright-best-practices.md`](references/playwright-best-practices.md) only when locator, assertion, isolation, or waiting choices are involved.
 4. Read [`references/cucumber-best-practices.md`](references/cucumber-best-practices.md) only when scenario wording, step granularity, tags, or expression design are involved.
 5. Re-check official Playwright or Cucumber docs with the available documentation tools before introducing a new framework pattern.
 ## Local Rules
 - `e2e/` uses Cucumber for scenarios and Playwright as the browser layer.
 - `DifyWorld` is the per-scenario context object. Type `this` as `DifyWorld` and use `async function`, not arrow functions.
 - Keep glue organized by capability under `e2e/features/step-definitions/`; use `common/` only for broadly reusable steps.
 - Browser session behavior comes from `features/support/hooks.ts`:
  - default: authenticated session with shared storage state
  - `@unauthenticated`: clean browser context
  - `@authenticated`: readability/selective-run tag only unless implementation changes
  - `@fresh`: only for `e2e:full*` flows
 - Do not import Playwright Test runner patterns that bypass the current Cucumber + `DifyWorld` architecture unless the task is explicitly about changing that architecture.
 ## Workflow
 1. Rebuild local context.
   - Inspect the target feature area.
   - Reuse an existing step when wording and behavior already match.
   - Add a new step only for a genuinely new user action or assertion.
   - Keep edits close to the current capability folder unless the step is broadly reusable.
 2. Write behavior-first scenarios.
   - Describe user-observable behavior, not DOM mechanics.
   - Keep each scenario focused on one workflow or outcome.
   - Keep scenarios independent and re-runnable.
 3. Write step definitions in the local style.
   - Keep one step to one user-visible action or one assertion.
   - Prefer Cucumber Expressions such as `{string}` and `{int}`.
   - Scope locators to stable containers when the page has repeated elements.
   - Avoid page-object layers or extra helper abstractions unless repeated complexity clearly justifies them.
 4. Use Playwright in the local style.
   - Prefer user-facing locators: `getByRole`, `getByLabel`, `getByPlaceholder`, `getByText`, then `getByTestId` for explicit contracts.
   - Use web-first `expect(...)` assertions.
   - Do not use `waitForTimeout`, manual polling, or raw visibility checks when a locator action or retrying assertion already expresses the behavior.
 5. Validate narrowly.
   - Run the narrowest tagged scenario or flow that exercises the change.
   - Run `pnpm -C e2e check`.
   - Broaden verification only when the change affects hooks, tags, setup, or shared step semantics.
 ## Review Checklist
 - Does the scenario describe behavior rather than implementation?
 - Does it fit the current session model, tags, and `DifyWorld` usage?
 - Should an existing step be reused instead of adding a new one?
 - Are locators user-facing and assertions web-first?
 - Does the change introduce hidden coupling across scenarios, tags, or instance state?
 - Does it document or implement behavior that differs from the real hooks or configuration?
 Lead findings with correctness, flake risk, and architecture drift.
 ## References
 - [`references/playwright-best-practices.md`](references/playwright-best-practices.md)
 - [`references/cucumber-best-practices.md`](references/cucumber-best-practices.md)
--- a/.agents/skills/e2e-cucumber-playwright/agents/openai.yaml
+++ b/.agents/skills/e2e-cucumber-playwright/agents/openai.yaml
@ -1,4 +0,0 @@
 interface:
  display_name: "E2E Cucumber + Playwright"
  short_description: "Write and review Dify E2E scenarios."
  default_prompt: "Use $e2e-cucumber-playwright to write or review a Dify E2E scenario under e2e/."
--- a/.agents/skills/e2e-cucumber-playwright/references/cucumber-best-practices.md
+++ b/.agents/skills/e2e-cucumber-playwright/references/cucumber-best-practices.md
@ -1,93 +0,0 @@
 # Cucumber Best Practices For Dify E2E
 Use this reference when writing or reviewing Gherkin scenarios, step definitions, parameter expressions, and step reuse in Dify's `e2e/` suite.
 Official sources:
 - https://cucumber.io/docs/guides/10-minute-tutorial/
 - https://cucumber.io/docs/cucumber/step-definitions/
 - https://cucumber.io/docs/cucumber/cucumber-expressions/
 ## What Matters Most
 ### 1. Treat scenarios as executable specifications
 Cucumber scenarios should describe examples of behavior, not test implementation recipes.
 Apply it like this:
 - write what the user does and what should happen
 - avoid UI-internal wording such as selector details, DOM structure, or component names
 - keep language concrete enough that the scenario reads like living documentation
 ### 2. Keep scenarios focused
 A scenario should usually prove one workflow or business outcome. If a scenario wanders across several unrelated behaviors, split it.
 In Dify's suite, this means:
 - one capability-focused scenario per feature path
 - no long setup chains when existing bootstrap or reusable steps already cover them
 - no hidden dependency on another scenario's side effects
 ### 3. Reuse steps, but only when behavior really matches
 Good reuse reduces duplication. Bad reuse hides meaning.
 Prefer reuse when:
 - the user action is genuinely the same
 - the expected outcome is genuinely the same
 - the wording stays natural across features
 Write a new step when:
 - the behavior is materially different
 - reusing the old wording would make the scenario misleading
 - a supposedly generic step would become an implementation-detail wrapper
 ### 4. Prefer Cucumber Expressions
 Use Cucumber Expressions for parameters unless regex is clearly necessary.
 Common examples:
 - `{string}` for labels, names, and visible text
 - `{int}` for counts
 - `{float}` for decimal values
 - `{word}` only when the value is truly a single token
 Keep expressions readable. If a step needs complicated parsing logic, first ask whether the scenario wording should be simpler.
 ### 5. Keep step definitions thin and meaningful
 Step definitions are glue between Gherkin and automation, not a second abstraction language.
 For Dify:
 - type `this` as `DifyWorld`
 - use `async function`
 - keep each step to one user-visible action or assertion
 - rely on `DifyWorld` and existing support code for shared context
 - avoid leaking cross-scenario state
 ### 6. Use tags intentionally
 Tags should communicate run scope or session semantics, not become ad hoc metadata.
 In Dify's current suite:
 - capability tags group related scenarios
 - `@unauthenticated` changes session behavior
 - `@authenticated` is descriptive/selective, not a behavior switch by itself
 - `@fresh` belongs to reset/full-install flows only
 If a proposed tag implies behavior, verify that hooks or runner configuration actually implement it.
 ## Review Questions
 - Does the scenario read like a real example of product behavior?
 - Are the steps behavior-oriented instead of implementation-oriented?
 - Is a reused step still truthful in this feature?
 - Is a new tag documenting real behavior, or inventing semantics that the suite does not implement?
 - Would a new reader understand the outcome without opening the step-definition file?
--- a/.agents/skills/e2e-cucumber-playwright/references/playwright-best-practices.md
+++ b/.agents/skills/e2e-cucumber-playwright/references/playwright-best-practices.md
@ -1,96 +0,0 @@
 # Playwright Best Practices For Dify E2E
 Use this reference when writing or reviewing locator, assertion, isolation, or synchronization logic for Dify's Cucumber-based E2E suite.
 Official sources:
 - https://playwright.dev/docs/best-practices
 - https://playwright.dev/docs/locators
 - https://playwright.dev/docs/test-assertions
 - https://playwright.dev/docs/browser-contexts
 ## What Matters Most
 ### 1. Keep scenarios isolated
 Playwright's model is built around clean browser contexts so one test does not leak into another. In Dify's suite, that principle maps to per-scenario session setup in `features/support/hooks.ts` and `DifyWorld`.
 Apply it like this:
 - do not depend on another scenario having run first
 - do not persist ad hoc scenario state outside `DifyWorld`
 - do not couple ordinary scenarios to `@fresh` behavior
 - when a flow needs special auth/session semantics, express that through the existing tag model or explicit hook changes
 ### 2. Prefer user-facing locators
 Playwright recommends built-in locators that reflect what users perceive on the page.
 Preferred order in this repository:
 1. `getByRole`
 2. `getByLabel`
 3. `getByPlaceholder`
 4. `getByText`
 5. `getByTestId` when an explicit test contract is the most stable option
 Avoid raw CSS/XPath selectors unless no stable user-facing contract exists and adding one is not practical.
 Also remember:
 - repeated content usually needs scoping to a stable container
 - exact text matching is often too brittle when role/name or label already exists
 - `getByTestId` is acceptable when semantics are weak but the contract is intentional
 ### 3. Use web-first assertions
 Playwright assertions auto-wait and retry. Prefer them over manual state inspection.
 Prefer:
 - `await expect(page).toHaveURL(...)`
 - `await expect(locator).toBeVisible()`
 - `await expect(locator).toBeHidden()`
 - `await expect(locator).toBeEnabled()`
 - `await expect(locator).toHaveText(...)`
 Avoid:
 - `expect(await locator.isVisible()).toBe(true)`
 - custom polling loops for DOM state
 - `waitForTimeout` as synchronization
 If a condition genuinely needs custom retry logic, use Playwright's polling/assertion tools deliberately and keep that choice local and explicit.
 ### 4. Let actions wait for actionability
 Locator actions already wait for the element to be actionable. Do not preface every click/fill with extra timing logic unless the action needs a specific visible/ready assertion for clarity.
 Good pattern:
 - assert a meaningful visible state when that is part of the behavior
 - then click/fill/select via locator APIs
 Bad pattern:
 - stack arbitrary waits before every action
 - wait on unstable implementation details instead of the visible state the user cares about
 ### 5. Match debugging to the current suite
 Playwright's wider ecosystem supports traces and rich debugging tools. Dify's current suite already captures:
 - full-page screenshots
 - page HTML
 - console errors
 - page errors
 Use the existing artifact flow by default. If a task is specifically about improving diagnostics, confirm the change fits the current Cucumber architecture before importing broader Playwright tooling.
 ## Review Questions
 - Would this locator survive DOM refactors that do not change user-visible behavior?
 - Is this assertion using Playwright's retrying semantics?
 - Is any explicit wait masking a real readiness problem?
 - Does this code preserve per-scenario isolation?
 - Is a new abstraction really needed, or does it bypass the existing `DifyWorld` + step-definition model?
--- a/.agents/skills/frontend-code-review/references/performance.md
+++ b/.agents/skills/frontend-code-review/references/performance.md
@ -9,18 +9,18 @@ Category: Performance
 When rendering React Flow, prefer `useNodes`/`useEdges` for UI consumption and rely on `useStoreApi` inside callbacks that mutate or read node/edge state. Avoid manually pulling Flow data outside of these hooks.
-## Complex prop stability
+## Complex prop memoization
-IsUrgent: False
+IsUrgent: True
 Category: Performance
 ### Description
-Only require stable object, array, or map props when there is a clear reason: the child is memoized, the value participates in effect/query dependencies, the value is part of a stable-reference API contract, or profiling/local behavior shows avoidable re-renders. Do not request `useMemo` for every inline object by default; `how-to-write-component` treats memoization as a targeted optimization.
+Wrap complex prop values (objects, arrays, maps) in `useMemo` prior to passing them into child components to guarantee stable references and prevent unnecessary renders.
 Update this file when adding, editing, or removing Performance rules so the catalog remains accurate.
-Risky:
+Wrong:
 ```tsx
 <HeavyComp
@ -31,7 +31,7 @@ Risky:
 />
 ```
-Better when stable identity matters:
+Right:
 ```tsx
 const config = useMemo(() => ({
--- a/.agents/skills/frontend-query-mutation/SKILL.md
+++ b/.agents/skills/frontend-query-mutation/SKILL.md
@ -0,0 +1,44 @@
 ---
 name: frontend-query-mutation
 description: Guide for implementing Dify frontend query and mutation patterns with TanStack Query and oRPC. Trigger when creating or updating contracts in web/contract, wiring router composition, consuming consoleQuery or marketplaceQuery in components or services, deciding whether to call queryOptions() directly or extract a helper or use-* hook, handling conditional queries, cache invalidation, mutation error handling, or migrating legacy service calls to contract-first query and mutation helpers.
 ---
 # Frontend Query & Mutation
 ## Intent
 - Keep contract as the single source of truth in `web/contract/*`.
 - Prefer contract-shaped `queryOptions()` and `mutationOptions()`.
 - Keep invalidation and mutation flow knowledge in the service layer.
 - Keep abstractions minimal to preserve TypeScript inference.
 ## Workflow
 1. Identify the change surface.
   - Read `references/contract-patterns.md` for contract files, router composition, client helpers, and query or mutation call-site shape.
   - Read `references/runtime-rules.md` for conditional queries, invalidation, error handling, and legacy migrations.
   - Read both references when a task spans contract shape and runtime behavior.
 2. Implement the smallest abstraction that fits the task.
   - Default to direct `useQuery(...)` or `useMutation(...)` calls with oRPC helpers at the call site.
   - Extract a small shared query helper only when multiple call sites share the same extra options.
   - Create `web/service/use-{domain}.ts` only for orchestration or shared domain behavior.
 3. Preserve Dify conventions.
   - Keep contract inputs in `{ params, query?, body? }` shape.
   - Bind invalidation in the service-layer mutation definition.
   - Prefer `mutate(...)`; use `mutateAsync(...)` only when Promise semantics are required.
 ## Files Commonly Touched
 - `web/contract/console/*.ts`
 - `web/contract/marketplace.ts`
 - `web/contract/router.ts`
 - `web/service/client.ts`
 - `web/service/use-*.ts`
 - component and hook call sites using `consoleQuery` or `marketplaceQuery`
 ## References
 - Use `references/contract-patterns.md` for contract shape, router registration, query and mutation helpers, and anti-patterns that degrade inference.
 - Use `references/runtime-rules.md` for conditional queries, invalidation, `mutate` versus `mutateAsync`, and legacy migration rules.
 Treat this skill as the single query and mutation entry point for Dify frontend work. Keep detailed rules in the reference files instead of duplicating them in project docs.
--- a/.agents/skills/frontend-query-mutation/agents/openai.yaml
+++ b/.agents/skills/frontend-query-mutation/agents/openai.yaml
@ -0,0 +1,4 @@
 interface:
  display_name: "Frontend Query & Mutation"
  short_description: "Dify TanStack Query and oRPC patterns"
  default_prompt: "Use this skill when implementing or reviewing Dify frontend contracts, query and mutation call sites, conditional queries, invalidation, or legacy query/mutation migrations."
--- a/.agents/skills/frontend-query-mutation/references/contract-patterns.md
+++ b/.agents/skills/frontend-query-mutation/references/contract-patterns.md
@ -0,0 +1,98 @@
 # Contract Patterns
 ## Table of Contents
 - Intent
 - Minimal structure
 - Core workflow
 - Query usage decision rule
 - Mutation usage decision rule
 - Anti-patterns
 - Contract rules
 - Type export
 ## Intent
 - Keep contract as the single source of truth in `web/contract/*`.
 - Default query usage to call-site `useQuery(consoleQuery|marketplaceQuery.xxx.queryOptions(...))` when endpoint behavior maps 1:1 to the contract.
 - Keep abstractions minimal and preserve TypeScript inference.
 ## Minimal Structure
 ```text
 web/contract/
 ├── base.ts
 ├── router.ts
 ├── marketplace.ts
 └── console/
    ├── billing.ts
    └── ...other domains
 web/service/client.ts
 ```
 ## Core Workflow
 1. Define contract in `web/contract/console/{domain}.ts` or `web/contract/marketplace.ts`.
   - Use `base.route({...}).output(type<...>())` as the baseline.
   - Add `.input(type<...>())` only when the request has `params`, `query`, or `body`.
   - For `GET` without input, omit `.input(...)`; do not use `.input(type<unknown>())`.
 2. Register contract in `web/contract/router.ts`.
   - Import directly from domain files and nest by API prefix.
 3. Consume from UI call sites via oRPC query utilities.
 ```typescript
 import { useQuery } from '@tanstack/react-query'
 import { consoleQuery } from '@/service/client'
 const invoiceQuery = useQuery(consoleQuery.billing.invoices.queryOptions({
  staleTime: 5 * 60 * 1000,
  throwOnError: true,
  select: invoice => invoice.url,
 }))
 ```
 ## Query Usage Decision Rule
 1. Default to direct `*.queryOptions(...)` usage at the call site.
 2. If 3 or more call sites share the same extra options, extract a small query helper, not a `use-*` passthrough hook.
 3. Create `web/service/use-{domain}.ts` only for orchestration.
   - Combine multiple queries or mutations.
   - Share domain-level derived state or invalidation helpers.
 ```typescript
 const invoicesBaseQueryOptions = () =>
  consoleQuery.billing.invoices.queryOptions({ retry: false })
 const invoiceQuery = useQuery({
  ...invoicesBaseQueryOptions(),
  throwOnError: true,
 })
 ```
 ## Mutation Usage Decision Rule
 1. Default to mutation helpers from `consoleQuery` or `marketplaceQuery`, for example `useMutation(consoleQuery.billing.bindPartnerStack.mutationOptions(...))`.
 2. If the mutation flow is heavily custom, use oRPC clients as `mutationFn`, for example `consoleClient.xxx` or `marketplaceClient.xxx`, instead of handwritten non-oRPC mutation logic.
 ## Anti-Patterns
 - Do not wrap `useQuery` with `options?: Partial<UseQueryOptions>`.
 - Do not split local `queryKey` and `queryFn` when oRPC `queryOptions` already exists and fits the use case.
 - Do not create thin `use-*` passthrough hooks for a single endpoint.
 - These patterns can degrade inference, especially around `throwOnError` and `select`, and add unnecessary indirection.
 ## Contract Rules
 - Input structure: always use `{ params, query?, body? }`.
 - No-input `GET`: omit `.input(...)`; do not use `.input(type<unknown>())`.
 - Path params: use `{paramName}` in the path and match it in the `params` object.
 - Router nesting: group by API prefix, for example `/billing/*` becomes `billing: {}`.
 - No barrel files: import directly from specific files.
 - Types: import from `@/types/` and use the `type<T>()` helper.
 - Mutations: prefer `mutationOptions`; use explicit `mutationKey` mainly for defaults, filtering, and devtools.
 ## Type Export
 ```typescript
 export type ConsoleInputs = InferContractRouterInputs<typeof consoleRouterContract>
 ```
--- a/.agents/skills/frontend-query-mutation/references/runtime-rules.md
+++ b/.agents/skills/frontend-query-mutation/references/runtime-rules.md
@ -0,0 +1,130 @@
 # Runtime Rules
 ## Table of Contents
 - Conditional queries
 - Cache invalidation
 - Key API guide
 - `mutate` vs `mutateAsync`
 - Legacy migration
 ## Conditional Queries
 Prefer contract-shaped `queryOptions(...)`.
 When required input is missing, prefer `input: skipToken` instead of placeholder params or non-null assertions.
 Use `enabled` only for extra business gating after the input itself is already valid.
 ```typescript
 import { skipToken, useQuery } from '@tanstack/react-query'
 // Disable the query by skipping input construction.
 function useAccessMode(appId: string | undefined) {
  return useQuery(consoleQuery.accessControl.appAccessMode.queryOptions({
    input: appId
      ? { params: { appId } }
      : skipToken,
  }))
 }
 // Avoid runtime-only guards that bypass type checking.
 function useBadAccessMode(appId: string | undefined) {
  return useQuery(consoleQuery.accessControl.appAccessMode.queryOptions({
    input: { params: { appId: appId! } },
    enabled: !!appId,
  }))
 }
 ```
 ## Cache Invalidation
 Bind invalidation in the service-layer mutation definition.
 Components may add UI feedback in call-site callbacks, but they should not decide which queries to invalidate.
 Use:
 - `.key()` for namespace or prefix invalidation
 - `.queryKey(...)` only for exact cache reads or writes such as `getQueryData` and `setQueryData`
 - `queryClient.invalidateQueries(...)` in mutation `onSuccess`
 Do not use deprecated `useInvalid` from `use-base.ts`.
 ```typescript
 // Service layer owns cache invalidation.
 export const useUpdateAccessMode = () => {
  const queryClient = useQueryClient()
  return useMutation(consoleQuery.accessControl.updateAccessMode.mutationOptions({
    onSuccess: () => {
      queryClient.invalidateQueries({
        queryKey: consoleQuery.accessControl.appWhitelistSubjects.key(),
      })
    },
  }))
 }
 // Component only adds UI behavior.
 updateAccessMode({ appId, mode }, {
  onSuccess: () => toast.success('...'),
 })
 // Avoid putting invalidation knowledge in the component.
 mutate({ appId, mode }, {
  onSuccess: () => {
    queryClient.invalidateQueries({
      queryKey: consoleQuery.accessControl.appWhitelistSubjects.key(),
    })
  },
 })
 ```
 ## Key API Guide
 - `.key(...)`
  - Use for partial matching operations.
  - Prefer it for invalidation, refetch, and cancel patterns.
  - Example: `queryClient.invalidateQueries({ queryKey: consoleQuery.billing.key() })`
 - `.queryKey(...)`
  - Use for a specific query's full key.
  - Prefer it for exact cache addressing and direct reads or writes.
 - `.mutationKey(...)`
  - Use for a specific mutation's full key.
  - Prefer it for mutation defaults registration, mutation-status filtering, and devtools grouping.
 ## `mutate` vs `mutateAsync`
 Prefer `mutate` by default.
 Use `mutateAsync` only when Promise semantics are truly required, such as parallel mutations or sequential steps with result dependencies.
 Rules:
 - Event handlers should usually call `mutate(...)` with `onSuccess` or `onError`.
 - Every `await mutateAsync(...)` must be wrapped in `try/catch`.
 - Do not use `mutateAsync` when callbacks already express the flow clearly.
 ```typescript
 // Default case.
 mutation.mutate(data, {
  onSuccess: result => router.push(result.url),
 })
 // Promise semantics are required.
 try {
  const order = await createOrder.mutateAsync(orderData)
  await confirmPayment.mutateAsync({ orderId: order.id, token })
  router.push(`/orders/${order.id}`)
 }
 catch (error) {
  toast.error(error instanceof Error ? error.message : 'Unknown error')
 }
 ```
 ## Legacy Migration
 When touching old code, migrate it toward these rules:
 | Old pattern | New pattern |
 |---|---|
 | `useInvalid(key)` in service layer | `queryClient.invalidateQueries(...)` inside mutation `onSuccess` |
 | component-triggered invalidation after mutation | move invalidation into the service-layer mutation definition |
 | imperative fetch plus manual invalidation | wrap it in `useMutation(...mutationOptions(...))` |
 | `await mutateAsync()` without `try/catch` | switch to `mutate(...)` or add `try/catch` |
--- a/.agents/skills/frontend-testing/SKILL.md
+++ b/.agents/skills/frontend-testing/SKILL.md
@ -5,7 +5,7 @@ description: Generate Vitest + React Testing Library tests for Dify frontend com
 # Dify Frontend Testing Skill
-This skill enables Codex to generate high-quality, comprehensive frontend tests for the Dify project following established conventions and best practices.
+This skill enables Claude to generate high-quality, comprehensive frontend tests for the Dify project following established conventions and best practices.
 > **⚠️ Authoritative Source**: This skill is derived from `web/docs/test.md`. Use Vitest mock/timer APIs (`vi.*`).
@ -24,27 +24,35 @@ Apply this skill when the user:
 **Do NOT apply** when:
 - User is asking about backend/API tests (Python/pytest)
- User is asking about E2E tests (Cucumber + Playwright under `e2e/`)
+- User is asking about E2E tests (Playwright/Cypress)
 - User is only asking conceptual questions without code context
 ## Quick Reference
-### Key Commands
+### Tech Stack
-Run these commands from `web/`. From the repository root, prefix them with `pnpm -C web`.
+| Tool | Version | Purpose |
 |------|---------|---------|
 | Vitest | 4.0.16 | Test runner |
 | React Testing Library | 16.0 | Component testing |
 | jsdom | - | Test environment |
 | nock | 14.0 | HTTP mocking |
 | TypeScript | 5.x | Type safety |
 ### Key Commands
 ```bash
 # Run all tests
 pnpm test
 # Watch mode
-pnpm test --watch
+pnpm test:watch
 # Run specific file
 pnpm test path/to/file.spec.tsx
 # Generate coverage report
-pnpm test --coverage
+pnpm test:coverage
 # Analyze component complexity
 pnpm analyze-component <path>
@ -192,7 +200,7 @@ When assigned to test a directory/path, test **ALL content** within that path:
 - ✅ **Import real project components** directly (including base components and siblings)
 - ✅ **Only mock**: API services (`@/service/*`), `next/navigation`, complex context providers
- ❌ **DO NOT mock** base components (`@/app/components/base/*`) or dify-ui primitives (`@langgenius/dify-ui/*`)
+- ❌ **DO NOT mock** base components (`@/app/components/base/*`)
 - ❌ **DO NOT mock** sibling/child components in the same directory
 > See [Test Structure Template](#test-structure-template) for correct import/mock patterns.
@ -220,10 +228,7 @@ Every test should clearly separate:
 ### 2. Black-Box Testing
 - Test observable behavior, not implementation details
- Use semantic queries (`getByRole` with accessible `name`, `getByLabelText`, `getByPlaceholderText`, `getByText`, and scoped `within(...)`)
+- Use semantic queries (getByRole, getByLabelText)
 - Treat `getByTestId` as a last resort. If a control cannot be found by role/name, label, landmark, or dialog scope, fix the component accessibility first instead of adding or relying on `data-testid`.
 - Remove production `data-testid` attributes when semantic selectors can cover the behavior. Keep them only for non-visual mocked boundaries, editor/browser shims such as Monaco, canvas/chart output, or third-party widgets with no accessible DOM in the test environment.
 - Do not assert decorative icons by test id. Assert the named control that contains them, or mark decorative icons `aria-hidden`.
 - Avoid testing internal state directly
 - **Prefer pattern matching over hardcoded strings** in assertions:
@ -320,12 +325,12 @@ For more detailed information, refer to:
 ### Reference Examples in Codebase
 - `web/utils/classnames.spec.ts` - Utility function tests
- `web/app/components/base/radio/__tests__/index.spec.tsx` - Component tests
+- `web/app/components/base/button/index.spec.tsx` - Component tests
 - `web/__mocks__/provider-context.ts` - Mock factory example
 ### Project Configuration
- `web/vite.config.ts` - Vite/Vitest configuration
+- `web/vitest.config.ts` - Vitest configuration
 - `web/vitest.setup.ts` - Test environment setup
 - `web/scripts/analyze-component.js` - Component analysis tool
 - Modules are not mocked automatically. Global mocks live in `web/vitest.setup.ts` (for example `react-i18next`, `next/image`); mock other modules like `ky` or `mime` locally in test files.
--- a/.agents/skills/frontend-testing/references/checklist.md
+++ b/.agents/skills/frontend-testing/references/checklist.md
@ -36,7 +36,7 @@ Use this checklist when generating or reviewing tests for Dify frontend componen
 ### Integration vs Mocking
- [ ] **DO NOT mock base components or dify-ui primitives** (base `Loading`, `Input`, `Badge`; dify-ui `Button`, `Tooltip`, `Dialog`, etc.)
+- [ ] **DO NOT mock base components** (`Loading`, `Button`, `Tooltip`, etc.)
 - [ ] Import real project components instead of mocking
 - [ ] Only mock: API calls, complex context providers, third-party libs with side effects
 - [ ] Prefer integration testing when using single spec file
@ -73,7 +73,7 @@ Use this checklist when generating or reviewing tests for Dify frontend componen
 ### Mocks
- [ ] **DO NOT mock base components or dify-ui primitives** (`@/app/components/base/*` or `@langgenius/dify-ui/*`)
+- [ ] **DO NOT mock base components** (`@/app/components/base/*`)
 - [ ] `vi.clearAllMocks()` in `beforeEach` (not `afterEach`)
 - [ ] Shared mock state reset in `beforeEach`
 - [ ] i18n uses global mock (auto-loaded in `web/vitest.setup.ts`); only override locally for custom translations
@ -127,7 +127,7 @@ For the current file being tested:
 - [ ] Run full directory test: `pnpm test path/to/directory/`
 - [ ] Check coverage report: `pnpm test:coverage`
 - [ ] Run `pnpm lint:fix` on all test files
- [ ] Run `pnpm type-check`
+- [ ] Run `pnpm type-check:tsgo`
 ## Common Issues to Watch
--- a/.agents/skills/frontend-testing/references/mocking.md
+++ b/.agents/skills/frontend-testing/references/mocking.md
@ -2,27 +2,29 @@
 ## ⚠️ Important: What NOT to Mock
-### DO NOT Mock Base Components or dify-ui Primitives
+### DO NOT Mock Base Components
-**Never mock components from `@/app/components/base/` or from `@langgenius/dify-ui/*`** such as:
+**Never mock components from `@/app/components/base/`** such as:
- Legacy base (`@/app/components/base/*`): `Loading`, `Spinner`, `Input`, `Badge`, `Tag`
+- `Loading`, `Spinner`
- dify-ui primitives (`@langgenius/dify-ui/*`): `Button`, `Tooltip`, `Dialog`, `Popover`, `DropdownMenu`, `ContextMenu`, `Select`, `AlertDialog`, `Toast`
+- `Button`, `Input`, `Select`
 - `Tooltip`, `Modal`, `Dropdown`
 - `Icon`, `Badge`, `Tag`
 **Why?**
- These components have their own dedicated tests
+- Base components will have their own dedicated tests
 - Mocking them creates false positives (tests pass but real integration fails)
 - Using real components tests actual integration behavior
 ```typescript
-// ❌ WRONG: Don't mock base components or dify-ui primitives
+// ❌ WRONG: Don't mock base components
 vi.mock('@/app/components/base/loading', () => () => <div>Loading</div>)
-vi.mock('@langgenius/dify-ui/button', () => ({ Button: ({ children }: any) => <button>{children}</button> }))
+vi.mock('@/app/components/base/button', () => ({ children }: any) => <button>{children}</button>)
-// ✅ CORRECT: Import and use the real components
+// ✅ CORRECT: Import and use real base components
 import Loading from '@/app/components/base/loading'
-import { Button } from '@langgenius/dify-ui/button'
+import Button from '@/app/components/base/button'
 // They will render normally in tests
 ```
@ -56,7 +58,7 @@ See [Zustand Store Testing](#zustand-store-testing) section for full details.
 | Location | Purpose |
 |----------|---------|
-| `web/vitest.setup.ts` | Global mocks shared by all tests (`react-i18next`, `zustand`, clipboard, FloatingPortal, Monaco, localStorage`) |
+| `web/vitest.setup.ts` | Global mocks shared by all tests (`react-i18next`, `next/image`, `zustand`) |
 | `web/__mocks__/zustand.ts` | Zustand mock implementation (auto-resets stores after each test) |
 | `web/__mocks__/` | Reusable mock factories shared across multiple test files |
 | Test file | Test-specific mocks, inline with `vi.mock()` |
@ -216,21 +218,28 @@ describe('Component', () => {
 })
 ```
-### 5. HTTP and `fetch` Mocking
+### 5. HTTP Mocking with Nock
 ```typescript
 import nock from 'nock'
 const GITHUB_HOST = 'https://api.github.com'
 const GITHUB_PATH = '/repos/owner/repo'
 const mockGithubApi = (status: number, body: Record<string, unknown>, delayMs = 0) => {
  return nock(GITHUB_HOST)
    .get(GITHUB_PATH)
    .delay(delayMs)
    .reply(status, body)
 }
 describe('GithubComponent', () => {
-  beforeEach(() => {
+  afterEach(() => {
-    vi.clearAllMocks()
+    nock.cleanAll()
  })
  it('should display repo info', async () => {
-    vi.mocked(globalThis.fetch).mockResolvedValueOnce(
+    mockGithubApi(200, { name: 'dify', stars: 1000 })
      new Response(JSON.stringify({ name: 'dify', stars: 1000 }), {
        status: 200,
        headers: { 'Content-Type': 'application/json' },
      }),
    )
    render(<GithubComponent />)
@ -240,12 +249,7 @@ describe('GithubComponent', () => {
  })
  it('should handle API error', async () => {
-    vi.mocked(globalThis.fetch).mockResolvedValueOnce(
+    mockGithubApi(500, { message: 'Server error' })
      new Response(JSON.stringify({ message: 'Server error' }), {
        status: 500,
        headers: { 'Content-Type': 'application/json' },
      }),
    )
    render(<GithubComponent />)
@ -256,8 +260,6 @@ describe('GithubComponent', () => {
 })
 ```
 Prefer mocking `@/service/*` modules or spying on `global.fetch` / `ky` clients with deterministic responses. Do not introduce an HTTP interception dependency such as `nock` or MSW unless it is already declared in the workspace or adding it is part of the task.
 ### 6. Context Providers
 ```typescript
@ -317,7 +319,7 @@ const renderWithQueryClient = (ui: React.ReactElement) => {
 ### ✅ DO
-1. **Use real base components and dify-ui primitives** - Import from `@/app/components/base/` or `@langgenius/dify-ui/*` directly
+1. **Use real base components** - Import from `@/app/components/base/` directly
 1. **Use real project components** - Prefer importing over mocking
 1. **Use real Zustand stores** - Set test state via `store.setState()`
 1. **Reset mocks in `beforeEach`**, not `afterEach`
@ -328,11 +330,11 @@ const renderWithQueryClient = (ui: React.ReactElement) => {
 ### ❌ DON'T
-1. **Don't mock base components or dify-ui primitives** (`Loading`, `Input`, `Button`, `Tooltip`, `Dialog`, etc.)
+1. **Don't mock base components** (`Loading`, `Button`, `Tooltip`, etc.)
 1. **Don't mock Zustand store modules** - Use real stores with `setState()`
 1. Don't mock components you can import directly
 1. Don't create overly simplified mocks that miss conditional logic
-1. Don't leave HTTP mocks or service mock state leaking between tests
+1. Don't forget to clean up nock after each test
 1. Don't use `any` types in mocks without necessity
 ### Mock Decision Tree
@ -340,7 +342,7 @@ const renderWithQueryClient = (ui: React.ReactElement) => {
 ```
 Need to use a component in test?
 │
-├─ Is it from @/app/components/base/* or @langgenius/dify-ui/*?
+├─ Is it from @/app/components/base/*?
 │  └─ YES → Import real component, DO NOT mock
 │
 ├─ Is it a project component?
--- a/.agents/skills/frontend-testing/references/workflow.md
+++ b/.agents/skills/frontend-testing/references/workflow.md
@ -227,12 +227,12 @@ Failing tests compound:
 **Fix failures immediately before proceeding.**
-## Integration with Codex's Todo Feature
+## Integration with Claude's Todo Feature
-When using Codex for multi-file testing:
+When using Claude for multi-file testing:
-1. **Create a todo list** before starting
+1. **Ask Claude to create a todo list** before starting
-1. **Process one file at a time**
+1. **Request one file at a time** or ensure Claude processes incrementally
 1. **Verify each test passes** before asking for the next
 1. **Mark todos complete** as you progress
--- a/.agents/skills/how-to-write-component/SKILL.md
+++ b/.agents/skills/how-to-write-component/SKILL.md
@ -1,71 +0,0 @@
 ---
 name: how-to-write-component
 description: React/TypeScript component style guide. Use when writing, refactoring, or reviewing React components, especially around props typing, state boundaries, shared local state with Jotai atoms, API types, query/mutation contracts, navigation, memoization, wrappers, and empty-state handling.
 ---
 # How To Write A Component
 Use this as the decision guide for React/TypeScript component structure. Existing code is reference material, not automatic precedent; when it conflicts with these rules, adapt the approach instead of reproducing the violation.
 ## Core Defaults
 - Search before adding UI, hooks, helpers, or styling patterns. Reuse existing base components, feature components, hooks, utilities, and design styles when they fit.
 - Group code by feature workflow, route, or ownership area: components, hooks, local types, query helpers, atoms, constants, and small utilities should live near the code that changes with them.
 - Promote code to shared only when multiple verticals need the same stable primitive. Otherwise keep it local and compose shared primitives inside the owning feature.
 - Use Tailwind CSS v4.1+ rules via the `tailwind-css-rules` skill. Prefer v4 utilities, `gap`, `text-size/line-height`, `min-h-dvh`, and avoid deprecated utilities and `@apply`.
 ## Ownership
 - Put local state, queries, mutations, handlers, and derived UI data in the lowest component that uses them. Extract a purpose-built owner component only when the logic has no natural home.
 - Repeated TanStack query calls in sibling components are acceptable when each component independently consumes the data. Do not hoist a query only because it is duplicated; TanStack Query handles deduplication and cache sharing.
 - Hoist state, queries, or callbacks to a parent only when the parent consumes the data, coordinates shared loading/error/empty UI, needs one consistent snapshot, or owns a workflow spanning children.
 - Avoid prop drilling. One pass-through layer is acceptable; repeated forwarding means ownership should move down or into feature-scoped Jotai UI state. Keep server/cache state in query and API data flow.
 - Keep callbacks in a parent only for workflow coordination such as form submission, shared selection, batch behavior, or navigation. Otherwise let the child or row own its action.
 - Prefer uncontrolled DOM state and CSS variables before adding controlled props.
 ## Components, Props, And Types
 - Type component signatures directly; do not use `FC` or `React.FC`.
 - Prefer `function` for top-level components and module helpers. Use arrow functions for local callbacks, handlers, and lambda-style APIs.
 - Prefer named exports. Use default exports only where the framework requires them, such as Next.js route files.
 - Type simple one-off props inline. Use a named `Props` type only when reused, exported, complex, or clearer.
 - Use API-generated or API-returned types at component boundaries. Keep small UI conversion helpers beside the component that needs them.
 - Name values by their domain role and backend API contract, and keep that name stable across the call chain, especially IDs like `appInstanceId`. Normalize framework or route params at the boundary.
 - Keep fallback and invariant checks at the lowest component that already handles that state; callers should pass raw values through instead of duplicating checks.
 ## Queries And Mutations
 - Keep `web/contract/*` as the single source of truth for API shape; follow existing domain/router patterns and the `{ params, query?, body? }` input shape.
 - Consume queries directly with `useQuery(consoleQuery.xxx.queryOptions(...))` or `useQuery(marketplaceQuery.xxx.queryOptions(...))`.
 - Avoid pass-through hooks and thin `web/service/use-*` wrappers that only rename `queryOptions()` or `mutationOptions()`. Extract a small `queryOptions` helper only when repeated call-site options justify it.
 - Keep feature hooks for real orchestration, workflow state, or shared domain behavior.
 - For missing required query input, use `input: skipToken`; use `enabled` only for extra business gating after the input is valid.
 - Consume mutations directly with `useMutation(consoleQuery.xxx.mutationOptions(...))` or `useMutation(marketplaceQuery.xxx.mutationOptions(...))`; use oRPC clients as `mutationFn` only for custom flows.
 - Put shared cache behavior in `createTanstackQueryUtils(...experimental_defaults...)`; components may add UI feedback callbacks, but should not own shared invalidation rules.
 - Do not use deprecated `useInvalid` or `useReset`.
 - Prefer `mutate(...)`; use `mutateAsync(...)` only when Promise semantics are required, and wrap awaited calls in `try/catch`.
 ## Component Boundaries
 - Use the first level below a page or tab to organize independent page sections when it adds real structure. This layer is layout/semantic first, not automatically the data owner.
 - Split deeper components by the data and state each layer actually needs. Each component should access only necessary data, and ownership should stay at the lowest consumer.
 - Keep cohesive forms, menu bodies, and one-off helpers local unless they need their own state, reuse, or semantic boundary.
 - Separate hidden secondary surfaces from the trigger's main flow. For dialogs, dropdowns, popovers, and similar branches, extract a small local component that owns the trigger, open state, and hidden content when it would obscure the parent flow.
 - Preserve composability by separating behavior ownership from layout ownership. A dropdown action may own its trigger, open state, and menu content; the caller owns placement such as slots, offsets, and alignment.
 - Avoid unnecessary DOM hierarchy. Do not add wrapper elements unless they provide layout, semantics, accessibility, state ownership, or integration with a library API; prefer fragments or styling an existing element when possible.
 - Avoid shallow wrappers and prop renaming unless the wrapper adds validation, orchestration, error handling, state ownership, or a real semantic boundary.
 ## You Might Not Need An Effect
 - Use Effects only to synchronize with external systems such as browser APIs, non-React widgets, subscriptions, timers, analytics that must run because the component was shown, or imperative DOM integration.
 - Do not use Effects to transform props or state for rendering. Calculate derived values during render, and use `useMemo` only when the calculation is actually expensive.
 - Do not use Effects to handle user actions. Put action-specific logic in the event handler where the cause is known.
 - Do not use Effects to copy one state value into another state value representing the same concept. Pick one source of truth and derive the rest during render.
 - Do not reset or adjust state from props with an Effect. Prefer a `key` reset, storing a stable ID and deriving the selected object, or guarded same-component render-time adjustment when truly necessary.
 - Prefer framework data APIs or TanStack Query for data fetching instead of writing request Effects in components.
 - If an Effect still seems necessary, first name the external system it synchronizes with. If there is no external system, remove the Effect and restructure the state or event flow.
 ## Navigation And Performance
 - Prefer `Link` for normal navigation. Use router APIs only for command-flow side effects such as mutation success, guarded redirects, or form submission.
 - Avoid `memo`, `useMemo`, and `useCallback` unless there is a clear performance reason.
--- a/.agents/skills/tailwind-css-rules/SKILL.md
+++ b/.agents/skills/tailwind-css-rules/SKILL.md
@ -1,367 +0,0 @@
 ---
 name: tailwind-css-rules
 description: Tailwind CSS v4.1+ rules and best practices. Use when writing, reviewing, refactoring, or upgrading Tailwind CSS classes and styles, especially v4 utility migrations, layout spacing, typography, responsive variants, dark mode, gradients, CSS variables, and component styling.
 ---
 # Tailwind CSS Rules and Best Practices
 ## Core Principles
 - **Always use Tailwind CSS v4.1+** - Ensure the codebase is using the latest version
 - **Do not use deprecated or removed utilities** - ALWAYS use the replacement
 - **Never use `@apply`** - Use CSS variables, the `--spacing()` function, or framework components instead
 - **Check for redundant classes** - Remove any classes that aren't necessary
 - **Group elements logically** to simplify responsive tweaks later
 ## Upgrading to Tailwind CSS v4
 ### Before Upgrading
 - **Always read the upgrade documentation first** - Read https://tailwindcss.com/docs/upgrade-guide and https://tailwindcss.com/blog/tailwindcss-v4 before starting an upgrade.
 - Ensure the git repository is in a clean state before starting
 ### Upgrade Process
 1. Run the upgrade command: `npx @tailwindcss/upgrade@latest` for both major and minor updates
 2. The tool will convert JavaScript config files to the new CSS format
 3. Review all changes extensively to clean up any false positives
 4. Test thoroughly across your application
 ## Breaking Changes Reference
 ### Removed Utilities (NEVER use these in v4)
 | ❌ Deprecated           | ✅ Replacement                                    |
 | ----------------------- | ------------------------------------------------- |
 | `bg-opacity-*`          | Use opacity modifiers like `bg-black/50`          |
 | `text-opacity-*`        | Use opacity modifiers like `text-black/50`        |
 | `border-opacity-*`      | Use opacity modifiers like `border-black/50`      |
 | `divide-opacity-*`      | Use opacity modifiers like `divide-black/50`      |
 | `ring-opacity-*`        | Use opacity modifiers like `ring-black/50`        |
 | `placeholder-opacity-*` | Use opacity modifiers like `placeholder-black/50` |
 | `flex-shrink-*`         | `shrink-*`                                        |
 | `flex-grow-*`           | `grow-*`                                          |
 | `overflow-ellipsis`     | `text-ellipsis`                                   |
 | `decoration-slice`      | `box-decoration-slice`                            |
 | `decoration-clone`      | `box-decoration-clone`                            |
 ### Renamed Utilities
 Use the v4 name when migrating code that still carries Tailwind v3 semantics. Do not blanket-replace existing v4 classes: classes such as `rounded-sm`, `shadow-sm`, `ring-1`, and `ring-2` are valid in this codebase when they intentionally represent the current design scale.
 | ❌ v3 pattern       | ✅ v4 pattern                                      |
 | ------------------- | -------------------------------------------------- |
 | `bg-gradient-*`     | `bg-linear-*`                                      |
 | old shadow scale    | verify against the current Tailwind/design scale   |
 | old blur scale      | verify against the current Tailwind/design scale   |
 | old radius scale    | use the Dify radius token mapping when applicable  |
 | `outline-none`      | `outline-hidden`                                   |
 | bare `ring` utility | use an explicit ring width such as `ring-1`/`ring-2`/`ring-3` |
 For Figma radius tokens, follow `packages/dify-ui/AGENTS.md`. For example, `--radius/xs` maps to `rounded-sm`; do not rewrite it to `rounded-xs`.
 ## Layout and Spacing Rules
 ### Flexbox and Grid Spacing
 #### Always use gap utilities for internal spacing
 Gap provides consistent spacing without edge cases (no extra space on last items). It's cleaner and more maintainable than margins on children.
 ```html
 <!-- ❌ Don't do this -->
 <div class="flex">
  <div class="mr-4">Item 1</div>
  <div class="mr-4">Item 2</div>
  <div>Item 3</div>
  <!-- No margin on last -->
 </div>
 <!-- ✅ Do this instead -->
 <div class="flex gap-4">
  <div>Item 1</div>
  <div>Item 2</div>
  <div>Item 3</div>
 </div>
 ```
 #### Gap vs Space utilities
 - **Never use `space-x-*` or `space-y-*` in flex/grid layouts** - always use gap
 - Space utilities add margins to children and have issues with wrapped items
 - Gap works correctly with flex-wrap and all flex directions
 ```html
 <!-- ❌ Avoid space utilities in flex containers -->
 <div class="flex flex-wrap space-x-4">
  <!-- Space utilities break with wrapped items -->
 </div>
 <!-- ✅ Use gap for consistent spacing -->
 <div class="flex flex-wrap gap-4">
  <!-- Gap works perfectly with wrapping -->
 </div>
 ```
 ### General Spacing Guidelines
 - **Prefer top and left margins** over bottom and right margins (unless conditionally rendered)
 - **Use padding on parent containers** instead of bottom margins on the last child
 - **Always use `min-h-dvh` instead of `min-h-screen`** - `min-h-screen` is buggy on mobile Safari
 - **Prefer `size-*` utilities** over separate `w-*` and `h-*` when setting equal dimensions
 - For max-widths, prefer the container scale (e.g., `max-w-2xs` over `max-w-72`)
 ## Typography Rules
 ### Line Heights
 - **Never use `leading-*` classes** - Always use line height modifiers with text size
 - **Always use fixed line heights from the spacing scale** - Don't use named values
 ```html
 <!-- ❌ Don't do this -->
 <p class="text-base leading-7">Text with separate line height</p>
 <p class="text-lg leading-relaxed">Text with named line height</p>
 <!-- ✅ Do this instead -->
 <p class="text-base/7">Text with line height modifier</p>
 <p class="text-lg/8">Text with specific line height</p>
 ```
 ### Font Size Reference
 Be precise with font sizes - know the actual pixel values:
 - `text-xs` = 12px
 - `text-sm` = 14px
 - `text-base` = 16px
 - `text-lg` = 18px
 - `text-xl` = 20px
 ## Color and Opacity
 ### Opacity Modifiers
 **Never use `bg-opacity-*`, `text-opacity-*`, etc.** - use the opacity modifier syntax:
 ```html
 <!-- ❌ Don't do this -->
 <div class="bg-red-500 bg-opacity-60">Old opacity syntax</div>
 <!-- ✅ Do this instead -->
 <div class="bg-red-500/60">Modern opacity syntax</div>
 ```
 ## Responsive Design
 ### Breakpoint Optimization
 - **Check for redundant classes across breakpoints**
 - **Only add breakpoint variants when values change**
 ```html
 <!-- ❌ Redundant breakpoint classes -->
 <div class="px-4 md:px-4 lg:px-4">
  <!-- md:px-4 and lg:px-4 are redundant -->
 </div>
 <!-- ✅ Efficient breakpoint usage -->
 <div class="px-4 lg:px-8">
  <!-- Only specify when value changes -->
 </div>
 ```
 ## Dark Mode
 ### Dark Mode Best Practices
 - Use the plain `dark:` variant pattern
 - Put light mode styles first, then dark mode styles
 - Ensure `dark:` variant comes before other variants
 ```html
 <!-- ✅ Correct dark mode pattern -->
 <div class="bg-white text-black dark:bg-black dark:text-white">
  <button class="hover:bg-gray-100 dark:hover:bg-gray-800">Click me</button>
 </div>
 ```
 ## Gradient Utilities
 - **ALWAYS Use `bg-linear-*` instead of `bg-gradient-*` utilities** - The gradient utilities were renamed in v4
 - Use the new `bg-radial` or `bg-radial-[<position>]` to create radial gradients
 - Use the new `bg-conic` or `bg-conic-*` to create conic gradients
 ```html
 <!-- ✅ Use the new gradient utilities -->
 <div class="h-14 bg-linear-to-br from-violet-500 to-fuchsia-500"></div>
 <div
  class="size-18 bg-radial-[at_50%_75%] from-sky-200 via-blue-400 to-indigo-900 to-90%"
 ></div>
 <div
  class="size-24 bg-conic-180 from-indigo-600 via-indigo-50 to-indigo-600"
 ></div>
 <!-- ❌ Do not use bg-gradient-* utilities -->
 <div class="h-14 bg-gradient-to-br from-violet-500 to-fuchsia-500"></div>
 ```
 ## Working with CSS Variables
 ### Accessing Theme Values
 Tailwind CSS v4 exposes all theme values as CSS variables:
 ```css
 /* Access colors, and other theme values */
 .custom-element {
  background: var(--color-red-500);
  border-radius: var(--radius-lg);
 }
 ```
 ### The `--spacing()` Function
 Use the dedicated `--spacing()` function for spacing calculations:
 ```css
 .custom-class {
  margin-top: calc(100vh - --spacing(16));
 }
 ```
 ### Extending theme values
 Use CSS to extend theme values:
 ```css
@import "tailwindcss";
@theme {
  --color-mint-500: oklch(0.72 0.11 178);
 }
 ```
 ```html
 <div class="bg-mint-500">
  <!-- ... -->
 </div>
 ```
 ## New v4 Features
 ### Container Queries
 Use the `@container` class and size variants:
 ```html
 <article class="@container">
  <div class="flex flex-col @md:flex-row @lg:gap-8">
    <img class="w-full @md:w-48" />
    <div class="mt-4 @md:mt-0">
      <!-- Content adapts to container size -->
    </div>
  </div>
 </article>
 ```
 ### Container Query Units
 Use container-based units like `cqw` for responsive sizing:
 ```html
 <div class="@container">
  <h1 class="text-[50cqw]">Responsive to container width</h1>
 </div>
 ```
 ### Text Shadows (v4.1)
 Use text-shadow-\* utilities from text-shadow-2xs to text-shadow-lg:
 ```html
 <!-- ✅ Text shadow examples -->
 <h1 class="text-shadow-lg">Large shadow</h1>
 <p class="text-shadow-sm/50">Small shadow with opacity</p>
 ```
 ### Masking (v4.1)
 Use the new composable mask utilities for image and gradient masks:
 ```html
 <!-- ✅ Linear gradient masks on specific sides -->
 <div class="mask-t-from-50%">Top fade</div>
 <div class="mask-b-from-20% mask-b-to-80%">Bottom gradient</div>
 <div class="mask-linear-from-white mask-linear-to-black/60">
  Fade from white to black
 </div>
 <!-- ✅ Radial gradient masks -->
 <div class="mask-radial-[100%_100%] mask-radial-from-75% mask-radial-at-left">
  Radial mask
 </div>
 ```
 ## Component Patterns
 ### Avoiding Utility Inheritance
 Don't add utilities to parents that you override in children:
 ```html
 <!-- ❌ Avoid this pattern -->
 <div class="text-center">
  <h1>Centered Heading</h1>
  <div class="text-left">Left-aligned content</div>
 </div>
 <!-- ✅ Better approach -->
 <div>
  <h1 class="text-center">Centered Heading</h1>
  <div>Left-aligned content</div>
 </div>
 ```
 ### Component Extraction
 - Extract repeated patterns into framework components, not CSS classes
 - Keep utility classes in templates/JSX
 - Use data attributes for complex state-based styling
 ## CSS Best Practices
 ### Nesting Guidelines
 - Use nesting when styling both parent and children
 - Avoid empty parent selectors
 ```css
 /* ✅ Good nesting - parent has styles */
 .card {
  padding: --spacing(4);
  > .card-title {
    font-weight: bold;
  }
 }
 /* ❌ Avoid empty parents */
 ul {
  > li {
    /* Parent has no styles */
  }
 }
 ```
 ## Common Pitfalls to Avoid
 1. **Using old opacity utilities** - Always use `/opacity` syntax like `bg-red-500/60`
 2. **Redundant breakpoint classes** - Only specify changes
 3. **Space utilities in flex/grid** - Always use gap
 4. **Leading utilities** - Use line-height modifiers like `text-sm/6`
 5. **Arbitrary values** - Use the design scale
 6. **@apply directive** - Use components or CSS variables
 7. **min-h-screen on mobile** - Use min-h-dvh
 8. **Separate width/height** - Use size utilities when equal
 9. **Arbitrary values** - Always use Tailwind's predefined scale whenever possible (e.g., use `ml-4` over `ml-[16px]`)
--- a/.claude/skills/e2e-cucumber-playwright
+++ b/.claude/skills/e2e-cucumber-playwright
@ -1 +0,0 @@
 ../../.agents/skills/e2e-cucumber-playwright
--- a/.devcontainer/post_create_command.sh
+++ b/.devcontainer/post_create_command.sh
@ -7,7 +7,7 @@ cd web && pnpm install
 pipx install uv
 echo "alias start-api=\"cd $WORKSPACE_ROOT/api && uv run python -m flask run --host 0.0.0.0 --port=5001 --debug\"" >> ~/.bashrc
-echo "alias start-worker=\"cd $WORKSPACE_ROOT/api && uv run python -m celery -A app.celery worker -P threads -c 1 --loglevel INFO -Q dataset,dataset_summary,priority_dataset,priority_pipeline,pipeline,mail,ops_trace,app_deletion,plugin,workflow_storage,conversation,workflow,schedule_poller,schedule_executor,triggered_workflow_dispatcher,trigger_refresh_publisher,trigger_refresh_executor,retention\"" >> ~/.bashrc
+echo "alias start-worker=\"cd $WORKSPACE_ROOT/api && uv run python -m celery -A app.celery worker -P threads -c 1 --loglevel INFO -Q dataset,dataset_summary,priority_dataset,priority_pipeline,pipeline,mail,ops_trace,app_deletion,plugin,workflow_storage,conversation,workflow,schedule_poller,schedule_executor,triggered_workflow_dispatcher,trigger_refresh_executor,retention\"" >> ~/.bashrc
 echo "alias start-web=\"cd $WORKSPACE_ROOT/web && pnpm dev:inspect\"" >> ~/.bashrc
 echo "alias start-web-prod=\"cd $WORKSPACE_ROOT/web && pnpm build && pnpm start\"" >> ~/.bashrc
 echo "alias start-containers=\"cd $WORKSPACE_ROOT/docker && docker-compose -f docker-compose.middleware.yaml -p dify --env-file middleware.env up -d\"" >> ~/.bashrc
--- a/.dockerignore
+++ b/.dockerignore
@ -1,15 +0,0 @@
 **/node_modules
 **/.pnpm-store
 **/dist
 **/.next
 **/.turbo
 **/.cache
 **/__pycache__
 **/*.pyc
 **/.mypy_cache
 **/.ruff_cache
 .git
 .github
 *.md
 !web/README.md
 !api/README.md
--- a/.gitattributes
+++ b/.gitattributes
@ -5,7 +5,3 @@
 # them.
 *.sh      text eol=lf
 # Codegen output must stay byte-identical across platforms so
 # `pnpm tree:check` in CI does not trip on CRLF rewrites.
 *.generated.ts  text eol=lf
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -6,9 +6,6 @@
 * @crazywoola @laipz8200 @Yeuoly
 # ESLint suppression file is maintained by autofix.ci pruning.
 /eslint-suppressions.json
 # CODEOWNERS file
 /.github/CODEOWNERS @laipz8200 @crazywoola
@ -18,10 +15,6 @@
 # Docs
 /docs/ @crazywoola
 # CLI
 /cli/ @langgenius/maintainers
 /.github/workflows/cli-tests.yml @langgenius/maintainers
 # Backend (default owner, more specific rules below will override)
 /api/ @QuantumGhost
--- a/.github/actions/setup-web/action.yml
+++ b/.github/actions/setup-web/action.yml
@ -1,15 +1,10 @@
 name: Setup Web Environment
 description: Set up Node.js, Vite+, pnpm, and web dependencies
 runs:
  using: composite
  steps:
    - name: Setup pnpm
      uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
      with:
        run_install: false
    - name: Setup Vite+
-      uses: voidzero-dev/setup-vp@4f5aa3e38c781f1b01e78fb9255527cee8a6efa6 # v1.8.0
+      uses: voidzero-dev/setup-vp@20553a7a7429c429a74894104a2835d7fed28a72 # v1.3.0
      with:
        node-version-file: .nvmrc
        cache: true
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,6 +1,106 @@
 version: 2
 updates:
  - package-ecosystem: "pip"
    directory: "/api"
    open-pull-requests-limit: 10
    schedule:
      interval: "weekly"
    groups:
      flask:
        patterns:
          - "flask"
          - "flask-*"
          - "werkzeug"
          - "gunicorn"
      google:
        patterns:
          - "google-*"
          - "googleapis-*"
      opentelemetry:
        patterns:
          - "opentelemetry-*"
      pydantic:
        patterns:
          - "pydantic"
          - "pydantic-*"
      llm:
        patterns:
          - "langfuse"
          - "langsmith"
          - "litellm"
          - "mlflow*"
          - "opik"
          - "weave*"
          - "arize*"
          - "tiktoken"
          - "transformers"
      database:
        patterns:
          - "sqlalchemy"
          - "psycopg2*"
          - "psycogreen"
          - "redis*"
          - "alembic*"
      storage:
        patterns:
          - "boto3*"
          - "botocore*"
          - "azure-*"
          - "bce-*"
          - "cos-python-*"
          - "esdk-obs-*"
          - "google-cloud-storage"
          - "opendal"
          - "oss2"
          - "supabase*"
          - "tos*"
      vdb:
        patterns:
          - "alibabacloud*"
          - "chromadb"
          - "clickhouse-*"
          - "clickzetta-*"
          - "couchbase"
          - "elasticsearch"
          - "opensearch-py"
          - "oracledb"
          - "pgvect*"
          - "pymilvus"
          - "pymochow"
          - "pyobvector"
          - "qdrant-client"
          - "intersystems-*"
          - "tablestore"
          - "tcvectordb"
          - "tidb-vector"
          - "upstash-*"
          - "volcengine-*"
          - "weaviate-*"
          - "xinference-*"
          - "mo-vector"
          - "mysql-connector-*"
      dev:
        patterns:
          - "coverage"
          - "dotenv-linter"
          - "faker"
          - "lxml-stubs"
          - "basedpyright"
          - "ruff"
          - "pytest*"
          - "types-*"
          - "boto3-stubs"
          - "hypothesis"
          - "pandas-stubs"
          - "scipy-stubs"
          - "import-linter"
          - "celery-types"
          - "mypy*"
          - "pyrefly"
      python-packages:
        patterns:
          - "*"
  - package-ecosystem: "uv"
    directory: "/api"
    open-pull-requests-limit: 10
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@ -1,9 +1,3 @@
 web:
  - changed-files:
-      - any-glob-to-any-file:
+      - any-glob-to-any-file: 'web/**'
          - 'web/**'
          - 'packages/**'
          - 'package.json'
          - 'pnpm-lock.yaml'
          - 'pnpm-workspace.yaml'
          - '.nvmrc'
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -7,7 +7,6 @@
 ## Summary
 <!-- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change. -->
 <!-- If this PR was created by an automated agent, add `From <Tool Name>` as the final line of the description. Example: `From Codex`. -->
 ## Screenshots
@ -18,7 +17,7 @@
 ## Checklist
 - [ ] This change requires a documentation update, included: [Dify Document](https://github.com/langgenius/dify-docs)
- [ ] I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
+- [x] I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
- [ ] I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
+- [x] I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
- [ ] I've updated the documentation accordingly.
+- [x] I've updated the documentation accordingly.
- [ ] I ran `make lint && make type-check` (backend) and `cd web && pnpm exec vp staged` (frontend) to appease the lint gods
+- [x] I ran `make lint` and `make type-check` (backend) and `cd web && npx lint-staged` (frontend) to appease the lint gods
--- a/.github/scripts/check-hotfix-cherry-picks.sh
+++ b/.github/scripts/check-hotfix-cherry-picks.sh
@ -1,73 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 BASE_SHA=${BASE_SHA:-}
 HEAD_SHA=${HEAD_SHA:-}
 MAIN_REF=${MAIN_REF:-origin/main}
 REMEDIATION_HINT="Changes should be made from the main branch using git cherry-pick -x."
 error() {
  printf 'ERROR: %s\n' "$1" >&2
 }
 if [[ -z "$BASE_SHA" || -z "$HEAD_SHA" ]]; then
  error "BASE_SHA and HEAD_SHA are required. $REMEDIATION_HINT"
  exit 2
 fi
 if ! git rev-parse --verify "$BASE_SHA^{commit}" > /dev/null 2>&1; then
  error "Base commit '$BASE_SHA' is not available in the local git checkout."
  exit 2
 fi
 if ! git rev-parse --verify "$HEAD_SHA^{commit}" > /dev/null 2>&1; then
  error "Head commit '$HEAD_SHA' is not available in the local git checkout."
  exit 2
 fi
 if ! git rev-parse --verify "$MAIN_REF^{commit}" > /dev/null 2>&1; then
  error "Main ref '$MAIN_REF' is not available in the local git checkout. $REMEDIATION_HINT"
  exit 2
 fi
 failed=0
 checked=0
 while IFS= read -r commit_sha; do
  [[ -n "$commit_sha" ]] || continue
  checked=$((checked + 1))
  subject=$(git log -1 --format=%s "$commit_sha")
  source_sha=$(
    git log -1 --format=%B "$commit_sha" \
      | sed -nE 's/^\(cherry picked from commit ([0-9a-fA-F]{7,64})\)$/\1/p' \
      | tail -n 1
  )
  if [[ -z "$source_sha" ]]; then
    error "Commit $commit_sha ($subject) is missing cherry-pick provenance. $REMEDIATION_HINT"
    failed=1
    continue
  fi
  if ! git cat-file -e "$source_sha^{commit}" 2> /dev/null; then
    error "Commit $commit_sha ($subject) references source $source_sha, but that commit is not available locally. $REMEDIATION_HINT"
    failed=1
    continue
  fi
  if ! git merge-base --is-ancestor "$source_sha" "$MAIN_REF"; then
    error "Commit $commit_sha ($subject) references source $source_sha, but that source is not reachable from main ($MAIN_REF). $REMEDIATION_HINT"
    failed=1
  fi
 done < <(git rev-list --reverse "$BASE_SHA..$HEAD_SHA")
 if [[ "$failed" -ne 0 ]]; then
  exit 1
 fi
 if [[ "$checked" -eq 0 ]]; then
  echo "No PR commits to check."
 else
  echo "Verified $checked PR commit(s) include cherry-pick provenance from main."
 fi
--- a/.github/scripts/generate-i18n-changes.mjs
+++ b/.github/scripts/generate-i18n-changes.mjs
@ -1,82 +0,0 @@
 import { execFileSync } from 'node:child_process'
 import fs from 'node:fs'
 import path from 'node:path'
 const repoRoot = process.cwd()
 const baseSha = process.env.BASE_SHA || ''
 const headSha = process.env.HEAD_SHA || ''
 const files = (process.env.CHANGED_FILES || '').split(/\s+/).filter(Boolean)
 const outputPath = process.env.I18N_CHANGES_OUTPUT_PATH || '/tmp/i18n-changes.json'
 const englishPath = fileStem => path.join(repoRoot, 'web', 'i18n', 'en-US', `${fileStem}.json`)
 const readCurrentJson = (fileStem) => {
  const filePath = englishPath(fileStem)
  if (!fs.existsSync(filePath))
    return null
  return JSON.parse(fs.readFileSync(filePath, 'utf8'))
 }
 const readBaseJson = (fileStem) => {
  if (!baseSha)
    return null
  try {
    const relativePath = `web/i18n/en-US/${fileStem}.json`
    const content = execFileSync('git', ['show', `${baseSha}:${relativePath}`], { encoding: 'utf8' })
    return JSON.parse(content)
  }
  catch {
    return null
  }
 }
 const compareJson = (beforeValue, afterValue) => JSON.stringify(beforeValue) === JSON.stringify(afterValue)
 const changes = {}
 for (const fileStem of files) {
  const currentJson = readCurrentJson(fileStem)
  const beforeJson = readBaseJson(fileStem) || {}
  const afterJson = currentJson || {}
  const added = {}
  const updated = {}
  const deleted = []
  for (const [key, value] of Object.entries(afterJson)) {
    if (!(key in beforeJson)) {
      added[key] = value
      continue
    }
    if (!compareJson(beforeJson[key], value)) {
      updated[key] = {
        before: beforeJson[key],
        after: value,
      }
    }
  }
  for (const key of Object.keys(beforeJson)) {
    if (!(key in afterJson))
      deleted.push(key)
  }
  changes[fileStem] = {
    fileDeleted: currentJson === null,
    added,
    updated,
    deleted,
  }
 }
 fs.writeFileSync(
  outputPath,
  JSON.stringify({
    baseSha,
    headSha,
    files,
    changes,
  })
 )
--- a/.github/workflows/anti-slop.yml
+++ b/.github/workflows/anti-slop.yml
@ -0,0 +1,19 @@
 name: Anti-Slop PR Check
 on:
  pull_request_target:
    types: [opened, edited, synchronize]
 permissions:
  pull-requests: write
  contents: read
 jobs:
  anti-slop:
    runs-on: ubuntu-latest
    steps:
      - uses: peakoss/anti-slop@85daca1880e9e1af197fc06ea03349daf08f4202 # v0.2.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          close-pr: false
          failure-add-pr-labels: "needs-revision"
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@ -16,7 +16,7 @@ concurrency:
 jobs:
  api-unit:
    name: API Unit Tests
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    env:
      COVERAGE_FILE: coverage-unit
    defaults:
@ -35,7 +35,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -54,7 +54,7 @@ jobs:
        run: uv run --project api bash dev/pytest/pytest_unit_tests.sh
      - name: Upload unit coverage data
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: api-coverage-unit
          path: coverage-unit
@ -62,7 +62,7 @@ jobs:
  api-integration:
    name: API Integration Tests
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    env:
      COVERAGE_FILE: coverage-integration
      STORAGE_TYPE: opendal
@ -84,7 +84,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -99,13 +99,13 @@ jobs:
      - name: Set up dotenvs
        run: |
          cp docker/.env.example docker/.env
-          cp docker/envs/middleware.env.example docker/middleware.env
+          cp docker/middleware.env.example docker/middleware.env
      - name: Expose Service Ports
        run: sh .github/workflows/expose_service_ports.sh
      - name: Set up Sandbox
-        uses: hoverkraft-tech/compose-action@d2bee4f07e8ca410d6b196d00f90c12e7d48c33a # v2.6.0
+        uses: hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3 # v2.5.0
        with:
          compose-file: |
            docker/docker-compose.middleware.yaml
@ -129,7 +129,7 @@ jobs:
            api/tests/test_containers_integration_tests
      - name: Upload integration coverage data
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: api-coverage-integration
          path: coverage-integration
@ -137,7 +137,7 @@ jobs:
  api-coverage:
    name: API Coverage
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    needs:
      - api-unit
      - api-integration
@ -156,7 +156,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@ -13,7 +13,7 @@ permissions:
 jobs:
  autofix:
    if: github.repository == 'langgenius/dify'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Complete merge group check
        if: github.event_name == 'merge_group'
@ -25,7 +25,7 @@ jobs:
      - name: Check Docker Compose inputs
        if: github.event_name != 'merge_group'
        id: docker-compose-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            docker/generate_docker_compose
@ -35,11 +35,10 @@ jobs:
      - name: Check web inputs
        if: github.event_name != 'merge_group'
        id: web-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            web/**
            packages/**
            package.json
            pnpm-lock.yaml
            pnpm-workspace.yaml
@ -47,7 +46,7 @@ jobs:
      - name: Check api inputs
        if: github.event_name != 'merge_group'
        id: api-changes
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            api/**
@ -57,7 +56,7 @@ jobs:
          python-version: "3.11"
      - if: github.event_name != 'merge_group'
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
      - name: Generate Docker Compose
        if: github.event_name != 'merge_group' && steps.docker-compose-changes.outputs.any_changed == 'true'
@ -113,23 +112,14 @@ jobs:
          find . -name "*.py.bak" -type f -delete
      - name: Setup web environment
-        if: github.event_name != 'merge_group'
+        if: github.event_name != 'merge_group' && steps.web-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/setup-web
      - name: Generate API docs
        if: github.event_name != 'merge_group' && steps.api-changes.outputs.any_changed == 'true'
        run: |
          cd api
          uv run dev/generate_swagger_markdown_docs.py --swagger-dir ../packages/contracts/openapi --markdown-dir openapi/markdown --keep-swagger-json
      - name: Generate frontend contracts
        if: github.event_name != 'merge_group' && steps.api-changes.outputs.any_changed == 'true'
        run: pnpm --dir packages/contracts gen-api-contract-from-openapi
      - name: ESLint autofix
        if: github.event_name != 'merge_group' && steps.web-changes.outputs.any_changed == 'true'
        run: |
          cd web
          vp exec eslint --concurrency=2 --prune-suppressions --quiet || true
      - if: github.event_name != 'merge_group'
-        uses: autofix-ci/action@c5b2d67aa2274e7b5a18224e8171550871fc7e4a # v1.3.4
+        uses: autofix-ci/action@7a166d7532b277f34e16238930461bf77f9d7ed8 # v1.3.3
--- a/.github/workflows/build-push.yml
+++ b/.github/workflows/build-push.yml
@ -26,9 +26,6 @@ jobs:
  build:
    runs-on: ${{ matrix.runs_on }}
    if: github.repository == 'langgenius/dify'
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        include:
@ -38,28 +35,28 @@ jobs:
            build_context: "{{defaultContext}}:api"
            file: "Dockerfile"
            platform: linux/amd64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-latest
          - service_name: "build-api-arm64"
            image_name_env: "DIFY_API_IMAGE_NAME"
            artifact_context: "api"
            build_context: "{{defaultContext}}:api"
            file: "Dockerfile"
            platform: linux/arm64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-24.04-arm
          - service_name: "build-web-amd64"
            image_name_env: "DIFY_WEB_IMAGE_NAME"
            artifact_context: "web"
            build_context: "{{defaultContext}}"
            file: "web/Dockerfile"
            platform: linux/amd64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-latest
          - service_name: "build-web-arm64"
            image_name_env: "DIFY_WEB_IMAGE_NAME"
            artifact_context: "web"
            build_context: "{{defaultContext}}"
            file: "web/Dockerfile"
            platform: linux/arm64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-24.04-arm
    steps:
      - name: Prepare
@ -68,13 +65,13 @@ jobs:
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
+      - name: Set up Docker Buildx
-        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Extract metadata for Docker
        id: meta
@ -84,15 +81,16 @@ jobs:
      - name: Build Docker image
        id: build
-        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          project: ${{ vars.DEPOT_PROJECT_ID }}
          context: ${{ matrix.build_context }}
          file: ${{ matrix.file }}
          platforms: ${{ matrix.platform }}
          build-args: COMMIT_SHA=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
          labels: ${{ steps.meta.outputs.labels }}
          outputs: type=image,name=${{ env[matrix.image_name_env] }},push-by-digest=true,name-canonical=true,push=true
          cache-from: type=gha,scope=${{ matrix.service_name }}
          cache-to: type=gha,mode=max,scope=${{ matrix.service_name }}
      - name: Export digest
        env:
@ -103,40 +101,16 @@ jobs:
          touch "/tmp/digests/${sanitized_digest}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: digests-${{ matrix.artifact_context }}-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  fork-build-validate:
    if: github.repository != 'langgenius/dify'
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        include:
          - service_name: "validate-api-amd64"
            build_context: "{{defaultContext}}:api"
            file: "Dockerfile"
          - service_name: "validate-web-amd64"
            build_context: "{{defaultContext}}"
            file: "web/Dockerfile"
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Validate Docker image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          push: false
          context: ${{ matrix.build_context }}
          file: ${{ matrix.file }}
          platforms: linux/amd64
  create-manifest:
    needs: build
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    if: github.repository == 'langgenius/dify'
    strategy:
      matrix:
@ -156,7 +130,7 @@ jobs:
          merge-multiple: true
      - name: Login to Docker Hub
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_TOKEN }}
--- a/.github/workflows/cli-docker-build.yml
+++ b/.github/workflows/cli-docker-build.yml
@ -1,63 +0,0 @@
 name: CLI Docker Build (dev)
 on:
  pull_request:
    branches:
      - "main"
    paths:
      - "cli/**"
      - "packages/tsconfig/**"
      - "pnpm-lock.yaml"
      - "pnpm-workspace.yaml"
  merge_group:
    branches:
      - "main"
    types: [checks_requested]
 concurrency:
  group: cli-docker-build-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  build:
    name: Build CLI dev image
    if: github.event_name == 'merge_group' || github.event.pull_request.head.repo.full_name == github.repository
    runs-on: depot-ubuntu-24.04-4
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Set up Depot CLI
        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
      - name: Build CLI Dockerfile.dev
        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
        with:
          project: ${{ vars.DEPOT_PROJECT_ID }}
          push: false
          context: "{{defaultContext}}"
          file: "cli/Dockerfile.dev"
          platforms: linux/amd64,linux/arm64
  build-fork:
    name: Build CLI dev image (fork)
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Build CLI Dockerfile.dev
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          push: false
          context: "."
          file: "cli/Dockerfile.dev"
          platforms: linux/amd64
--- a/.github/workflows/cli-release.yml
+++ b/.github/workflows/cli-release.yml
@ -1,102 +0,0 @@
 name: CLI Release
 on:
  workflow_dispatch:
 concurrency:
  group: cli-release-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  release:
    name: build standalone binaries (all targets)
    runs-on: depot-ubuntu-24.04
    if: github.repository == 'langgenius/dify'
    permissions:
      contents: write
    defaults:
      run:
        shell: bash
        working-directory: ./cli
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Setup web environment
        uses: ./.github/actions/setup-web
      - name: Setup Bun
        uses: oven-sh/setup-bun@4bc047ad259df6fc24a6c9b0f9a0cb08cf17fbe5 # v2.0.2
        with:
          bun-version: latest
      - name: Read cli/package.json
        id: manifest
        run: |
          version=$(node -p "require('./package.json').version")
          channel=$(node -p "require('./package.json').difyctl.channel")
          minDify=$(node -p "require('./package.json').difyctl.compat.minDify")
          maxDify=$(node -p "require('./package.json').difyctl.compat.maxDify")
          {
              echo "version=$version"
              echo "channel=$channel"
              echo "minDify=$minDify"
              echo "maxDify=$maxDify"
          } >> "$GITHUB_OUTPUT"
      - name: Validate manifest
        run: scripts/release-validate-manifest.sh
      - name: Install cross-arch native prebuilds
        # Re-installs node_modules with every @napi-rs/keyring platform variant
        # so `bun build --compile` can embed the right .node into each target.
        working-directory: ./
        run: NPM_CONFIG_USERCONFIG="$PWD/cli/scripts/cross-arch.npmrc" pnpm install --frozen-lockfile
      - name: Compile standalone binaries (all targets)
        env:
          CLI_VERSION: ${{ steps.manifest.outputs.version }}
          DIFYCTL_CHANNEL: ${{ steps.manifest.outputs.channel }}
          DIFYCTL_MIN_DIFY: ${{ steps.manifest.outputs.minDify }}
          DIFYCTL_MAX_DIFY: ${{ steps.manifest.outputs.maxDify }}
        run: |
          DIFYCTL_COMMIT="$(git rev-parse HEAD)" \
          DIFYCTL_BUILD_DATE="$(git log -1 --format=%cI HEAD)" \
            pnpm build:bin
      - name: Generate sha256 checksum file
        env:
          CLI_VERSION: ${{ steps.manifest.outputs.version }}
        run: scripts/release-write-checksums.sh
      - name: Publish GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          TAG: difyctl-v${{ steps.manifest.outputs.version }}
          VERSION: ${{ steps.manifest.outputs.version }}
          CHANNEL: ${{ steps.manifest.outputs.channel }}
        working-directory: ./cli/dist/bin
        run: |
          prerelease_flag=""
          if [ "$CHANNEL" != "stable" ]; then
              prerelease_flag="--prerelease"
          fi
          if gh release view "$TAG" --repo "$REPO" >/dev/null 2>&1; then
              echo "Release $TAG exists — replacing assets"
              gh release upload "$TAG" --repo "$REPO" --clobber difyctl-v*
          else
              echo "Creating release $TAG"
              gh release create "$TAG" \
                  --repo "$REPO" \
                  --target "$GITHUB_SHA" \
                  --title "difyctl $VERSION" \
                  --notes "Automated release built by \`cli-release.yml\` (commit ${GITHUB_SHA:0:7})." \
                  $prerelease_flag \
                  difyctl-v*
          fi
--- a/.github/workflows/cli-smoke.yml
+++ b/.github/workflows/cli-smoke.yml
@ -1,57 +0,0 @@
 name: CLI Smoke (live dify)
 on:
  workflow_dispatch:
    inputs:
      dify_version:
        description: "Dify image tag to test against (e.g. 1.7.0)"
        type: string
        required: true
      cli_ref:
        description: "Git ref to build the cli from (default: current branch)"
        type: string
        required: false
 jobs:
  smoke:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout cli ref
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.cli_ref || github.ref }}
          persist-credentials: false
      - name: Setup web environment
        uses: ./.github/actions/setup-web
      - name: Bring up dify
        env:
          DIFY_VERSION: ${{ inputs.dify_version }}
        run: |
          cd docker
          cp .env.example .env
          DIFY_API_IMAGE_TAG="$DIFY_VERSION" \
          DIFY_WEB_IMAGE_TAG="$DIFY_VERSION" \
          docker compose up -d api worker web db redis
          for i in $(seq 1 60); do
              if curl -fsS http://localhost:5001/health >/dev/null 2>&1; then
                  echo "dify api ready after ${i}s"
                  break
              fi
              sleep 1
          done
      - name: Run smoke against live dify
        working-directory: ./cli
        run: pnpm exec tsx scripts/run-smoke.ts --base-url http://localhost:5001
      - name: Dump dify logs on failure
        if: failure()
        run: |
          cd docker
          docker compose logs api worker web --tail=200
--- a/.github/workflows/cli-tests.yml
+++ b/.github/workflows/cli-tests.yml
@ -1,46 +0,0 @@
 name: CLI Tests
 on:
  workflow_call:
    secrets:
      CODECOV_TOKEN:
        required: false
 permissions:
  contents: read
 concurrency:
  group: cli-tests-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
    name: CLI Tests
    runs-on: depot-ubuntu-24.04
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    defaults:
      run:
        shell: bash
        working-directory: ./cli
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup web environment
        uses: ./.github/actions/setup-web
      - name: CI pipeline (typecheck, lint, coverage, build)
        run: pnpm ci
      - name: Report coverage
        if: ${{ env.CODECOV_TOKEN != '' }}
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          directory: cli/coverage
          flags: cli
        env:
          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
--- a/.github/workflows/db-migration-test.yml
+++ b/.github/workflows/db-migration-test.yml
@ -9,7 +9,7 @@ concurrency:
 jobs:
  db-migration-test-postgres:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
@ -19,7 +19,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
@ -37,10 +37,10 @@ jobs:
      - name: Prepare middleware env
        run: |
          cd docker
-          cp envs/middleware.env.example middleware.env
+          cp middleware.env.example middleware.env
      - name: Set up Middlewares
-        uses: hoverkraft-tech/compose-action@d2bee4f07e8ca410d6b196d00f90c12e7d48c33a # v2.6.0
+        uses: hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3 # v2.5.0
        with:
          compose-file: |
            docker/docker-compose.middleware.yaml
@ -59,7 +59,7 @@ jobs:
        run: uv run --directory api flask upgrade-db
  db-migration-test-mysql:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
@ -69,7 +69,7 @@ jobs:
          persist-credentials: false
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
@ -87,14 +87,14 @@ jobs:
      - name: Prepare middleware env for MySQL
        run: |
          cd docker
-          cp envs/middleware.env.example middleware.env
+          cp middleware.env.example middleware.env
          sed -i 's/DB_TYPE=postgresql/DB_TYPE=mysql/' middleware.env
          sed -i 's/DB_HOST=db_postgres/DB_HOST=db_mysql/' middleware.env
          sed -i 's/DB_PORT=5432/DB_PORT=3306/' middleware.env
          sed -i 's/DB_USERNAME=postgres/DB_USERNAME=mysql/' middleware.env
      - name: Set up Middlewares
-        uses: hoverkraft-tech/compose-action@d2bee4f07e8ca410d6b196d00f90c12e7d48c33a # v2.6.0
+        uses: hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3 # v2.5.0
        with:
          compose-file: |
            docker/docker-compose.middleware.yaml
@ -110,28 +110,6 @@ jobs:
          sed -i 's/DB_PORT=5432/DB_PORT=3306/' .env
          sed -i 's/DB_USERNAME=postgres/DB_USERNAME=root/' .env
      # hoverkraft-tech/compose-action@v2.6.0 only waits for `docker compose up -d`
      # to return (container processes started); it does not wait on healthcheck
      # status. mysql:8.0's first-time init takes 15-30s, so without an explicit
      # wait the migration runs while InnoDB is still initialising and gets
      # killed with "Lost connection during query". Poll a real SELECT until it
      # succeeds.
      - name: Wait for MySQL to accept queries
        run: |
          set +e
          for i in $(seq 1 60); do
            if docker run --rm --network host mysql:8.0 \
                mysql -h 127.0.0.1 -P 3306 -uroot -pdifyai123456 \
                -e 'SELECT 1' >/dev/null 2>&1; then
              echo "MySQL ready after ${i}s"
              exit 0
            fi
            sleep 1
          done
          echo "MySQL not ready after 60s; dumping container logs:"
          docker compose -f docker/docker-compose.middleware.yaml --profile mysql logs --tail=200 db_mysql
          exit 1
      - name: Run DB Migration
        env:
          DEBUG: true
--- a/.github/workflows/deploy-agent-dev.yml
+++ b/.github/workflows/deploy-agent-dev.yml
@ -13,7 +13,7 @@ on:
 jobs:
  deploy:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    if: |
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'deploy/agent-dev'
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@ -10,7 +10,7 @@ on:
 jobs:
  deploy:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    if: |
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'deploy/dev'
--- a/.github/workflows/deploy-enterprise.yml
+++ b/.github/workflows/deploy-enterprise.yml
@ -13,7 +13,7 @@ on:
 jobs:
  deploy:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    if: |
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'deploy/enterprise'
--- a/.github/workflows/deploy-hitl.yml
+++ b/.github/workflows/deploy-hitl.yml
@ -10,7 +10,7 @@ on:
 jobs:
  deploy:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    if: |
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'build/feat/hitl'
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@ -6,7 +6,12 @@ on:
      - "main"
    paths:
      - api/Dockerfile
      - web/docker/**
      - web/Dockerfile
      - package.json
      - pnpm-lock.yaml
      - pnpm-workspace.yaml
      - .nvmrc
 concurrency:
  group: docker-build-${{ github.head_ref || github.run_id }}
@ -14,59 +19,28 @@ concurrency:
 jobs:
  build-docker:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ${{ matrix.runs_on }}
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        include:
          - service_name: "api-amd64"
            platform: linux/amd64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-latest
            context: "{{defaultContext}}:api"
            file: "Dockerfile"
          - service_name: "api-arm64"
            platform: linux/arm64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-24.04-arm
            context: "{{defaultContext}}:api"
            file: "Dockerfile"
          - service_name: "web-amd64"
            platform: linux/amd64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-latest
            context: "{{defaultContext}}"
            file: "web/Dockerfile"
          - service_name: "web-arm64"
            platform: linux/arm64
-            runs_on: depot-ubuntu-24.04-4
+            runs_on: ubuntu-24.04-arm
            context: "{{defaultContext}}"
            file: "web/Dockerfile"
    steps:
      - name: Set up Depot CLI
        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
      - name: Build Docker Image
        uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
        with:
          project: ${{ vars.DEPOT_PROJECT_ID }}
          push: false
          context: ${{ matrix.context }}
          file: ${{ matrix.file }}
          platforms: ${{ matrix.platform }}
  build-docker-fork:
    if: github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    strategy:
      matrix:
        include:
          - service_name: "api-amd64"
            context: "{{defaultContext}}:api"
            file: "Dockerfile"
          - service_name: "web-amd64"
            context: "{{defaultContext}}"
            file: "web/Dockerfile"
    steps:
@ -74,9 +48,11 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          push: false
          context: ${{ matrix.context }}
          file: ${{ matrix.file }}
-          platforms: linux/amd64
+          platforms: ${{ matrix.platform }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
--- a/.github/workflows/hotfix-cherry-pick.yml
+++ b/.github/workflows/hotfix-cherry-pick.yml
@ -1,49 +0,0 @@
 name: Hotfix Cherry-Pick Provenance
 on:
  pull_request:
    branches:
      - 'hotfix/**'
      - 'lts/**'
    types:
      - opened
      - edited
      - reopened
      - ready_for_review
      - synchronize
 permissions:
  contents: read
 concurrency:
  group: hotfix-cherry-pick-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true
 jobs:
  check-cherry-pick-provenance:
    name: Require cherry-pick provenance
    runs-on: depot-ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Fetch PR base, PR head, and main
        env:
          BASE_REF: ${{ github.base_ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          git fetch --no-tags --prune origin \
            "+refs/heads/main:refs/remotes/origin/main" \
            "+refs/heads/${BASE_REF}:refs/remotes/origin/${BASE_REF}" \
            "+refs/pull/${PR_NUMBER}/head:refs/remotes/pull/${PR_NUMBER}/head"
      - name: Load checker from main
        run: git show origin/main:.github/scripts/check-hotfix-cherry-picks.sh > "$RUNNER_TEMP/check-hotfix-cherry-picks.sh"
      - name: Check PR commits
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          MAIN_REF: origin/main
        run: bash "$RUNNER_TEMP/check-hotfix-cherry-picks.sh"
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -7,8 +7,8 @@ jobs:
    permissions:
      contents: read
      pull-requests: write
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
          sync-labels: true
--- a/.github/workflows/main-ci.yml
+++ b/.github/workflows/main-ci.yml
@ -23,7 +23,7 @@ concurrency:
 jobs:
  pre_job:
    name: Skip Duplicate Checks
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip || 'false' }}
    steps:
@ -39,10 +39,9 @@ jobs:
    name: Check Changed Files
    needs: pre_job
    if: needs.pre_job.outputs.should_skip != 'true'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    outputs:
      api-changed: ${{ steps.changes.outputs.api }}
      cli-changed: ${{ steps.changes.outputs.cli }}
      e2e-changed: ${{ steps.changes.outputs.e2e }}
      web-changed: ${{ steps.changes.outputs.web }}
      vdb-changed: ${{ steps.changes.outputs.vdb }}
@ -58,27 +57,14 @@ jobs:
              - '.github/workflows/api-tests.yml'
              - '.github/workflows/expose_service_ports.sh'
              - 'docker/.env.example'
-              - 'docker/envs/middleware.env.example'
+              - 'docker/middleware.env.example'
              - 'docker/docker-compose.middleware.yaml'
              - 'docker/docker-compose-template.yaml'
              - 'docker/generate_docker_compose'
              - 'docker/ssrf_proxy/**'
              - 'docker/volumes/sandbox/conf/**'
            cli:
              - 'cli/**'
              - 'packages/tsconfig/**'
              - 'package.json'
              - 'pnpm-lock.yaml'
              - 'pnpm-workspace.yaml'
              - 'eslint.config.mjs'
              - '.npmrc'
              - '.nvmrc'
              - '.github/workflows/cli-tests.yml'
              - '.github/workflows/cli-docker-build.yml'
              - '.github/actions/setup-web/**'
            web:
              - 'web/**'
              - 'packages/**'
              - 'package.json'
              - 'pnpm-lock.yaml'
              - 'pnpm-workspace.yaml'
@ -91,23 +77,21 @@ jobs:
              - 'api/uv.lock'
              - 'e2e/**'
              - 'web/**'
              - 'packages/**'
              - 'package.json'
              - 'pnpm-lock.yaml'
              - 'pnpm-workspace.yaml'
              - '.nvmrc'
              - 'docker/docker-compose.middleware.yaml'
-              - 'docker/envs/middleware.env.example'
+              - 'docker/middleware.env.example'
              - '.github/workflows/web-e2e.yml'
              - '.github/actions/setup-web/**'
            vdb:
              - 'api/core/rag/datasource/**'
              - 'api/tests/integration_tests/vdb/**'
              - 'api/providers/vdb/*/tests/**'
              - '.github/workflows/vdb-tests.yml'
              - '.github/workflows/expose_service_ports.sh'
              - 'docker/.env.example'
-              - 'docker/envs/middleware.env.example'
+              - 'docker/middleware.env.example'
              - 'docker/docker-compose.yaml'
              - 'docker/docker-compose-template.yaml'
              - 'docker/generate_docker_compose'
@ -129,7 +113,7 @@ jobs:
              - '.github/workflows/db-migration-test.yml'
              - '.github/workflows/expose_service_ports.sh'
              - 'docker/.env.example'
-              - 'docker/envs/middleware.env.example'
+              - 'docker/middleware.env.example'
              - 'docker/docker-compose.middleware.yaml'
              - 'docker/docker-compose-template.yaml'
              - 'docker/generate_docker_compose'
@ -152,7 +136,7 @@ jobs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.api-changed != 'true'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Report skipped API tests
        run: echo "No API-related changes detected; skipping API tests."
@ -165,7 +149,7 @@ jobs:
      - check-changes
      - api-tests-run
      - api-tests-skip
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Finalize API Tests status
        env:
@ -197,66 +181,6 @@ jobs:
          echo "API tests were not required, but the skip job finished with result: $SKIP_RESULT" >&2
          exit 1
  cli-tests-run:
    name: Run CLI Tests
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.cli-changed == 'true'
    uses: ./.github/workflows/cli-tests.yml
    secrets: inherit
  cli-tests-skip:
    name: Skip CLI Tests
    needs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.cli-changed != 'true'
    runs-on: depot-ubuntu-24.04
    steps:
      - name: Report skipped CLI tests
        run: echo "No CLI-related changes detected; skipping CLI tests."
  cli-tests:
    name: CLI Tests
    if: ${{ always() }}
    needs:
      - pre_job
      - check-changes
      - cli-tests-run
      - cli-tests-skip
    runs-on: depot-ubuntu-24.04
    steps:
      - name: Finalize CLI Tests status
        env:
          SHOULD_SKIP_WORKFLOW: ${{ needs.pre_job.outputs.should_skip }}
          TESTS_CHANGED: ${{ needs.check-changes.outputs.cli-changed }}
          RUN_RESULT: ${{ needs.cli-tests-run.result }}
          SKIP_RESULT: ${{ needs.cli-tests-skip.result }}
        run: |
          if [[ "$SHOULD_SKIP_WORKFLOW" == 'true' ]]; then
            echo "CLI tests were skipped because this workflow run duplicated a successful or newer run."
            exit 0
          fi
          if [[ "$TESTS_CHANGED" == 'true' ]]; then
            if [[ "$RUN_RESULT" == 'success' ]]; then
              echo "CLI tests ran successfully."
              exit 0
            fi
            echo "CLI tests were required but finished with result: $RUN_RESULT" >&2
            exit 1
          fi
          if [[ "$SKIP_RESULT" == 'success' ]]; then
            echo "CLI tests were skipped because no CLI-related files changed."
            exit 0
          fi
          echo "CLI tests were not required, but the skip job finished with result: $SKIP_RESULT" >&2
          exit 1
  web-tests-run:
    name: Run Web Tests
    needs:
@ -272,7 +196,7 @@ jobs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.web-changed != 'true'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Report skipped web tests
        run: echo "No web-related changes detected; skipping web tests."
@ -285,7 +209,7 @@ jobs:
      - check-changes
      - web-tests-run
      - web-tests-skip
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Finalize Web Tests status
        env:
@ -331,7 +255,7 @@ jobs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.e2e-changed != 'true'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Report skipped web full-stack e2e
        run: echo "No E2E-related changes detected; skipping web full-stack E2E."
@ -344,7 +268,7 @@ jobs:
      - check-changes
      - web-e2e-run
      - web-e2e-skip
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Finalize Web Full-Stack E2E status
        env:
@ -396,7 +320,7 @@ jobs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.vdb-changed != 'true'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Report skipped VDB tests
        run: echo "No VDB-related changes detected; skipping VDB tests."
@ -409,7 +333,7 @@ jobs:
      - check-changes
      - vdb-tests-run
      - vdb-tests-skip
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Finalize VDB Tests status
        env:
@ -455,7 +379,7 @@ jobs:
      - pre_job
      - check-changes
    if: needs.pre_job.outputs.should_skip != 'true' && needs.check-changes.outputs.migration-changed != 'true'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Report skipped DB migration tests
        run: echo "No migration-related changes detected; skipping DB migration tests."
@ -468,7 +392,7 @@ jobs:
      - check-changes
      - db-migration-test-run
      - db-migration-test-skip
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Finalize DB Migration Test status
        env:
--- a/.github/workflows/pyrefly-diff-comment.yml
+++ b/.github/workflows/pyrefly-diff-comment.yml
@ -12,7 +12,7 @@ permissions: {}
 jobs:
  comment:
    name: Comment PR with pyrefly diff
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
@ -21,7 +21,7 @@ jobs:
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.pull_requests[0].head.repo.full_name != github.repository }}
    steps:
      - name: Download pyrefly diff artifact
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@ -49,7 +49,7 @@ jobs:
        run: unzip -o pyrefly_diff.zip
      - name: Post comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@ -76,29 +76,13 @@ jobs:
              diff += '\\n\\n... (truncated) ...';
            }
-            if (diff.trim()) {
+            const body = diff.trim()
-              const body = '### Pyrefly Diff\n<details>\n<summary>base → PR</summary>\n\n```diff\n' + diff + '\n```\n</details>';
+              ? '### Pyrefly Diff\n<details>\n<summary>base → PR</summary>\n\n```diff\n' + diff + '\n```\n</details>'
-              const marker = '### Pyrefly Diff';
+              : '### Pyrefly Diff\nNo changes detected.';
              const { data: comments } = await github.rest.issues.listComments({
                issue_number: prNumber,
                owner: context.repo.owner,
                repo: context.repo.repo,
              });
              const existing = comments.find((comment) => comment.body.startsWith(marker));
-              if (existing) {
+            await github.rest.issues.createComment({
-                await github.rest.issues.updateComment({
+              issue_number: prNumber,
-                  comment_id: existing.id,
+              owner: context.repo.owner,
-                  owner: context.repo.owner,
+              repo: context.repo.repo,
-                  repo: context.repo.repo,
+              body,
-                  body,
+            });
                });
              } else {
                await github.rest.issues.createComment({
                  issue_number: prNumber,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  body,
                });
              }
            }
--- a/.github/workflows/pyrefly-diff.yml
+++ b/.github/workflows/pyrefly-diff.yml
@ -10,7 +10,7 @@ permissions:
 jobs:
  pyrefly-diff:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
@ -22,7 +22,7 @@ jobs:
          fetch-depth: 0
      - name: Setup Python & UV
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
@ -66,7 +66,7 @@ jobs:
          echo ${{ github.event.pull_request.number }} > pr_number.txt
      - name: Upload pyrefly diff
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: pyrefly_diff
          path: |
@ -75,7 +75,7 @@ jobs:
      - name: Comment PR with pyrefly diff
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && steps.line_count_check.outputs.same == 'false' }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@ -103,26 +103,9 @@ jobs:
                ].join('\n')
              : '### Pyrefly Diff\nNo changes detected.';
-            const marker = '### Pyrefly Diff';
+            await github.rest.issues.createComment({
            const { data: comments } = await github.rest.issues.listComments({
              issue_number: prNumber,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body,
            });
            const existing = comments.find((comment) => comment.body.startsWith(marker));
            if (existing) {
              await github.rest.issues.updateComment({
                comment_id: existing.id,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                issue_number: prNumber,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            }
--- a/.github/workflows/pyrefly-type-coverage-comment.yml
+++ b/.github/workflows/pyrefly-type-coverage-comment.yml
@ -1,118 +0,0 @@
 name: Comment with Pyrefly Type Coverage
 on:
  workflow_run:
    workflows:
      - Pyrefly Type Coverage
    types:
      - completed
 permissions: {}
 jobs:
  comment:
    name: Comment PR with type coverage
    runs-on: depot-ubuntu-24.04
    permissions:
      actions: read
      contents: read
      issues: write
      pull-requests: write
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.pull_requests[0].head.repo.full_name != github.repository }}
    steps:
      - name: Checkout default branch (trusted code)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Python & UV
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
      - name: Install dependencies
        run: uv sync --project api --dev
      - name: Download type coverage artifact
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{ github.event.workflow_run.id }},
            });
            const match = artifacts.data.artifacts.find((artifact) =>
              artifact.name === 'pyrefly_type_coverage'
            );
            if (!match) {
              throw new Error('pyrefly_type_coverage artifact not found');
            }
            const download = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: match.id,
              archive_format: 'zip',
            });
            fs.writeFileSync('pyrefly_type_coverage.zip', Buffer.from(download.data));
      - name: Unzip artifact
        run: unzip -o pyrefly_type_coverage.zip
      - name: Render coverage markdown from structured data
        id: render
        run: |
          comment_body="$(uv run --directory api python libs/pyrefly_type_coverage.py \
            --base base_report.json \
            < pr_report.json)"
          {
            echo "### Pyrefly Type Coverage"
            echo ""
            echo "$comment_body"
          } > /tmp/type_coverage_comment.md
      - name: Post comment
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const body = fs.readFileSync('/tmp/type_coverage_comment.md', { encoding: 'utf8' });
            let prNumber = null;
            try {
              prNumber = parseInt(fs.readFileSync('pr_number.txt', { encoding: 'utf8' }), 10);
            } catch (err) {
              const prs = context.payload.workflow_run.pull_requests || [];
              if (prs.length > 0 && prs[0].number) {
                prNumber = prs[0].number;
              }
            }
            if (!prNumber) {
              throw new Error('PR number not found in artifact or workflow_run payload');
            }
            // Update existing comment if one exists, otherwise create new
            const { data: comments } = await github.rest.issues.listComments({
              issue_number: prNumber,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
            const marker = '### Pyrefly Type Coverage';
            const existing = comments.find(c => c.body.startsWith(marker));
            if (existing) {
              await github.rest.issues.updateComment({
                comment_id: existing.id,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                issue_number: prNumber,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            }
--- a/.github/workflows/pyrefly-type-coverage.yml
+++ b/.github/workflows/pyrefly-type-coverage.yml
@ -1,120 +0,0 @@
 name: Pyrefly Type Coverage
 on:
  pull_request:
    paths:
      - 'api/**/*.py'
 permissions:
  contents: read
 jobs:
  pyrefly-type-coverage:
    runs-on: depot-ubuntu-24.04
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Python & UV
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          enable-cache: true
      - name: Install dependencies
        run: uv sync --project api --dev
      - name: Run pyrefly report on PR branch
        run: |
          uv run --directory api --dev pyrefly report 2>/dev/null > /tmp/pyrefly_report_pr.tmp && \
            mv /tmp/pyrefly_report_pr.tmp /tmp/pyrefly_report_pr.json || \
            echo '{}' > /tmp/pyrefly_report_pr.json
      - name: Save helper script from base branch
        run: |
          git show ${{ github.event.pull_request.base.sha }}:api/libs/pyrefly_type_coverage.py > /tmp/pyrefly_type_coverage.py 2>/dev/null \
            || cp api/libs/pyrefly_type_coverage.py /tmp/pyrefly_type_coverage.py
      - name: Checkout base branch
        run: git checkout ${{ github.base_ref }}
      - name: Run pyrefly report on base branch
        run: |
          uv run --directory api --dev pyrefly report 2>/dev/null > /tmp/pyrefly_report_base.tmp && \
            mv /tmp/pyrefly_report_base.tmp /tmp/pyrefly_report_base.json || \
            echo '{}' > /tmp/pyrefly_report_base.json
      - name: Generate coverage comparison
        id: coverage
        run: |
          comment_body="$(uv run --directory api python /tmp/pyrefly_type_coverage.py \
            --base /tmp/pyrefly_report_base.json \
            < /tmp/pyrefly_report_pr.json)"
          {
            echo "### Pyrefly Type Coverage"
            echo ""
            echo "$comment_body"
          } | tee -a "$GITHUB_STEP_SUMMARY" > /tmp/type_coverage_comment.md
          # Save structured data for the fork-PR comment workflow
          cp /tmp/pyrefly_report_pr.json pr_report.json
          cp /tmp/pyrefly_report_base.json base_report.json
      - name: Save PR number
        run: |
          echo ${{ github.event.pull_request.number }} > pr_number.txt
      - name: Upload type coverage artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: pyrefly_type_coverage
          path: |
            pr_report.json
            base_report.json
            pr_number.txt
      - name: Comment PR with type coverage
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const marker = '### Pyrefly Type Coverage';
            let body;
            try {
              body = fs.readFileSync('/tmp/type_coverage_comment.md', { encoding: 'utf8' });
            } catch {
              body = `${marker}\n\n_Coverage report unavailable._`;
            }
            const prNumber = context.payload.pull_request.number;
            // Update existing comment if one exists, otherwise create new
            const { data: comments } = await github.rest.issues.listComments({
              issue_number: prNumber,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
            const existing = comments.find(c => c.body.startsWith(marker));
            if (existing) {
              await github.rest.issues.updateComment({
                comment_id: existing.id,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                issue_number: prNumber,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body,
              });
            }
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@ -16,7 +16,7 @@ jobs:
    name: Validate PR title
    permissions:
      pull-requests: read
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Complete merge group check
        if: github.event_name == 'merge_group'
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -12,7 +12,7 @@ on:
 jobs:
  stale:
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
@ -23,8 +23,8 @@ jobs:
          days-before-issue-stale: 15
          days-before-issue-close: 3
          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          stale-issue-message: "Closed due to inactivity. If you have any questions, you can reopen it."
+          stale-issue-message: "Close due to it's no longer active, if you have any questions, you can reopen it."
-          stale-pr-message: "Closed due to inactivity. If you have any questions, you can reopen it."
+          stale-pr-message: "Close due to it's no longer active, if you have any questions, you can reopen it."
          stale-issue-label: 'no-issue-activity'
          stale-pr-label: 'no-pr-activity'
-          any-of-labels: '🌚 invalid,🙋‍♂️ question,wont-fix,no-issue-activity,no-pr-activity,💪 enhancement,🤔 cant-reproduce,🙏 help wanted'
+          any-of-labels: 'duplicate,question,invalid,wontfix,no-issue-activity,no-pr-activity,enhancement,cant-reproduce,help-wanted'
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@ -15,7 +15,7 @@ permissions:
 jobs:
  python-style:
    name: Python Style
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
@ -25,7 +25,7 @@ jobs:
      - name: Check changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            api/**
@ -33,7 +33,7 @@ jobs:
      - name: Setup UV and Python
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: false
          python-version: "3.12"
@ -57,7 +57,7 @@ jobs:
  web-style:
    name: Web Style
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./web
@ -73,13 +73,10 @@ jobs:
      - name: Check changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            web/**
            e2e/**
            sdks/nodejs-client/**
            packages/**
            package.json
            pnpm-lock.yaml
            pnpm-workspace.yaml
@ -94,28 +91,26 @@ jobs:
      - name: Restore ESLint cache
        if: steps.changed-files.outputs.any_changed == 'true'
        id: eslint-cache-restore
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: .eslintcache
+          path: web/.eslintcache
-          key: ${{ runner.os }}-eslint-${{ hashFiles('pnpm-lock.yaml', 'eslint.config.mjs', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-${{ github.sha }}
+          key: ${{ runner.os }}-web-eslint-${{ hashFiles('web/package.json', 'pnpm-lock.yaml', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-${{ github.sha }}
          restore-keys: |
-            ${{ runner.os }}-eslint-${{ hashFiles('pnpm-lock.yaml', 'eslint.config.mjs', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-
+            ${{ runner.os }}-web-eslint-${{ hashFiles('web/package.json', 'pnpm-lock.yaml', 'web/eslint.config.mjs', 'web/eslint.constants.mjs', 'web/plugins/eslint/**') }}-
      - name: Web style check
        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: .
+        working-directory: ./web
        run: vp run lint:ci
      - name: Web tsslint
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ./web
        env:
          NODE_OPTIONS: --max-old-space-size=4096
        run: vp run lint:tss
      - name: Web type check
        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: .
+        working-directory: ./web
        run: vp run type-check
      - name: Web dead code check
@ -125,14 +120,14 @@ jobs:
      - name: Save ESLint cache
        if: steps.changed-files.outputs.any_changed == 'true' && success() && steps.eslint-cache-restore.outputs.cache-hit != 'true'
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: .eslintcache
+          path: web/.eslintcache
          key: ${{ steps.eslint-cache-restore.outputs.cache-primary-key }}
  superlinter:
    name: SuperLinter
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
@ -143,7 +138,7 @@ jobs:
      - name: Check changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          files: |
            **.sh
@ -154,7 +149,7 @@ jobs:
            .editorconfig
      - name: Super-linter
-        uses: super-linter/super-linter/slim@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0
+        uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
        if: steps.changed-files.outputs.any_changed == 'true'
        env:
          BASH_SEVERITY: warning
--- a/.github/workflows/tool-test-sdks.yaml
+++ b/.github/workflows/tool-test-sdks.yaml
@ -17,7 +17,7 @@ concurrency:
 jobs:
  build:
    name: unit test for Node.js SDK
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    defaults:
      run:
@ -29,7 +29,7 @@ jobs:
          persist-credentials: false
      - name: Use Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 22
          cache: ''
--- a/.github/workflows/translate-i18n-claude.yml
+++ b/.github/workflows/translate-i18n-claude.yml
@ -35,7 +35,7 @@ concurrency:
 jobs:
  translate:
    if: github.repository == 'langgenius/dify'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
@ -68,7 +68,89 @@ jobs:
          " web/i18n-config/languages.ts | sed 's/[[:space:]]*$//')
          generate_changes_json() {
-            node .github/scripts/generate-i18n-changes.mjs
+            node <<'NODE'
            const { execFileSync } = require('node:child_process')
            const fs = require('node:fs')
            const path = require('node:path')
            const repoRoot = process.cwd()
            const baseSha = process.env.BASE_SHA || ''
            const headSha = process.env.HEAD_SHA || ''
            const files = (process.env.CHANGED_FILES || '').split(/\s+/).filter(Boolean)
            const englishPath = fileStem => path.join(repoRoot, 'web', 'i18n', 'en-US', `${fileStem}.json`)
            const readCurrentJson = (fileStem) => {
              const filePath = englishPath(fileStem)
              if (!fs.existsSync(filePath))
                return null
              return JSON.parse(fs.readFileSync(filePath, 'utf8'))
            }
            const readBaseJson = (fileStem) => {
              if (!baseSha)
                return null
              try {
                const relativePath = `web/i18n/en-US/${fileStem}.json`
                const content = execFileSync('git', ['show', `${baseSha}:${relativePath}`], { encoding: 'utf8' })
                return JSON.parse(content)
              }
              catch (error) {
                return null
              }
            }
            const compareJson = (beforeValue, afterValue) => JSON.stringify(beforeValue) === JSON.stringify(afterValue)
            const changes = {}
            for (const fileStem of files) {
              const currentJson = readCurrentJson(fileStem)
              const beforeJson = readBaseJson(fileStem) || {}
              const afterJson = currentJson || {}
              const added = {}
              const updated = {}
              const deleted = []
              for (const [key, value] of Object.entries(afterJson)) {
                if (!(key in beforeJson)) {
                  added[key] = value
                  continue
                }
                if (!compareJson(beforeJson[key], value)) {
                  updated[key] = {
                    before: beforeJson[key],
                    after: value,
                  }
                }
              }
              for (const key of Object.keys(beforeJson)) {
                if (!(key in afterJson))
                  deleted.push(key)
              }
              changes[fileStem] = {
                fileDeleted: currentJson === null,
                added,
                updated,
                deleted,
              }
            }
            fs.writeFileSync(
              '/tmp/i18n-changes.json',
              JSON.stringify({
                baseSha,
                headSha,
                files,
                changes,
              })
            )
            NODE
          }
          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
@ -158,7 +240,7 @@ jobs:
      - name: Run Claude Code for Translation Sync
        if: steps.context.outputs.CHANGED_FILES != ''
-        uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1.0.119
+        uses: anthropics/claude-code-action@88c168b39e7e64da0286d812b6e9fbebb6708185 # v1.0.82
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
@ -188,7 +270,7 @@ jobs:
            Tool rules:
            - Use Read for repository files.
            - Use Edit for JSON updates.
-            - Use Bash only for `vp`.
+            - Use Bash only for `pnpm`.
            - Do not use Bash for `git`, `gh`, or branch management.
            Required execution plan:
@ -210,7 +292,7 @@ jobs:
               - Read the current English JSON file for any file that still exists so wording, placeholders, and surrounding terminology stay accurate.
               - If `Structured change set available` is `false`, treat this as a scoped full sync and use the current English files plus scoped checks as the source of truth.
            4. Run a scoped pre-check before editing:
-               - `vp run dify-web#i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }}`
+               - `pnpm --dir ${{ github.workspace }}/web run i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }}`
               - Use this command as the source of truth for missing and extra keys inside the current scope.
            5. Apply translations.
               - For every target language and scoped file:
@ -218,19 +300,19 @@ jobs:
                 - If the locale file does not exist yet, create it with `Write` and then continue with `Edit` as needed.
                 - ADD missing keys.
                 - UPDATE stale translations when the English value changed.
-                 - DELETE removed keys. Prefer `vp run dify-web#i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }} --auto-remove` for extra keys so deletions stay in scope.
+                 - DELETE removed keys. Prefer `pnpm --dir ${{ github.workspace }}/web run i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }} --auto-remove` for extra keys so deletions stay in scope.
               - Preserve placeholders exactly: `{{variable}}`, `${variable}`, HTML tags, component tags, and variable names.
               - Match the existing terminology and register used by each locale.
               - Prefer one Edit per file when stable, but prioritize correctness over batching.
            6. Verify only the edited files.
-               - Run `vp run dify-web#lint:fix --quiet -- <relative edited i18n file paths under web/>`
+               - Run `pnpm --dir ${{ github.workspace }}/web lint:fix --quiet -- <relative edited i18n file paths>`
-               - Run `vp run dify-web#i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }}`
+               - Run `pnpm --dir ${{ github.workspace }}/web run i18n:check ${{ steps.context.outputs.FILE_ARGS }} ${{ steps.context.outputs.LANG_ARGS }}`
               - If verification fails, fix the remaining problems before continuing.
            7. Stop after the scoped locale files are updated and verification passes.
               - Do not create branches, commits, or pull requests.
          claude_args: |
            --max-turns 120
-            --allowedTools "Read,Write,Edit,Bash(vp *),Bash(vp:*),Glob,Grep"
+            --allowedTools "Read,Write,Edit,Bash(pnpm *),Bash(pnpm:*),Glob,Grep"
      - name: Prepare branch metadata
        id: pr_meta
@ -272,7 +354,6 @@ jobs:
      - name: Create or update translation PR
        if: steps.pr_meta.outputs.has_changes == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BRANCH_NAME: ${{ steps.pr_meta.outputs.branch_name }}
          FILES_IN_SCOPE: ${{ steps.context.outputs.CHANGED_FILES }}
          TARGET_LANGS: ${{ steps.context.outputs.TARGET_LANGS }}
@ -321,8 +402,8 @@ jobs:
            '',
            '## Verification',
            '',
-            `- \`vp run dify-web#i18n:check --file ${process.env.FILES_IN_SCOPE} --lang ${process.env.TARGET_LANGS}\``,
+            `- \`pnpm --dir web run i18n:check --file ${process.env.FILES_IN_SCOPE} --lang ${process.env.TARGET_LANGS}\``,
-            `- \`vp run dify-web#lint:fix --quiet -- <edited i18n files under web/>\``,
+            `- \`pnpm --dir web lint:fix --quiet -- <edited i18n files>\``,
            '',
            '## Notes',
            '',
--- a/.github/workflows/trigger-i18n-sync.yml
+++ b/.github/workflows/trigger-i18n-sync.yml
@ -16,7 +16,7 @@ concurrency:
 jobs:
  trigger:
    if: github.repository == 'langgenius/dify'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
@ -42,7 +42,88 @@ jobs:
          fi
          export BASE_SHA HEAD_SHA CHANGED_FILES
-          node .github/scripts/generate-i18n-changes.mjs
+          node <<'NODE'
          const { execFileSync } = require('node:child_process')
          const fs = require('node:fs')
          const path = require('node:path')
          const repoRoot = process.cwd()
          const baseSha = process.env.BASE_SHA || ''
          const headSha = process.env.HEAD_SHA || ''
          const files = (process.env.CHANGED_FILES || '').split(/\s+/).filter(Boolean)
          const englishPath = fileStem => path.join(repoRoot, 'web', 'i18n', 'en-US', `${fileStem}.json`)
          const readCurrentJson = (fileStem) => {
            const filePath = englishPath(fileStem)
            if (!fs.existsSync(filePath))
              return null
            return JSON.parse(fs.readFileSync(filePath, 'utf8'))
          }
          const readBaseJson = (fileStem) => {
            if (!baseSha)
              return null
            try {
              const relativePath = `web/i18n/en-US/${fileStem}.json`
              const content = execFileSync('git', ['show', `${baseSha}:${relativePath}`], { encoding: 'utf8' })
              return JSON.parse(content)
            }
            catch (error) {
              return null
            }
          }
          const compareJson = (beforeValue, afterValue) => JSON.stringify(beforeValue) === JSON.stringify(afterValue)
          const changes = {}
          for (const fileStem of files) {
            const beforeJson = readBaseJson(fileStem) || {}
            const afterJson = readCurrentJson(fileStem) || {}
            const added = {}
            const updated = {}
            const deleted = []
            for (const [key, value] of Object.entries(afterJson)) {
              if (!(key in beforeJson)) {
                added[key] = value
                continue
              }
              if (!compareJson(beforeJson[key], value)) {
                updated[key] = {
                  before: beforeJson[key],
                  after: value,
                }
              }
            }
            for (const key of Object.keys(beforeJson)) {
              if (!(key in afterJson))
                deleted.push(key)
            }
            changes[fileStem] = {
              fileDeleted: readCurrentJson(fileStem) === null,
              added,
              updated,
              deleted,
            }
          }
          fs.writeFileSync(
            '/tmp/i18n-changes.json',
            JSON.stringify({
              baseSha,
              headSha,
              files,
              changes,
            })
          )
          NODE
          if [ -n "$CHANGED_FILES" ]; then
            echo "has_changes=true" >> "$GITHUB_OUTPUT"
@ -56,7 +137,7 @@ jobs:
      - name: Trigger i18n sync workflow
        if: steps.detect.outputs.has_changes == 'true'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          BASE_SHA: ${{ steps.detect.outputs.base_sha }}
          HEAD_SHA: ${{ steps.detect.outputs.head_sha }}
--- a/.github/workflows/vdb-tests-full.yml
+++ b/.github/workflows/vdb-tests-full.yml
@ -16,7 +16,7 @@ jobs:
  test:
    name: Full VDB Tests
    if: github.repository == 'langgenius/dify'
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version:
@ -36,7 +36,7 @@ jobs:
          remove_tool_cache: true
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -51,7 +51,7 @@ jobs:
      - name: Set up dotenvs
        run: |
          cp docker/.env.example docker/.env
-          cp docker/envs/middleware.env.example docker/middleware.env
+          cp docker/middleware.env.example docker/middleware.env
      - name: Expose Service Ports
        run: sh .github/workflows/expose_service_ports.sh
@ -65,7 +65,7 @@ jobs:
 #            tiflash
      - name: Set up Full Vector Store Matrix
-        uses: hoverkraft-tech/compose-action@d2bee4f07e8ca410d6b196d00f90c12e7d48c33a # v2.6.0
+        uses: hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3 # v2.5.0
        with:
          compose-file: |
            docker/docker-compose.yaml
@ -89,7 +89,7 @@ jobs:
          cp api/tests/integration_tests/.env.example api/tests/integration_tests/.env
 #      - name: Check VDB Ready (TiDB)
-#        run: uv run --project api python api/providers/vdb/tidb-vector/tests/integration_tests/check_tiflash_ready.py
+#        run: uv run --project api python api/tests/integration_tests/vdb/tidb_vector/check_tiflash_ready.py
      - name: Test Vector Stores
        run: uv run --project api bash dev/pytest/pytest_vdb.sh
--- a/.github/workflows/vdb-tests.yml
+++ b/.github/workflows/vdb-tests.yml
@ -13,7 +13,7 @@ concurrency:
 jobs:
  test:
    name: VDB Smoke Tests
-    runs-on: depot-ubuntu-24.04
+    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version:
@ -33,7 +33,7 @@ jobs:
          remove_tool_cache: true
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}
@ -48,7 +48,7 @@ jobs:
      - name: Set up dotenvs
        run: |
          cp docker/.env.example docker/.env
-          cp docker/envs/middleware.env.example docker/middleware.env
+          cp docker/middleware.env.example docker/middleware.env
      - name: Expose Service Ports
        run: sh .github/workflows/expose_service_ports.sh
@ -62,7 +62,7 @@ jobs:
 #            tiflash
      - name: Set up Vector Stores for Smoke Coverage
-        uses: hoverkraft-tech/compose-action@d2bee4f07e8ca410d6b196d00f90c12e7d48c33a # v2.6.0
+        uses: hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3 # v2.5.0
        with:
          compose-file: |
            docker/docker-compose.yaml
@ -81,12 +81,12 @@ jobs:
          cp api/tests/integration_tests/.env.example api/tests/integration_tests/.env
 #      - name: Check VDB Ready (TiDB)
-#        run: uv run --project api python api/providers/vdb/tidb-vector/tests/integration_tests/check_tiflash_ready.py
+#        run: uv run --project api python api/tests/integration_tests/vdb/tidb_vector/check_tiflash_ready.py
      - name: Test Vector Stores
        run: |
          uv run --project api pytest --timeout "${PYTEST_TIMEOUT:-180}" \
-            api/providers/vdb/vdb-chroma/tests/integration_tests \
+            api/tests/integration_tests/vdb/chroma \
-            api/providers/vdb/vdb-pgvector/tests/integration_tests \
+            api/tests/integration_tests/vdb/pgvector \
-            api/providers/vdb/vdb-qdrant/tests/integration_tests \
+            api/tests/integration_tests/vdb/qdrant \
-            api/providers/vdb/vdb-weaviate/tests/integration_tests
+            api/tests/integration_tests/vdb/weaviate
--- a/.github/workflows/web-e2e.yml
+++ b/.github/workflows/web-e2e.yml
@ -13,7 +13,7 @@ concurrency:
 jobs:
  test:
    name: Web Full-Stack E2E
-    runs-on: depot-ubuntu-24.04-4
+    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
@ -28,7 +28,7 @@ jobs:
        uses: ./.github/actions/setup-web
      - name: Setup UV and Python
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
          python-version: "3.12"
@ -53,7 +53,7 @@ jobs:
      - name: Upload Cucumber report
        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: cucumber-report
          path: e2e/cucumber-report
@ -61,7 +61,7 @@ jobs:
      - name: Upload E2E logs
        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: e2e-logs
          path: e2e/.logs
--- a/.github/workflows/web-tests.yml
+++ b/.github/workflows/web-tests.yml
@ -16,7 +16,7 @@ concurrency:
 jobs:
  test:
    name: Web Tests (${{ matrix.shardIndex }}/${{ matrix.shardTotal }})
-    runs-on: depot-ubuntu-24.04-4
+    runs-on: ubuntu-latest
    env:
      VITEST_COVERAGE_SCOPE: app-components
    strategy:
@ -43,7 +43,7 @@ jobs:
      - name: Upload blob report
        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: blob-report-${{ matrix.shardIndex }}
          path: web/.vitest-reports/*
@ -54,7 +54,7 @@ jobs:
    name: Merge Test Reports
    if: ${{ !cancelled() }}
    needs: [test]
-    runs-on: depot-ubuntu-24.04-4
+    runs-on: ubuntu-latest
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    defaults:
@ -89,37 +89,3 @@ jobs:
          flags: web
        env:
          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
  dify-ui-test:
    name: dify-ui Tests
    runs-on: depot-ubuntu-24.04-4
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    defaults:
      run:
        shell: bash
        working-directory: ./packages/dify-ui
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Setup web environment
        uses: ./.github/actions/setup-web
      - name: Install Chromium for Browser Mode
        run: vp exec playwright install --with-deps chromium
      - name: Run dify-ui tests
        run: vp test run --coverage --silent=passed-only
      - name: Report coverage
        if: ${{ env.CODECOV_TOKEN != '' }}
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          directory: packages/dify-ui/coverage
          flags: dify-ui
        env:
          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@ -115,12 +115,6 @@ venv/
 ENV/
 env.bak/
 venv.bak/
 # cli/ has a src/env/ module (DIFY_* registry) — don't treat it as a venv
 !/cli/src/env/
 !/cli/src/commands/env/
 # cli/scripts/lib/ holds TS build helpers (resolve-buildinfo etc.) — don't treat as Python lib/
 !/cli/scripts/lib/
 .conda/
 # Spyder project settings
@ -209,7 +203,6 @@ sdks/python-client/dify_client.egg-info
 .vscode/*
 !.vscode/launch.json.template
 !.vscode/settings.example.json
 !.vscode/README.md
 api/.vscode
 # vscode Code History Extension
@ -225,9 +218,6 @@ node_modules
 # plugin migrate
 plugins.jsonl
 # generated API OpenAPI specs
 packages/contracts/openapi/
 # mise
 mise.toml
@ -246,16 +236,9 @@ scripts/stress-test/reports/
 .playwright-mcp/
 .serena/
 # vitest browser mode attachments (failure screenshots, traces, etc.)
 .vitest-attachments/
 **/__screenshots__/
 # settings
 *.local.json
 *.local.md
 *.local.toml
 # Code Agent Folder
 .qoder/*
 .context/*
 .eslintcache
--- a/.npmrc
+++ b/.npmrc
@ -0,0 +1 @@
 save-exact=true
--- a/.vite-hooks/pre-commit
+++ b/.vite-hooks/pre-commit
@ -56,9 +56,70 @@ if $api_modified; then
    fi
 fi
-if $skip_web_checks; then
+if $web_modified; then
-    echo "Git operation in progress, skipping web checks"
+    if $skip_web_checks; then
-    exit 0
+        echo "Git operation in progress, skipping web checks"
-fi
+        exit 0
    fi
-vp staged
+    echo "Running ESLint on web module"
    if git diff --cached --quiet -- 'web/**/*.ts' 'web/**/*.tsx'; then
        web_ts_modified=false
    else
        ts_diff_status=$?
        if [ $ts_diff_status -eq 1 ]; then
            web_ts_modified=true
        else
            echo "Unable to determine staged TypeScript changes (git exit code: $ts_diff_status)."
            exit $ts_diff_status
        fi
    fi
    cd ./web || exit 1
    vp staged
    if $web_ts_modified; then
        echo "Running TypeScript type-check:tsgo"
        if ! pnpm run type-check:tsgo; then
            echo "Type check failed. Please run 'pnpm run type-check:tsgo' to fix the errors."
            exit 1
        fi
    else
        echo "No staged TypeScript changes detected, skipping type-check:tsgo"
    fi
    echo "Running knip"
    if ! pnpm run knip; then
        echo "Knip check failed. Please run 'pnpm run knip' to fix the errors."
        exit 1
    fi
    echo "Running unit tests check"
    modified_files=$(git diff --cached --name-only -- utils | grep -v '\.spec\.ts$' || true)
    if [ -n "$modified_files" ]; then
        for file in $modified_files; do
            test_file="${file%.*}.spec.ts"
            echo "Checking for test file: $test_file"
            # check if the test file exists
            if [ -f "../$test_file" ]; then
                echo "Detected changes in $file, running corresponding unit tests..."
                pnpm run test "../$test_file"
                if [ $? -ne 0 ]; then
                    echo "Unit tests failed. Please fix the errors before committing."
                    exit 1
                fi
                echo "Unit tests for $file passed."
            else
                echo "Warning: $file does not have a corresponding test file."
            fi
        done
        echo "All unit tests for modified web/utils files have passed."
    fi
    cd ../
 fi
--- a/.vscode/launch.json.template
+++ b/.vscode/launch.json.template
@ -2,10 +2,21 @@
    "version": "0.2.0",
    "configurations": [
        {
-            "name": "Python: API (gevent)",
+            "name": "Python: Flask API",
            "type": "debugpy",
            "request": "launch",
-            "program": "${workspaceFolder}/api/app.py",
+            "module": "flask",
            "env": {
                "FLASK_APP": "app.py",
                "FLASK_ENV": "development"
            },
            "args": [
                "run",
                "--host=0.0.0.0",
                "--port=5001",
                "--no-debugger",
                "--no-reload"
            ],
            "jinja": true,
            "justMyCode": true,
            "cwd": "${workspaceFolder}/api",
--- a/AGENTS.md
+++ b/AGENTS.md
@ -9,7 +9,6 @@ The codebase is split into:
 - **Backend API** (`/api`): Python Flask application organized with Domain-Driven Design
 - **Frontend Web** (`/web`): Next.js application using TypeScript and React
 - **Docker deployment** (`/docker`): Containerized deployment configurations
 - **Dify Agent Backend** (`/dify-agent`): Backend services for managing and executing agent
 ## Backend Workflow
@ -31,7 +30,7 @@ The codebase is split into:
 ## Language Style
 - **Python**: Keep type hints on functions and attributes, and implement relevant special methods (e.g., `__repr__`, `__str__`). Prefer `TypedDict` over `dict` or `Mapping` for type safety and better code documentation.
- **TypeScript**: Use the strict config, rely on ESLint (`pnpm lint:fix` preferred) plus `pnpm type-check`, and avoid `any` types.
+- **TypeScript**: Use the strict config, rely on ESLint (`pnpm lint:fix` preferred) plus `pnpm type-check:tsgo`, and avoid `any` types.
 ## General Practices
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -97,3 +97,8 @@ Feel free to reach out if you encounter any issues during the setup process.
 ## Getting Help
 If you ever get stuck or get a burning question while contributing, simply shoot your queries our way via the related GitHub issue, or hop onto our [Discord](https://discord.gg/8Tpq4AcN9c) for a quick chat.
 ## Automated Agent Contributions
 > [!NOTE]
 > If you are an automated agent， just add 🤖🤖🤖 to the end of the PR title to opt-in.
--- a/40
+++ b/40
@ -3,10 +3,6 @@ DOCKER_REGISTRY=langgenius
 WEB_IMAGE=$(DOCKER_REGISTRY)/dify-web
 API_IMAGE=$(DOCKER_REGISTRY)/dify-api
 VERSION=latest
 DOCKER_DIR=docker
 DOCKER_MIDDLEWARE_ENV=$(DOCKER_DIR)/middleware.env
 DOCKER_MIDDLEWARE_ENV_EXAMPLE=$(DOCKER_DIR)/envs/middleware.env.example
 DOCKER_MIDDLEWARE_PROJECT=dify-middlewares-dev
 # Default target - show help
 .DEFAULT_GOAL := help
@ -21,13 +17,8 @@ dev-setup: prepare-docker prepare-web prepare-api
 # Step 1: Prepare Docker middleware
 prepare-docker:
 	@echo "🐳 Setting up Docker middleware..."
-	@if [ ! -f "$(DOCKER_MIDDLEWARE_ENV)" ]; then \
+	@cp -n docker/middleware.env.example docker/middleware.env 2>/dev/null || echo "Docker middleware.env already exists"
-		cp "$(DOCKER_MIDDLEWARE_ENV_EXAMPLE)" "$(DOCKER_MIDDLEWARE_ENV)"; \
+	@cd docker && docker compose -f docker-compose.middleware.yaml --env-file middleware.env -p dify-middlewares-dev up -d
 		echo "Docker middleware.env created"; \
 	else \
 		echo "Docker middleware.env already exists"; \
 	fi
 	@cd $(DOCKER_DIR) && docker compose -f docker-compose.middleware.yaml --env-file middleware.env -p $(DOCKER_MIDDLEWARE_PROJECT) up -d
 	@echo "✅ Docker middleware started"
 # Step 2: Prepare web environment
@ -48,18 +39,12 @@ prepare-api:
 # Clean dev environment
 dev-clean:
 	@echo "⚠️  Stopping Docker containers..."
-	@if [ -f "$(DOCKER_MIDDLEWARE_ENV)" ]; then \
+	@cd docker && docker compose -f docker-compose.middleware.yaml --env-file middleware.env -p dify-middlewares-dev down
 		cd $(DOCKER_DIR) && docker compose -f docker-compose.middleware.yaml --env-file middleware.env -p $(DOCKER_MIDDLEWARE_PROJECT) down; \
 	else \
 		echo "Docker middleware.env does not exist, skipping compose down"; \
 	fi
 	@echo "🗑️  Removing volumes..."
 	@rm -rf docker/volumes/db
 	@rm -rf docker/volumes/mysql
 	@rm -rf docker/volumes/redis
 	@rm -rf docker/volumes/plugin_daemon
 	@rm -rf docker/volumes/weaviate
 	@rm -rf docker/volumes/sandbox/dependencies
 	@rm -rf api/storage
 	@echo "✅ Cleanup complete"
@ -83,15 +68,16 @@ lint:
 	@echo "✅ Linting complete"
 type-check:
-	@echo "📝 Running type checks (pyrefly + mypy)..."
+	@echo "📝 Running type checks (basedpyright + pyrefly + mypy)..."
-	@./dev/pyrefly-check-local $(PATH_TO_CHECK)
+	@./dev/basedpyright-check $(PATH_TO_CHECK)
-	@uv --directory api run mypy --exclude-gitignore --exclude 'tests/' --exclude 'migrations/' --exclude 'dev/generate_swagger_specs.py' --exclude 'dev/generate_fastopenapi_specs.py' --check-untyped-defs --disable-error-code=import-untyped .
+	@./dev/pyrefly-check-local
 	@uv --directory api run mypy --exclude-gitignore --exclude 'tests/' --exclude 'migrations/' --check-untyped-defs --disable-error-code=import-untyped .
 	@echo "✅ Type checks complete"
 type-check-core:
-	@echo "📝 Running core type checks (pyrefly + mypy)..."
+	@echo "📝 Running core type checks (basedpyright + mypy)..."
-	@./dev/pyrefly-check-local $(PATH_TO_CHECK)
+	@./dev/basedpyright-check $(PATH_TO_CHECK)
-	@uv --directory api run mypy --exclude-gitignore --exclude 'tests/' --exclude 'migrations/' --exclude 'dev/generate_swagger_specs.py' --exclude 'dev/generate_fastopenapi_specs.py' --check-untyped-defs --disable-error-code=import-untyped .
+	@uv --directory api run mypy --exclude-gitignore --exclude 'tests/' --exclude 'migrations/' --check-untyped-defs --disable-error-code=import-untyped .
 	@echo "✅ Core type checks complete"
 test:
@ -146,14 +132,14 @@ help:
 	@echo "  make prepare-docker - Set up Docker middleware"
 	@echo "  make prepare-web    - Set up web environment"
 	@echo "  make prepare-api    - Set up API environment"
-	@echo "  make dev-clean      - Stop Docker middleware containers and remove dev data"
+	@echo "  make dev-clean      - Stop Docker middleware containers"
 	@echo ""
 	@echo "Backend Code Quality:"
 	@echo "  make format         - Format code with ruff"
 	@echo "  make check          - Check code with ruff"
 	@echo "  make lint           - Format, fix, and lint code (ruff, imports, dotenv)"
-	@echo "  make type-check     - Run type checks (pyrefly, mypy)"
+	@echo "  make type-check     - Run type checks (basedpyright, pyrefly, mypy)"
-	@echo "  make type-check-core - Run core type checks (pyrefly, mypy)"
+	@echo "  make type-check-core - Run core type checks (basedpyright, mypy)"
 	@echo "  make test           - Run backend unit tests (or TARGET_TESTS=./api/tests/<target_tests>)"
 	@echo ""
 	@echo "Docker Build Targets:"
--- a/README.md
+++ b/README.md
@ -137,7 +137,20 @@ Star Dify on GitHub and be instantly notified of new releases.
 ### Custom configurations
-If you need to customize the configuration, edit `docker/.env`. The essential startup defaults live in [`docker/.env.example`](docker/.env.example), and optional advanced variables are split under `docker/envs/` by theme. After making any changes, re-run `docker compose up -d` from the `docker` directory. You can find the full list of available environment variables [here](https://docs.dify.ai/getting-started/install-self-hosted/environments).
+If you need to customize the configuration, please refer to the comments in our [.env.example](docker/.env.example) file and update the corresponding values in your `.env` file. Additionally, you might need to make adjustments to the `docker-compose.yaml` file itself, such as changing image versions, port mappings, or volume mounts, based on your specific deployment environment and requirements. After making any changes, please re-run `docker compose up -d`. You can find the full list of available environment variables [here](https://docs.dify.ai/getting-started/install-self-hosted/environments).
 #### Customizing Suggested Questions
 You can now customize the "Suggested Questions After Answer" feature to better fit your use case. For example, to generate longer, more technical questions:
 ```bash
 # In your .env file
 SUGGESTED_QUESTIONS_PROMPT='Please help me predict the five most likely technical follow-up questions a developer would ask. Focus on implementation details, best practices, and architecture considerations. Keep each question between 40-60 characters. Output must be JSON array: ["question1","question2","question3","question4","question5"]'
 SUGGESTED_QUESTIONS_MAX_TOKENS=512
 SUGGESTED_QUESTIONS_TEMPERATURE=0.3
 ```
 See the [Suggested Questions Configuration Guide](docs/suggested-questions-configuration.md) for detailed examples and usage instructions.
 ### Metrics Monitoring with Grafana
@ -147,7 +160,7 @@ Import the dashboard to Grafana, using Dify's PostgreSQL database as data source
 ### Deployment with Kubernetes
-If you'd like to configure a highly available setup, there are community-contributed [Helm Charts](https://helm.sh/) and YAML files which allow Dify to be deployed on Kubernetes.
+If you'd like to configure a highly-available setup, there are community-contributed [Helm Charts](https://helm.sh/) and YAML files which allow Dify to be deployed on Kubernetes.
 - [Helm Chart by @LeoQuote](https://github.com/douban/charts/tree/master/charts/dify)
 - [Helm Chart by @BorisPolonsky](https://github.com/BorisPolonsky/dify-helm)
--- a/api/.env.example
+++ b/api/.env.example
@ -33,9 +33,6 @@ TRIGGER_URL=http://localhost:5001
 # The time in seconds after the signature is rejected
 FILES_ACCESS_TIMEOUT=300
 # Collaboration mode toggle
 ENABLE_COLLABORATION_MODE=true
 # Access token expiration time in minutes
 ACCESS_TOKEN_EXPIRE_MINUTES=60
@ -60,9 +57,6 @@ REDIS_SSL_CERTFILE=
 REDIS_SSL_KEYFILE=
 # Path to client private key file for SSL authentication
 REDIS_DB=0
 # Optional global prefix for Redis keys, topics, streams, and Celery Redis transport artifacts.
 # Leave empty to preserve current unprefixed behavior.
 REDIS_KEY_PREFIX=
 # redis Sentinel configuration.
 REDIS_USE_SENTINEL=false
@ -77,21 +71,10 @@ REDIS_USE_CLUSTERS=false
 REDIS_CLUSTERS=
 REDIS_CLUSTERS_PASSWORD=
 REDIS_RETRY_RETRIES=3
 REDIS_RETRY_BACKOFF_BASE=1.0
 REDIS_RETRY_BACKOFF_CAP=10.0
 REDIS_SOCKET_TIMEOUT=5.0
 REDIS_SOCKET_CONNECT_TIMEOUT=5.0
 REDIS_HEALTH_CHECK_INTERVAL=30
 # celery configuration
 CELERY_BROKER_URL=redis://:difyai123456@localhost:${REDIS_PORT}/1
 CELERY_BACKEND=redis
 # Ops trace retry configuration
 OPS_TRACE_RETRYABLE_DISPATCH_MAX_RETRIES=60
 OPS_TRACE_RETRYABLE_DISPATCH_DELAY_SECONDS=5
 # Database configuration
 DB_TYPE=postgresql
 DB_USERNAME=postgres
@ -102,8 +85,6 @@ DB_DATABASE=dify
 SQLALCHEMY_POOL_PRE_PING=true
 SQLALCHEMY_POOL_TIMEOUT=30
 # Connection pool reset behavior on return
 SQLALCHEMY_POOL_RESET_ON_RETURN=rollback
 # Storage configuration
 # use for store upload files, private keys...
@ -121,7 +102,6 @@ S3_BUCKET_NAME=your-bucket-name
 S3_ACCESS_KEY=your-access-key
 S3_SECRET_KEY=your-secret-key
 S3_REGION=your-region
 S3_ADDRESS_STYLE=auto
 # Workflow run and Conversation archive storage (S3-compatible)
 ARCHIVE_STORAGE_ENABLED=false
@ -387,7 +367,7 @@ VIKINGDB_ACCESS_KEY=your-ak
 VIKINGDB_SECRET_KEY=your-sk
 VIKINGDB_REGION=cn-shanghai
 VIKINGDB_HOST=api-vikingdb.xxx.volces.com
-VIKINGDB_SCHEME=http
+VIKINGDB_SCHEMA=http
 VIKINGDB_CONNECTION_TIMEOUT=30
 VIKINGDB_SOCKET_TIMEOUT=30
@ -438,6 +418,8 @@ UPLOAD_FILE_EXTENSION_BLACKLIST=
 # Model configuration
 MULTIMODAL_SEND_FORMAT=base64
 PROMPT_GENERATION_MAX_TOKENS=512
 CODE_GENERATION_MAX_TOKENS=1024
 PLUGIN_BASED_TOKEN_COUNTING_ENABLED=false
 # Mail configuration, support: resend, smtp, sendgrid
@ -557,7 +539,7 @@ MAX_VARIABLE_SIZE=204800
 # GraphEngine Worker Pool Configuration
 # Minimum number of workers per GraphEngine instance (default: 1)
-GRAPH_ENGINE_MIN_WORKERS=3
+GRAPH_ENGINE_MIN_WORKERS=1
 # Maximum number of workers per GraphEngine instance (default: 10)
 GRAPH_ENGINE_MAX_WORKERS=10
 # Queue depth threshold that triggers worker scale up (default: 3)
@ -663,11 +645,6 @@ INNER_API_KEY_FOR_PLUGIN=QaHbTe77CtuXmsfyhR7+vRjI/+XbV1AaFy691iy+kGDv2Jvy0/eAh8Y
 MARKETPLACE_ENABLED=true
 MARKETPLACE_API_URL=https://marketplace.dify.ai
 # Creators Platform configuration
 CREATORS_PLATFORM_FEATURES_ENABLED=true
 CREATORS_PLATFORM_API_URL=https://creators.dify.ai
 CREATORS_PLATFORM_OAUTH_CLIENT_ID=
 # Endpoint configuration
 ENDPOINT_URL_TEMPLATE=http://localhost:5002/e/{hook_id}
@ -718,6 +695,22 @@ SWAGGER_UI_PATH=/swagger-ui.html
 # Set to false to export dataset IDs as plain text for easier cross-environment import
 DSL_EXPORT_ENCRYPT_DATASET_ID=true
 # Suggested Questions After Answer Configuration
 # These environment variables allow customization of the suggested questions feature
 #
 # Custom prompt for generating suggested questions (optional)
 # If not set, uses the default prompt that generates 3 questions under 20 characters each
 # Example: "Please help me predict the five most likely technical follow-up questions a developer would ask. Focus on implementation details, best practices, and architecture considerations. Keep each question between 40-60 characters. Output must be JSON array: [\"question1\",\"question2\",\"question3\",\"question4\",\"question5\"]"
 # SUGGESTED_QUESTIONS_PROMPT=
 # Maximum number of tokens for suggested questions generation (default: 256)
 # Adjust this value for longer questions or more questions
 # SUGGESTED_QUESTIONS_MAX_TOKENS=256
 # Temperature for suggested questions generation (default: 0.0)
 # Higher values (0.5-1.0) produce more creative questions, lower values (0.0-0.3) produce more focused questions
 # SUGGESTED_QUESTIONS_TEMPERATURE=0
 # Tenant isolated task queue configuration
 TENANT_ISOLATED_TASK_CONCURRENCY=1
--- a/api/.ruff.toml
+++ b/api/.ruff.toml
@ -69,6 +69,8 @@ ignore = [
    "FURB152", # math-constant
    "UP007",   # non-pep604-annotation
    "UP032",   # f-string
    "UP045",   # non-pep604-annotation-optional
    "B005",    # strip-with-multi-characters
    "B006",    # mutable-argument-default
    "B007",    # unused-loop-control-variable
    "B026",    # star-arg-unpacking-after-keyword-arg
@ -82,6 +84,7 @@ ignore = [
    "SIM102",  # collapsible-if
    "SIM103",  # needless-bool
    "SIM105",  # suppressible-exception
    "SIM107",  # return-in-try-except-finally
    "SIM108",  # if-else-block-instead-of-if-exp
    "SIM113",  # enumerate-for-loop
    "SIM117",  # multiple-with-statements
@ -90,22 +93,32 @@ ignore = [
 ]
 [lint.per-file-ignores]
 "__init__.py" = [
    "F401", # unused-import
    "F811", # redefined-while-unused
 ]
 "configs/*" = [
    "N802", # invalid-function-name
 ]
 "graphon/model_runtime/callbacks/base_callback.py" = ["T201"]
 "core/workflow/callbacks/workflow_logging_callback.py" = ["T201"]
 "libs/gmpy2_pkcs10aep_cipher.py" = [
    "N803", # invalid-argument-name
 ]
 "tests/*" = [
    "F811", # redefined-while-unused
    "T201", # allow print in tests,
    "S110", # allow ignoring exceptions in tests code (currently)
 ]
 "controllers/console/explore/trial.py" = ["TID251"]
 "controllers/console/human_input_form.py" = ["TID251"]
 "controllers/web/human_input_form.py" = ["TID251"]
 [lint.flake8-tidy-imports]
 [lint.flake8-tidy-imports.banned-api."flask_restx.reqparse"]
 msg = "Use Pydantic payload/query models instead of reqparse."
 [lint.flake8-tidy-imports.banned-api."flask_restx.reqparse.RequestParser"]
 msg = "Use Pydantic payload/query models instead of reqparse."
 [lint.isort]
 known-first-party = ["graphon"]
--- a/api/.vscode/launch.json.example
+++ b/api/.vscode/launch.json.example
@ -3,21 +3,29 @@
    "compounds": [
        {
            "name": "Launch Flask and Celery",
-            "configurations": ["Python: API (gevent)", "Python: Celery"]
+            "configurations": ["Python: Flask", "Python: Celery"]
        }
    ],
    "configurations": [
        {
-            "name": "Python: API (gevent)",
+            "name": "Python: Flask",
-            "consoleName": "API",
+            "consoleName": "Flask",
            "type": "debugpy",
            "request": "launch",
            "python": "${workspaceFolder}/.venv/bin/python",
            "cwd": "${workspaceFolder}",
            "envFile": ".env",
-            "program": "${workspaceFolder}/app.py",
+            "module": "flask",
            "justMyCode": true,
-            "jinja": true
+            "jinja": true,
            "env": {
                "FLASK_APP": "app.py",
                "GEVENT_SUPPORT": "True"
            },
            "args": [
                "run",
                "--port=5001"
            ]
        },
        {
            "name": "Python: Celery",
--- a/api/AGENTS.md
+++ b/api/AGENTS.md
@ -193,10 +193,6 @@ Before opening a PR / submitting:
 - Controllers: parse input via Pydantic, invoke services, return serialised responses; no business logic.
 - Services: coordinate repositories, providers, background tasks; keep side effects explicit.
 - Document non-obvious behaviour with concise docstrings and comments.
 - For Flask-RESTX controller request, query, and response schemas, follow `controllers/API_SCHEMA_GUIDE.md`.
  In short: use Pydantic models, document GET query params with `query_params_from_model(...)`, register response
  DTOs with `register_response_schema_models(...)`, serialize response DTOs with `dump_response(...)`,
  and avoid adding new legacy `ns.model(...)`, `@marshal_with(...)`, or GET `@ns.expect(...)` patterns.
 ### Miscellaneous
--- a/api/Dockerfile
+++ b/api/Dockerfile
@ -21,11 +21,9 @@ RUN apt-get update \
          # for building gmpy2
          libmpfr-dev libmpc-dev
-# Install Python dependencies (workspace members under providers/vdb/)
+# Install Python dependencies
 COPY pyproject.toml uv.lock ./
-COPY providers ./providers
+RUN uv sync --locked --no-dev
 # Trust the checked-in lock during image builds; dev-only path sources live outside the api/ context.
 RUN uv sync --frozen --no-dev
 # production stage
 FROM base AS production
--- a/api/README.md
+++ b/api/README.md
@ -99,13 +99,5 @@ The scripts resolve paths relative to their location, so you can run them from a
   ./dev/reformat               # Run all formatters and linters
   uv run ruff check --fix ./   # Fix linting issues
   uv run ruff format ./        # Format code
-   uv run pyrefly check         # Type checking
+   uv run basedpyright .        # Type checking
   ```
 ## Generate TS stub
 ```
 uv run dev/generate_swagger_specs.py --output-dir openapi
 ```
 use https://jsontotable.org/openapi-to-typescript to convert to typescript
--- a/api/app.py
+++ b/api/app.py
@ -1,6 +1,5 @@
 from __future__ import annotations
 import logging
 import sys
 from typing import TYPE_CHECKING, cast
@ -10,35 +9,17 @@ if TYPE_CHECKING:
    celery: Celery
 HOST = "0.0.0.0"
 PORT = 5001
 logger = logging.getLogger(__name__)
 def is_db_command() -> bool:
    if len(sys.argv) > 1 and sys.argv[0].endswith("flask") and sys.argv[1] == "db":
        return True
    return False
 def log_startup_banner(host: str, port: int) -> None:
    debugger_attached = sys.gettrace() is not None
    logger.info("Serving Dify API via gevent WebSocket server")
    logger.info("Bound to http://%s:%s", host, port)
    logger.info("Debugger attached: %s", "on" if debugger_attached else "off")
    logger.info("Press CTRL+C to quit")
 # create app
 flask_app = None
 socketio_app = None
 if is_db_command():
    from app_factory import create_migrations_app
    app = create_migrations_app()
    socketio_app = app
    flask_app = app
 else:
    # Gunicorn and Celery handle monkey patching automatically in production by
    # specifying the `gevent` worker class. Manual monkey patching is not required here.
@ -49,14 +30,8 @@ else:
    from app_factory import create_app
-    socketio_app, flask_app = create_app()
+    app = create_app()
    app = flask_app
    celery = cast("Celery", app.extensions["celery"])
 if __name__ == "__main__":
-    from gevent import pywsgi
+    app.run(host="0.0.0.0", port=5001)
    from geventwebsocket.handler import WebSocketHandler  # type: ignore[reportMissingTypeStubs]
    log_startup_banner(HOST, PORT)
    server = pywsgi.WSGIServer((HOST, PORT), socketio_app, handler_class=WebSocketHandler)
    server.serve_forever()
--- a/api/app_factory.py
+++ b/api/app_factory.py
@ -1,7 +1,6 @@
 import logging
 import time
 import socketio  # type: ignore[reportMissingTypeStubs]
 from flask import request
 from opentelemetry.trace import get_current_span
 from opentelemetry.trace.span import INVALID_SPAN_ID, INVALID_TRACE_ID
@ -11,7 +10,6 @@ from contexts.wrapper import RecyclableContextVar
 from controllers.console.error import UnauthorizedAndForceLogout
 from core.logging.context import init_request_context
 from dify_app import DifyApp
 from extensions.ext_socketio import sio
 from services.enterprise.enterprise_service import EnterpriseService
 from services.feature_service import LicenseStatus
@ -117,25 +115,21 @@ def create_flask_app_with_configs() -> DifyApp:
            logger.warning("Failed to add trace headers to response", exc_info=True)
        return response
-    # Capture the decorator return values so static checkers do not treat the hooks as unused.
+    # Capture the decorator's return value to avoid pyright reportUnusedFunction
    _ = before_request
    _ = add_trace_headers
    return dify_app
-def create_app() -> tuple[socketio.WSGIApp, DifyApp]:
+def create_app() -> DifyApp:
    start_time = time.perf_counter()
    app = create_flask_app_with_configs()
    initialize_extensions(app)
    sio.app = app
    socketio_app = socketio.WSGIApp(sio, app)
    end_time = time.perf_counter()
    if dify_config.DEBUG:
        logger.info("Finished create_app (%s ms)", round((end_time - start_time) * 1000, 2))
-    return socketio_app, app
+    return app
 def initialize_extensions(app: DifyApp):
@ -159,7 +153,6 @@ def initialize_extensions(app: DifyApp):
        ext_logstore,
        ext_mail,
        ext_migrate,
        ext_oauth_bearer,
        ext_orjson,
        ext_otel,
        ext_proxy_fix,
@ -182,6 +175,7 @@ def initialize_extensions(app: DifyApp):
        ext_import_modules,
        ext_orjson,
        ext_forward_refs,
        ext_set_secretkey,
        ext_compress,
        ext_code_based_extension,
        ext_database,
@ -189,7 +183,6 @@ def initialize_extensions(app: DifyApp):
        ext_migrate,
        ext_redis,
        ext_storage,
        ext_set_secretkey,
        ext_logstore,  # Initialize logstore after storage, before celery
        ext_celery,
        ext_login,
@ -204,7 +197,6 @@ def initialize_extensions(app: DifyApp):
        ext_enterprise_telemetry,
        ext_request_logging,
        ext_session_factory,
        ext_oauth_bearer,
    ]
    for ext in extensions:
        short_name = ext.__name__.split(".")[-1]
--- a/api/celery_healthcheck.py
+++ b/api/celery_healthcheck.py
@ -1,18 +0,0 @@
 # This module provides a lightweight Celery instance for use in Docker health checks.
 # Unlike celery_entrypoint.py, this does NOT import app.py and therefore avoids
 # initializing all Flask extensions (DB, Redis, storage, blueprints, etc.).
 # Using this module keeps the health check fast and low-cost.
 from celery import Celery
 from configs import dify_config
 from extensions.ext_celery import get_celery_broker_transport_options, get_celery_ssl_options
 celery = Celery(broker=dify_config.CELERY_BROKER_URL)
 broker_transport_options = get_celery_broker_transport_options()
 if broker_transport_options:
    celery.conf.update(broker_transport_options=broker_transport_options)
 ssl_options = get_celery_ssl_options()
 if ssl_options:
    celery.conf.update(broker_use_ssl=ssl_options)
--- a/api/commands/account.py
+++ b/api/commands/account.py
@ -2,7 +2,7 @@ import base64
 import secrets
 import click
-from sqlalchemy.orm import Session
+from sqlalchemy.orm import sessionmaker
 from constants.languages import languages
 from extensions.ext_database import db
@ -25,32 +25,30 @@ def reset_password(email, new_password, password_confirm):
        return
    normalized_email = email.strip().lower()
-    account = AccountService.get_account_by_email_with_case_fallback(email.strip())
+    with sessionmaker(db.engine, expire_on_commit=False).begin() as session:
        account = AccountService.get_account_by_email_with_case_fallback(email.strip(), session=session)
-    if not account:
+        if not account:
-        click.echo(click.style(f"Account not found for email: {email}", fg="red"))
+            click.echo(click.style(f"Account not found for email: {email}", fg="red"))
-        return
+            return
-    try:
+        try:
-        valid_password(new_password)
+            valid_password(new_password)
-    except:
+        except:
-        click.echo(click.style(f"Invalid password. Must match {password_pattern}", fg="red"))
+            click.echo(click.style(f"Invalid password. Must match {password_pattern}", fg="red"))
-        return
+            return
-    # generate password salt
+        # generate password salt
-    salt = secrets.token_bytes(16)
+        salt = secrets.token_bytes(16)
-    base64_salt = base64.b64encode(salt).decode()
+        base64_salt = base64.b64encode(salt).decode()
-    # encrypt password with salt
+        # encrypt password with salt
-    password_hashed = hash_password(new_password, salt)
+        password_hashed = hash_password(new_password, salt)
-    base64_password_hashed = base64.b64encode(password_hashed).decode()
+        base64_password_hashed = base64.b64encode(password_hashed).decode()
    with Session(db.engine) as session:
        account = session.merge(account)
        account.password = base64_password_hashed
        account.password_salt = base64_salt
-        session.commit()
+        AccountService.reset_login_error_rate_limit(normalized_email)
-    AccountService.reset_login_error_rate_limit(normalized_email)
+        click.echo(click.style("Password reset successfully.", fg="green"))
    click.echo(click.style("Password reset successfully.", fg="green"))
@click.command("reset-email", help="Reset the account email.")
@ -67,23 +65,21 @@ def reset_email(email, new_email, email_confirm):
        return
    normalized_new_email = new_email.strip().lower()
-    account = AccountService.get_account_by_email_with_case_fallback(email.strip())
+    with sessionmaker(db.engine, expire_on_commit=False).begin() as session:
        account = AccountService.get_account_by_email_with_case_fallback(email.strip(), session=session)
-    if not account:
+        if not account:
-        click.echo(click.style(f"Account not found for email: {email}", fg="red"))
+            click.echo(click.style(f"Account not found for email: {email}", fg="red"))
-        return
+            return
-    try:
+        try:
-        email_validate(normalized_new_email)
+            email_validate(normalized_new_email)
-    except:
+        except:
-        click.echo(click.style(f"Invalid email: {new_email}", fg="red"))
+            click.echo(click.style(f"Invalid email: {new_email}", fg="red"))
-        return
+            return
    with Session(db.engine) as session:
        account = session.merge(account)
        account.email = normalized_new_email
-        session.commit()
+        click.echo(click.style("Email updated successfully.", fg="green"))
    click.echo(click.style("Email updated successfully.", fg="green"))
@click.command("create-tenant", help="Create account and tenant.")
@ -113,18 +109,8 @@ def create_tenant(email: str, language: str | None = None, name: str | None = No
    # Validates name encoding for non-Latin characters.
    name = name.strip().encode("utf-8").decode("utf-8") if name else None
-    # Generate a random password that satisfies the password policy.
+    # generate random password
-    # The iteration limit guards against infinite loops caused by unexpected bugs in valid_password.
+    new_password = secrets.token_urlsafe(16)
    for _ in range(100):
        new_password = secrets.token_urlsafe(16)
        try:
            valid_password(new_password)
            break
        except Exception:
            continue
    else:
        click.echo(click.style("Failed to generate a valid password. Please try again.", fg="red"))
        return
    # register account
    account = RegisterService.register(
--- a/api/commands/plugin.py
+++ b/api/commands/plugin.py
@ -11,7 +11,7 @@ from configs import dify_config
 from core.helper import encrypter
 from core.plugin.entities.plugin_daemon import CredentialType
 from core.plugin.impl.plugin import PluginInstaller
-from core.tools.utils.system_encryption import encrypt_system_params
+from core.tools.utils.system_oauth_encryption import encrypt_system_oauth_params
 from extensions.ext_database import db
 from models import Tenant
 from models.oauth import DatasourceOauthParamConfig, DatasourceProvider
@ -44,7 +44,7 @@ def setup_system_tool_oauth_client(provider, client_params):
        click.echo(click.style(f"Encrypting client params: {client_params}", fg="yellow"))
        click.echo(click.style(f"Using SECRET_KEY: `{dify_config.SECRET_KEY}`", fg="yellow"))
-        oauth_client_params = encrypt_system_params(client_params_dict)
+        oauth_client_params = encrypt_system_oauth_params(client_params_dict)
        click.echo(click.style("Client params encrypted successfully.", fg="green"))
    except Exception as e:
        click.echo(click.style(f"Error parsing client params: {str(e)}", fg="red"))
@ -94,7 +94,7 @@ def setup_system_trigger_oauth_client(provider, client_params):
        click.echo(click.style(f"Encrypting client params: {client_params}", fg="yellow"))
        click.echo(click.style(f"Using SECRET_KEY: `{dify_config.SECRET_KEY}`", fg="yellow"))
-        oauth_client_params = encrypt_system_params(client_params_dict)
+        oauth_client_params = encrypt_system_oauth_params(client_params_dict)
        click.echo(click.style("Client params encrypted successfully.", fg="green"))
    except Exception as e:
        click.echo(click.style(f"Error parsing client params: {str(e)}", fg="red"))
@ -185,9 +185,9 @@ def transform_datasource_credentials(environment: str):
        firecrawl_plugin_id = "langgenius/firecrawl_datasource"
        jina_plugin_id = "langgenius/jina_datasource"
        if environment == "online":
-            notion_plugin_unique_identifier = plugin_migration._fetch_plugin_unique_identifier(notion_plugin_id)
+            notion_plugin_unique_identifier = plugin_migration._fetch_plugin_unique_identifier(notion_plugin_id)  # pyright: ignore[reportPrivateUsage]
-            firecrawl_plugin_unique_identifier = plugin_migration._fetch_plugin_unique_identifier(firecrawl_plugin_id)
+            firecrawl_plugin_unique_identifier = plugin_migration._fetch_plugin_unique_identifier(firecrawl_plugin_id)  # pyright: ignore[reportPrivateUsage]
-            jina_plugin_unique_identifier = plugin_migration._fetch_plugin_unique_identifier(jina_plugin_id)
+            jina_plugin_unique_identifier = plugin_migration._fetch_plugin_unique_identifier(jina_plugin_id)  # pyright: ignore[reportPrivateUsage]
        else:
            notion_plugin_unique_identifier = None
            firecrawl_plugin_unique_identifier = None
--- a/api/commands/retention.py
+++ b/api/commands/retention.py
@ -1,7 +1,7 @@
 import datetime
 import logging
 import time
-from typing import TypedDict
+from typing import Any
 import click
 import sqlalchemy as sa
@ -503,19 +503,7 @@ def _find_orphaned_draft_variables(batch_size: int = 1000) -> list[str]:
        return [row[0] for row in result]
-class _AppOrphanCounts(TypedDict):
+def _count_orphaned_draft_variables() -> dict[str, Any]:
    variables: int
    files: int
 class OrphanedDraftVariableStatsDict(TypedDict):
    total_orphaned_variables: int
    total_orphaned_files: int
    orphaned_app_count: int
    orphaned_by_app: dict[str, _AppOrphanCounts]
 def _count_orphaned_draft_variables() -> OrphanedDraftVariableStatsDict:
    """
    Count orphaned draft variables by app, including associated file counts.
@ -538,7 +526,7 @@ def _count_orphaned_draft_variables() -> OrphanedDraftVariableStatsDict:
    with db.engine.connect() as conn:
        result = conn.execute(sa.text(variables_query))
-        orphaned_by_app: dict[str, _AppOrphanCounts] = {}
+        orphaned_by_app = {}
        total_files = 0
        for row in result:
--- a/api/commands/system.py
+++ b/api/commands/system.py
@ -14,7 +14,6 @@ from libs.rsa import generate_key_pair
 from models import Tenant
 from models.model import App, AppMode, Conversation
 from models.provider import Provider, ProviderModel
 from models.tools import ApiToolProvider, BuiltinToolProvider, MCPToolProvider
 logger = logging.getLogger(__name__)
@ -24,16 +23,13 @@ DB_UPGRADE_LOCK_TTL_SECONDS = 60
@click.command(
    "reset-encrypt-key-pair",
    help="Reset the asymmetric key pair of workspace for encrypt LLM credentials. "
-    "After the reset, all LLM credentials and tool provider credentials "
+    "After the reset, all LLM credentials will become invalid, "
-    "(builtin / API / MCP) will be purged, requiring re-entry. "
+    "requiring re-entry."
    "Only support SELF_HOSTED mode.",
 )
@click.confirmation_option(
    prompt=click.style(
-        "Are you sure you want to reset encrypt key pair? "
+        "Are you sure you want to reset encrypt key pair? This operation cannot be rolled back!", fg="red"
        "This will also purge builtin / API / MCP tool provider records for every tenant. "
        "This operation cannot be rolled back!",
        fg="red",
    )
 )
 def reset_encrypt_key_pair():
@ -57,13 +53,6 @@ def reset_encrypt_key_pair():
            session.execute(delete(Provider).where(Provider.provider_type == "custom", Provider.tenant_id == tenant.id))
            session.execute(delete(ProviderModel).where(ProviderModel.tenant_id == tenant.id))
            # Purge tool provider records that hold credentials encrypted under the
            # tenant key. Leaving them in place causes /console/api/workspaces/current/
            # tool-providers to 500 because decryption fails on stale ciphertext (#35396).
            session.execute(delete(BuiltinToolProvider).where(BuiltinToolProvider.tenant_id == tenant.id))
            session.execute(delete(ApiToolProvider).where(ApiToolProvider.tenant_id == tenant.id))
            session.execute(delete(MCPToolProvider).where(MCPToolProvider.tenant_id == tenant.id))
            click.echo(
                click.style(
                    f"Congratulations! The asymmetric key pair of workspace {tenant.id} has been reset.",
--- a/api/commands/vector.py
+++ b/api/commands/vector.py
@ -341,10 +341,11 @@ def add_qdrant_index(field: str):
            click.echo(click.style("No dataset collection bindings found.", fg="red"))
            return
        import qdrant_client
        from dify_vdb_qdrant.qdrant_vector import PathQdrantParams, QdrantConfig
        from qdrant_client.http.exceptions import UnexpectedResponse
        from qdrant_client.http.models import PayloadSchemaType
        from core.rag.datasource.vdb.qdrant.qdrant_vector import PathQdrantParams, QdrantConfig
        for binding in bindings:
            if dify_config.QDRANT_URL is None:
                raise ValueError("Qdrant URL is required.")
--- a/api/configs/enterprise/init.py
+++ b/api/configs/enterprise/init.py
@ -23,12 +23,6 @@ class EnterpriseFeatureConfig(BaseSettings):
        ge=1, description="Maximum timeout in seconds for enterprise requests", default=5
    )
    ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK: bool = Field(
        default=False,
        description="If disabled, credential policy check is only performed when saving workflows."
        "This helps gain runtime performance by trading off consistency.",
    )
 class EnterpriseTelemetryConfig(BaseSettings):
    """
--- a/api/configs/feature/init.py
+++ b/api/configs/feature/init.py
@ -23,9 +23,9 @@ class SecurityConfig(BaseSettings):
    """
    SECRET_KEY: str = Field(
-        description="Secret key for secure session cookie signing. "
+        description="Secret key for secure session cookie signing."
-        "Leave empty to let Dify generate a persistent key in the storage directory, "
+        "Make sure you are changing this key for your deployment with a strong key."
-        "or set a strong value via the `SECRET_KEY` environment variable.",
+        "Generate a strong key using `openssl rand -base64 42` or set via the `SECRET_KEY` environment variable.",
        default="",
    )
@ -287,27 +287,6 @@ class MarketplaceConfig(BaseSettings):
    )
 class CreatorsPlatformConfig(BaseSettings):
    """
    Configuration for Creators Platform integration
    """
    CREATORS_PLATFORM_FEATURES_ENABLED: bool = Field(
        description="Enable or disable Creators Platform features",
        default=True,
    )
    CREATORS_PLATFORM_API_URL: HttpUrl = Field(
        description="Creators Platform API URL",
        default=HttpUrl("https://creators.dify.ai"),
    )
    CREATORS_PLATFORM_OAUTH_CLIENT_ID: str = Field(
        description="OAuth client ID for Creators Platform integration",
        default="",
    )
 class EndpointConfig(BaseSettings):
    """
    Configuration for various application endpoints and URLs
@ -520,44 +499,6 @@ class HttpConfig(BaseSettings):
    def WEB_API_CORS_ALLOW_ORIGINS(self) -> list[str]:
        return self.inner_WEB_API_CORS_ALLOW_ORIGINS.split(",")
    OPENAPI_ENABLED: bool = Field(
        description=(
            "Enable the /openapi/v1/* endpoint group used by difyctl and other "
            "programmatic clients. Set to true to activate; disabled by default."
        ),
        validation_alias=AliasChoices("OPENAPI_ENABLED"),
        default=False,
    )
    inner_OPENAPI_CORS_ALLOW_ORIGINS: str = Field(
        description=(
            "Comma-separated allowlist for /openapi/v1/* CORS. "
            "Default empty = same-origin only. Browser-cookie routes within "
            "the group reject cross-origin OPTIONS regardless of this list."
        ),
        validation_alias=AliasChoices("OPENAPI_CORS_ALLOW_ORIGINS"),
        default="",
    )
    @computed_field
    def OPENAPI_CORS_ALLOW_ORIGINS(self) -> list[str]:
        return [o for o in self.inner_OPENAPI_CORS_ALLOW_ORIGINS.split(",") if o]
    inner_OPENAPI_KNOWN_CLIENT_IDS: str = Field(
        description=(
            "Comma-separated client_id values accepted at "
            "POST /openapi/v1/oauth/device/code. New CLIs / SDKs added here "
            "without code changes. Unknown client_id returns 400 unsupported_client."
        ),
        validation_alias=AliasChoices("OPENAPI_KNOWN_CLIENT_IDS"),
        default="difyctl",
    )
    @computed_field  # type: ignore[misc]
    @property
    def OPENAPI_KNOWN_CLIENT_IDS(self) -> frozenset[str]:
        return frozenset(c for c in self.inner_OPENAPI_KNOWN_CLIENT_IDS.split(",") if c)
    HTTP_REQUEST_MAX_CONNECT_TIMEOUT: int = Field(
        ge=1, description="Maximum connection timeout in seconds for HTTP requests", default=10
    )
@ -799,7 +740,7 @@ class WorkflowConfig(BaseSettings):
    # GraphEngine Worker Pool Configuration
    GRAPH_ENGINE_MIN_WORKERS: PositiveInt = Field(
        description="Minimum number of workers per GraphEngine instance",
-        default=3,
+        default=1,
    )
    GRAPH_ENGINE_MAX_WORKERS: PositiveInt = Field(
@ -933,17 +874,6 @@ class AuthConfig(BaseSettings):
        default=86400,
    )
    ENABLE_OAUTH_BEARER: bool = Field(
        description="Enable OAuth bearer authentication (device-flow + Service API /v1/* bearer middleware).",
        default=True,
    )
    OPENAPI_RATE_LIMIT_PER_TOKEN: PositiveInt = Field(
        description="Per-token rate limit on /openapi/v1/* (requests per minute). "
        "Bucket keyed on sha256(token), shared across api replicas via Redis.",
        default=60,
    )
 class ModerationConfig(BaseSettings):
    """
@ -1186,18 +1116,6 @@ class MultiModalTransferConfig(BaseSettings):
    )
 class OpsTraceConfig(BaseSettings):
    OPS_TRACE_RETRYABLE_DISPATCH_MAX_RETRIES: PositiveInt = Field(
        description="Maximum retry attempts for transient ops trace provider dispatch failures.",
        default=60,
    )
    OPS_TRACE_RETRYABLE_DISPATCH_DELAY_SECONDS: PositiveInt = Field(
        description="Delay in seconds between transient ops trace provider dispatch retry attempts.",
        default=5,
    )
 class CeleryBeatConfig(BaseSettings):
    CELERY_BEAT_SCHEDULER_TIME: int = Field(
        description="Interval in days for Celery Beat scheduler execution, default to 1 day",
@ -1230,14 +1148,6 @@ class CeleryScheduleTasksConfig(BaseSettings):
        description="Enable scheduled workflow run cleanup task",
        default=False,
    )
    ENABLE_CLEAN_OAUTH_ACCESS_TOKENS_TASK: bool = Field(
        description="Enable scheduled cleanup of revoked/expired OAuth access-token rows past retention.",
        default=True,
    )
    OAUTH_ACCESS_TOKEN_RETENTION_DAYS: PositiveInt = Field(
        description="Days to retain revoked OAuth access-token rows before deletion.",
        default=30,
    )
    ENABLE_MAIL_CLEAN_DOCUMENT_NOTIFY_TASK: bool = Field(
        description="Enable mail clean document notify task",
        default=False,
@ -1364,13 +1274,6 @@ class PositionConfig(BaseSettings):
        return {item.strip() for item in self.POSITION_TOOL_EXCLUDES.split(",") if item.strip() != ""}
 class CollaborationConfig(BaseSettings):
    ENABLE_COLLABORATION_MODE: bool = Field(
        description="Whether to enable collaboration mode features across the workspace",
        default=True,
    )
 class LoginConfig(BaseSettings):
    ENABLE_EMAIL_CODE_LOGIN: bool = Field(
        description="whether to enable email code login",
@ -1469,7 +1372,6 @@ class FeatureConfig(
    AuthConfig,  # Changed from OAuthConfig to AuthConfig
    BillingConfig,
    CodeExecutionSandboxConfig,
    CreatorsPlatformConfig,
    TriggerConfig,
    AsyncWorkflowConfig,
    PluginConfig,
@ -1486,7 +1388,6 @@ class FeatureConfig(
    ModelLoadBalanceConfig,
    ModerationConfig,
    MultiModalTransferConfig,
    OpsTraceConfig,
    PositionConfig,
    RagEtlConfig,
    RepositoryConfig,
@ -1498,7 +1399,6 @@ class FeatureConfig(
    WorkflowConfig,
    WorkflowNodeExecutionConfig,
    WorkspaceConfig,
    CollaborationConfig,
    LoginConfig,
    AccountConfig,
    SwaggerUIConfig,
--- a/api/configs/middleware/init.py
+++ b/api/configs/middleware/init.py
@ -1,5 +1,5 @@
 import os
-from typing import Any, Literal, TypedDict, cast
+from typing import Any, Literal
 from urllib.parse import parse_qsl, quote_plus
 from pydantic import Field, NonNegativeFloat, NonNegativeInt, PositiveFloat, PositiveInt, computed_field
@ -50,30 +50,28 @@ from .vdb.vastbase_vector_config import VastbaseVectorConfig
 from .vdb.vikingdb_config import VikingDBConfig
 from .vdb.weaviate_config import WeaviateConfig
 _VALID_STORAGE_TYPE = Literal[
    "opendal",
    "s3",
    "aliyun-oss",
    "azure-blob",
    "baidu-obs",
    "clickzetta-volume",
    "google-storage",
    "huawei-obs",
    "oci-storage",
    "tencent-cos",
    "volcengine-tos",
    "supabase",
    "local",
 ]
 class StorageConfig(BaseSettings):
-    STORAGE_TYPE: _VALID_STORAGE_TYPE = Field(
+    STORAGE_TYPE: Literal[
        "opendal",
        "s3",
        "aliyun-oss",
        "azure-blob",
        "baidu-obs",
        "clickzetta-volume",
        "google-storage",
        "huawei-obs",
        "oci-storage",
        "tencent-cos",
        "volcengine-tos",
        "supabase",
        "local",
    ] = Field(
        description="Type of storage to use."
        " Options: 'opendal', '(deprecated) local', 's3', 'aliyun-oss', 'azure-blob', 'baidu-obs', "
        "'clickzetta-volume', 'google-storage', 'huawei-obs', 'oci-storage', 'tencent-cos', "
        "'volcengine-tos', 'supabase'. Default is 'opendal'.",
-        default=cast(_VALID_STORAGE_TYPE, "opendal"),
+        default="opendal",
    )
    STORAGE_LOCAL_PATH: str = Field(
@ -109,17 +107,6 @@ class KeywordStoreConfig(BaseSettings):
    )
 class SQLAlchemyEngineOptionsDict(TypedDict):
    pool_size: int
    max_overflow: int
    pool_recycle: int
    pool_pre_ping: bool
    connect_args: dict[str, str]
    pool_use_lifo: bool
    pool_reset_on_return: Literal["commit", "rollback", None]
    pool_timeout: int
 class DatabaseConfig(BaseSettings):
    # Database type selector
    DB_TYPE: Literal["postgresql", "mysql", "oceanbase", "seekdb"] = Field(
@ -162,16 +149,6 @@ class DatabaseConfig(BaseSettings):
        default="",
    )
    DB_SESSION_TIMEZONE_OVERRIDE: str = Field(
        description=(
            "PostgreSQL session timezone override injected via startup options."
            " Default is 'UTC' for out-of-the-box consistency."
            " Set to empty string to disable app-level timezone injection, for example when using RDS Proxy"
            " together with a database-side default timezone."
        ),
        default="UTC",
    )
    @computed_field  # type: ignore[prop-decorator]
    @property
    def SQLALCHEMY_DATABASE_URI_SCHEME(self) -> str:
@ -225,11 +202,6 @@ class DatabaseConfig(BaseSettings):
        default=30,
    )
    SQLALCHEMY_POOL_RESET_ON_RETURN: Literal["commit", "rollback", None] = Field(
        description="Connection pool reset behavior on return. Options: 'commit', 'rollback', or None",
        default="rollback",
    )
    RETRIEVAL_SERVICE_EXECUTORS: NonNegativeInt = Field(
        description="Number of processes for the retrieval service, default to CPU cores.",
        default=os.cpu_count() or 1,
@ -237,32 +209,30 @@ class DatabaseConfig(BaseSettings):
    @computed_field  # type: ignore[prop-decorator]
    @property
-    def SQLALCHEMY_ENGINE_OPTIONS(self) -> SQLAlchemyEngineOptionsDict:
+    def SQLALCHEMY_ENGINE_OPTIONS(self) -> dict[str, Any]:
        # Parse DB_EXTRAS for 'options'
        db_extras_dict = dict(parse_qsl(self.DB_EXTRAS))
        options = db_extras_dict.get("options", "")
-        connect_args: dict[str, str] = {}
+        connect_args = {}
        # Use the dynamic SQLALCHEMY_DATABASE_URI_SCHEME property
        if self.SQLALCHEMY_DATABASE_URI_SCHEME.startswith("postgresql"):
-            merged_options = options.strip()
+            timezone_opt = "-c timezone=UTC"
-            session_timezone_override = self.DB_SESSION_TIMEZONE_OVERRIDE.strip()
+            if options:
-            if session_timezone_override:
+                merged_options = f"{options} {timezone_opt}"
-                timezone_opt = f"-c timezone={session_timezone_override}"
+            else:
-                merged_options = f"{merged_options} {timezone_opt}".strip() if merged_options else timezone_opt
+                merged_options = timezone_opt
-            if merged_options:
+            connect_args = {"options": merged_options}
                connect_args = {"options": merged_options}
-        result: SQLAlchemyEngineOptionsDict = {
+        return {
            "pool_size": self.SQLALCHEMY_POOL_SIZE,
            "max_overflow": self.SQLALCHEMY_MAX_OVERFLOW,
            "pool_recycle": self.SQLALCHEMY_POOL_RECYCLE,
            "pool_pre_ping": self.SQLALCHEMY_POOL_PRE_PING,
            "connect_args": connect_args,
            "pool_use_lifo": self.SQLALCHEMY_POOL_USE_LIFO,
-            "pool_reset_on_return": self.SQLALCHEMY_POOL_RESET_ON_RETURN,
+            "pool_reset_on_return": None,
            "pool_timeout": self.SQLALCHEMY_POOL_TIMEOUT,
        }
        return result
 class CeleryConfig(DatabaseConfig):
--- a/api/configs/middleware/cache/redis_config.py
+++ b/api/configs/middleware/cache/redis_config.py
@ -32,11 +32,6 @@ class RedisConfig(BaseSettings):
        default=0,
    )
    REDIS_KEY_PREFIX: str = Field(
        description="Optional global prefix for Redis keys, topics, and transport artifacts",
        default="",
    )
    REDIS_USE_SSL: bool = Field(
        description="Enable SSL/TLS for the Redis connection",
        default=False,
@ -122,37 +117,6 @@ class RedisConfig(BaseSettings):
        default=None,
    )
    REDIS_RETRY_RETRIES: NonNegativeInt = Field(
        description="Maximum number of retries per Redis command on "
        "transient failures (ConnectionError, TimeoutError, socket.timeout)",
        default=3,
    )
    REDIS_RETRY_BACKOFF_BASE: PositiveFloat = Field(
        description="Base delay in seconds for exponential backoff between retries",
        default=1.0,
    )
    REDIS_RETRY_BACKOFF_CAP: PositiveFloat = Field(
        description="Maximum backoff delay in seconds between retries",
        default=10.0,
    )
    REDIS_SOCKET_TIMEOUT: PositiveFloat | None = Field(
        description="Socket timeout in seconds for Redis read/write operations",
        default=5.0,
    )
    REDIS_SOCKET_CONNECT_TIMEOUT: PositiveFloat | None = Field(
        description="Socket timeout in seconds for Redis connection establishment",
        default=5.0,
    )
    REDIS_HEALTH_CHECK_INTERVAL: NonNegativeInt = Field(
        description="Interval in seconds between Redis connection health checks (0 to disable)",
        default=30,
    )
    @field_validator("REDIS_MAX_CONNECTIONS", mode="before")
    @classmethod
    def _empty_string_to_none_for_max_conns(cls, v):
--- a/api/configs/middleware/vdb/hologres_config.py
+++ b/api/configs/middleware/vdb/hologres_config.py
@ -1,3 +1,4 @@
 from holo_search_sdk.types import BaseQuantizationType, DistanceType, TokenizerType
 from pydantic import Field
 from pydantic_settings import BaseSettings
@ -41,17 +42,17 @@ class HologresConfig(BaseSettings):
        default="public",
    )
-    HOLOGRES_TOKENIZER: str = Field(
+    HOLOGRES_TOKENIZER: TokenizerType = Field(
        description="Tokenizer for full-text search index (e.g., 'jieba', 'ik', 'standard', 'simple').",
        default="jieba",
    )
-    HOLOGRES_DISTANCE_METHOD: str = Field(
+    HOLOGRES_DISTANCE_METHOD: DistanceType = Field(
        description="Distance method for vector index (e.g., 'Cosine', 'Euclidean', 'InnerProduct').",
        default="Cosine",
    )
-    HOLOGRES_BASE_QUANTIZATION_TYPE: str = Field(
+    HOLOGRES_BASE_QUANTIZATION_TYPE: BaseQuantizationType = Field(
        description="Base quantization type for vector index (e.g., 'rabitq', 'sq8', 'fp16', 'fp32').",
        default="rabitq",
    )
--- a/api/configs/middleware/vdb/iris_config.py
+++ b/api/configs/middleware/vdb/iris_config.py
@ -1,7 +1,5 @@
 """Configuration for InterSystems IRIS vector database."""
 from typing import Any
 from pydantic import Field, PositiveInt, model_validator
 from pydantic_settings import BaseSettings
@ -66,7 +64,7 @@ class IrisVectorConfig(BaseSettings):
    @model_validator(mode="before")
    @classmethod
-    def validate_config(cls, values: dict[str, Any]) -> dict[str, Any]:
+    def validate_config(cls, values: dict) -> dict:
        """Validate IRIS configuration values.
        Args:
--- a/api/configs/secret_key.py
+++ b/api/configs/secret_key.py
@ -1,38 +0,0 @@
 """SECRET_KEY persistence helpers for runtime setup."""
 from __future__ import annotations
 import secrets
 from extensions.ext_storage import storage
 GENERATED_SECRET_KEY_FILENAME = ".dify_secret_key"
 def resolve_secret_key(secret_key: str) -> str:
    """Return an explicit SECRET_KEY or a generated key persisted in storage."""
    if secret_key:
        return secret_key
    return _load_or_create_secret_key()
 def _load_or_create_secret_key() -> str:
    try:
        persisted_key = storage.load_once(GENERATED_SECRET_KEY_FILENAME).decode("utf-8").strip()
        if persisted_key:
            return persisted_key
    except FileNotFoundError:
        pass
    generated_key = secrets.token_urlsafe(48)
    try:
        storage.save(GENERATED_SECRET_KEY_FILENAME, f"{generated_key}\n".encode())
    except Exception as exc:
        raise ValueError(
            f"SECRET_KEY is not set and could not be generated at {GENERATED_SECRET_KEY_FILENAME}. "
            "Set SECRET_KEY explicitly or make storage writable."
        ) from exc
    return generated_key
--- a/api/constants/dsl_version.py
+++ b/api/constants/dsl_version.py
@ -1 +0,0 @@
 CURRENT_APP_DSL_VERSION = "0.6.0"
--- a/api/constants/recommended_apps.json
+++ b/api/constants/recommended_apps.json
@ -19,7 +19,7 @@
                        "name": "Website Generator"
                    },
                    "app_id": "b53545b1-79ea-4da3-b31a-c39391c6f041",
-                    "categories": ["Programming"],
+                    "category": "Programming",
                    "copyright": null,
                    "description": null,
                    "is_listed": true,
@ -35,7 +35,7 @@
                        "name": "Investment Analysis Report Copilot"
                    },
                    "app_id": "a23b57fa-85da-49c0-a571-3aff375976c1",
-                    "categories": ["Agent"],
+                    "category": "Agent",
                    "copyright": "Dify.AI",
                    "description": "Welcome to your personalized Investment Analysis Copilot service, where we delve into the depths of stock analysis to provide you with comprehensive insights. \n",
                    "is_listed": true,
@ -51,7 +51,7 @@
                        "name": "Workflow Planning Assistant "
                    },
                    "app_id": "f3303a7d-a81c-404e-b401-1f8711c998c1",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "An assistant that helps you plan and select the right node for a workflow (V0.6.0).  ",
                    "is_listed": true,
@ -67,7 +67,7 @@
                        "name": "Automated Email Reply  "
                    },
                    "app_id": "e9d92058-7d20-4904-892f-75d90bef7587",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "Reply emails using Gmail API. It will automatically retrieve email in your inbox and create a response in Gmail. \nConfigure your Gmail API in Google Cloud Console. ",
                    "is_listed": true,
@ -83,7 +83,7 @@
                        "name": "Book Translation "
                    },
                    "app_id": "98b87f88-bd22-4d86-8b74-86beba5e0ed4",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "A workflow designed to translate a full book up to 15000 tokens per run. Uses Code node to separate text into chunks and Iteration to translate each chunk. ",
                    "is_listed": true,
@ -99,7 +99,7 @@
                        "name": "Python bug fixer"
                    },
                    "app_id": "cae337e6-aec5-4c7b-beca-d6f1a808bd5e",
-                    "categories": ["Programming"],
+                    "category": "Programming",
                    "copyright": null,
                    "description": null,
                    "is_listed": true,
@ -115,7 +115,7 @@
                        "name": "Code Interpreter"
                    },
                    "app_id": "d077d587-b072-4f2c-b631-69ed1e7cdc0f",
-                    "categories": ["Programming"],
+                    "category": "Programming",
                    "copyright": "Copyright 2023 Dify",
                    "description": "Code interpreter, clarifying the syntax and semantics of the code.",
                    "is_listed": true,
@ -131,7 +131,7 @@
                        "name": "SVG Logo Design "
                    },
                    "app_id": "73fbb5f1-c15d-4d74-9cc8-46d9db9b2cca",
-                    "categories": ["Agent"],
+                    "category": "Agent",
                    "copyright": "Dify.AI",
                    "description": "Hello, I am your creative partner in bringing ideas to vivid life! I can assist you in creating stunning designs by leveraging abilities of DALL·E 3.  ",
                    "is_listed": true,
@ -147,7 +147,7 @@
                        "name": "Long Story Generator (Iteration) "
                    },
                    "app_id": "5efb98d7-176b-419c-b6ef-50767391ab62",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "A workflow demonstrating how to use Iteration node to generate long article that is longer than the context length of LLMs. ",
                    "is_listed": true,
@ -163,7 +163,7 @@
                        "name": "Text Summarization Workflow"
                    },
                    "app_id": "f00c4531-6551-45ee-808f-1d7903099515",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "Based on users' choice, retrieve external knowledge to more accurately summarize articles.",
                    "is_listed": true,
@ -179,7 +179,7 @@
                        "name": "YouTube Channel Data Analysis"
                    },
                    "app_id": "be591209-2ca8-410f-8f3b-ca0e530dd638",
-                    "categories": ["Agent"],
+                    "category": "Agent",
                    "copyright": "Dify.AI",
                    "description": "I am a YouTube Channel Data Analysis Copilot, I am here to provide expert data analysis tailored to your needs. ",
                    "is_listed": true,
@ -195,7 +195,7 @@
                        "name": "Article Grading Bot"
                    },
                    "app_id": "a747f7b4-c48b-40d6-b313-5e628232c05f",
-                    "categories": ["Writing"],
+                    "category": "Writing",
                    "copyright": null,
                    "description": "Assess the quality of articles and text based on user defined criteria. ",
                    "is_listed": true,
@ -211,7 +211,7 @@
                        "name": "SEO Blog Generator"
                    },
                    "app_id": "18f3bd03-524d-4d7a-8374-b30dbe7c69d5",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "Workflow for retrieving information from the internet, followed by segmented generation of SEO blogs.",
                    "is_listed": true,
@ -227,7 +227,7 @@
                        "name": "SQL Creator"
                    },
                    "app_id": "050ef42e-3e0c-40c1-a6b6-a64f2c49d744",
-                    "categories": ["Programming"],
+                    "category": "Programming",
                    "copyright": "Copyright 2023 Dify",
                    "description": "Write SQL from natural language by pasting in your schema with the request.Please describe your query requirements in natural language and select the target database type.",
                    "is_listed": true,
@ -243,7 +243,7 @@
                        "name": "Sentiment Analysis "
                    },
                    "app_id": "f06bf86b-d50c-4895-a942-35112dbe4189",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "Batch sentiment analysis of text, followed by JSON output of sentiment classification along with scores.",
                    "is_listed": true,
@ -259,7 +259,7 @@
                        "name": "Strategic Consulting Expert"
                    },
                    "app_id": "7e8ca1ae-02f2-4b5f-979e-62d19133bee2",
-                    "categories": ["Assistant"],
+                    "category": "Assistant",
                    "copyright": "Copyright 2023 Dify",
                    "description": "I can answer your questions related to strategic marketing.",
                    "is_listed": true,
@ -275,7 +275,7 @@
                        "name": "Code Converter"
                    },
                    "app_id": "4006c4b2-0735-4f37-8dbb-fb1a8c5bd87a",
-                    "categories": ["Programming"],
+                    "category": "Programming",
                    "copyright": "Copyright 2023 Dify",
                    "description": "This is an application that provides the ability to convert code snippets in multiple programming languages. You can input the code you wish to convert, select the target programming language, and get the desired output.",
                    "is_listed": true,
@ -291,7 +291,7 @@
                        "name": "Question Classifier + Knowledge + Chatbot "
                    },
                    "app_id": "d9f6b733-e35d-4a40-9f38-ca7bbfa009f7",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "Basic Workflow Template, a chatbot capable of identifying intents alongside with a knowledge base.",
                    "is_listed": true,
@ -307,7 +307,7 @@
                        "name": "AI Front-end interviewer"
                    },
                    "app_id": "127efead-8944-4e20-ba9d-12402eb345e0",
-                    "categories": ["HR"],
+                    "category": "HR",
                    "copyright": "Copyright 2023 Dify",
                    "description": "A simulated front-end interviewer that tests the skill level of front-end development through questioning.",
                    "is_listed": true,
@ -323,7 +323,7 @@
                        "name": "Knowledge Retrieval + Chatbot "
                    },
                    "app_id": "e9870913-dd01-4710-9f06-15d4180ca1ce",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "Basic Workflow Template, A chatbot with a knowledge base. ",
                    "is_listed": true,
@ -339,7 +339,7 @@
                        "name": "Email Assistant Workflow "
                    },
                    "app_id": "dd5b6353-ae9b-4bce-be6a-a681a12cf709",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "A multifunctional email assistant capable of summarizing, replying, composing, proofreading, and checking grammar.",
                    "is_listed": true,
@ -355,7 +355,7 @@
                        "name": "Customer Review Analysis Workflow "
                    },
                    "app_id": "9c0cd31f-4b62-4005-adf5-e3888d08654a",
-                    "categories": ["Workflow"],
+                    "category": "Workflow",
                    "copyright": null,
                    "description": "Utilize LLM (Large Language Models) to classify customer reviews and forward them to the internal system.",
                    "is_listed": true,
--- a/api/controllers/API_SCHEMA_GUIDE.md
+++ b/api/controllers/API_SCHEMA_GUIDE.md
@ -1,211 +0,0 @@
 # API Schema Guide
 This guide describes the expected Flask-RESTX + Pydantic pattern for controller request payloads, query
 parameters, response schemas, and Swagger documentation.
 ## Principles
 - Use Pydantic `BaseModel` for request bodies and query parameters.
 - Use `fields.base.ResponseModel` for response DTOs.
 - Keep runtime validation and Swagger documentation wired to the same Pydantic model.
 - Prefer explicit validation and serialization in controller methods over Flask-RESTX marshalling.
 - Do not add new Flask-RESTX `fields.*` dictionaries, `Namespace.model(...)` exports, or `@marshal_with(...)` for migrated or new endpoints.
 - Do not use `@ns.expect(...)` for GET query parameters. Flask-RESTX documents that as a request body.
 ## Naming
 - Request body models: use a `Payload` suffix.
  - Example: `WorkflowRunPayload`, `DatasourceVariablesPayload`.
 - Query parameter models: use a `Query` suffix.
  - Example: `WorkflowRunListQuery`, `MessageListQuery`.
 - Response models: use a `Response` suffix and inherit from `ResponseModel`.
  - Example: `WorkflowRunDetailResponse`, `WorkflowRunNodeExecutionListResponse`.
 - Use `ListResponse` or `PaginationResponse` for wrapper responses.
  - Example: `WorkflowRunNodeExecutionListResponse`, `WorkflowRunPaginationResponse`.
 - Keep these models near the controller when they are endpoint-specific. Move them to `fields/*_fields.py` only when shared by multiple controllers.
 ## Registering Models For Swagger
 Use helpers from `controllers.common.schema`.
 ```python
 from controllers.common.schema import (
    query_params_from_model,
    register_response_schema_models,
    register_schema_models,
 )
 from libs.helper import dump_response
 ```
 Register request payload and query models with `register_schema_models(...)`:
 ```python
 register_schema_models(
    console_ns,
    WorkflowRunPayload,
    WorkflowRunListQuery,
 )
 ```
 Register response models with `register_response_schema_models(...)`:
 ```python
 register_response_schema_models(
    console_ns,
    WorkflowRunDetailResponse,
    WorkflowRunPaginationResponse,
 )
 ```
 Response models are registered in Pydantic serialization mode. This matters when a response model uses
 `validation_alias` to read internal object attributes but emits public API field names. For example, a response model
 can validate from `inputs_dict` while documenting and serializing `inputs`.
 ## Request Bodies
 For non-GET request bodies:
 1. Define a Pydantic `Payload` model.
 2. Register it with `register_schema_models(...)`.
 3. Use `@ns.expect(ns.models[Payload.__name__])` for Swagger documentation.
 4. Validate from `ns.payload or {}` inside the controller.
 ```python
 class DraftWorkflowNodeRunPayload(BaseModel):
    inputs: dict[str, Any]
    query: str = ""
 register_schema_models(console_ns, DraftWorkflowNodeRunPayload)
@console_ns.expect(console_ns.models[DraftWorkflowNodeRunPayload.__name__])
 def post(self, app_model: App, node_id: str):
    payload = DraftWorkflowNodeRunPayload.model_validate(console_ns.payload or {})
    result = service.run(..., inputs=payload.inputs, query=payload.query)
    return dump_response(WorkflowRunNodeExecutionResponse, result)
 ```
 ## Query Parameters
 For GET query parameters:
 1. Define a Pydantic `Query` model.
 2. Register it with `register_schema_models(...)` if it is referenced elsewhere in docs, or only use
   `query_params_from_model(...)` if a body schema is not needed.
 3. Use `@ns.doc(params=query_params_from_model(QueryModel))`.
 4. Validate from `request.args.to_dict(flat=True)` or an explicit dict when type coercion is needed.
 ```python
 class WorkflowRunListQuery(BaseModel):
    last_id: str | None = Field(default=None, description="Last run ID for pagination")
    limit: int = Field(default=20, ge=1, le=100, description="Number of items per page (1-100)")
@console_ns.doc(params=query_params_from_model(WorkflowRunListQuery))
 def get(self, app_model: App):
    query = WorkflowRunListQuery.model_validate(request.args.to_dict(flat=True))
    result = service.list(..., limit=query.limit, last_id=query.last_id)
    return dump_response(WorkflowRunPaginationResponse, result)
 ```
 Do not do this for GET query parameters:
 ```python
@console_ns.expect(console_ns.models[WorkflowRunListQuery.__name__])
 def get(...):
    ...
 ```
 That documents a GET request body and is not the expected contract.
 ## Responses
 Response models should inherit from `ResponseModel`:
 ```python
 class WorkflowRunNodeExecutionResponse(ResponseModel):
    id: str
    inputs: Any = Field(default=None, validation_alias="inputs_dict")
    process_data: Any = Field(default=None, validation_alias="process_data_dict")
    outputs: Any = Field(default=None, validation_alias="outputs_dict")
 ```
 Document response models with `@ns.response(...)`:
 ```python
@console_ns.response(
    200,
    "Node run started successfully",
    console_ns.models[WorkflowRunNodeExecutionResponse.__name__],
 )
 def post(...):
    ...
 ```
 Serialize explicitly:
 ```python
 return dump_response(WorkflowRunNodeExecutionResponse, workflow_node_execution)
 ```
 `dump_response(...)` is the preferred response serialization helper for a single Pydantic response DTO. It validates
 with `from_attributes=True` and returns `model_dump(mode="json")`, so SQLAlchemy models, plain objects, dictionaries,
 Pydantic aliases, computed fields, and `datetime` values are serialized consistently.
 For wrapper responses, pass a dictionary with the public wrapper fields:
 ```python
 return dump_response(
    WorkflowRunPaginationResponse,
    {
        "data": workflow_runs,
        "page": page,
        "limit": limit,
        "has_more": has_more,
    },
 )
 ```
 If the service can return `None`, translate that into the expected HTTP error before validation:
 ```python
 workflow_run = service.get_workflow_run(...)
 if workflow_run is None:
    raise NotFound("Workflow run not found")
 return dump_response(WorkflowRunDetailResponse, workflow_run)
 ```
 Use manual `model_validate(...).model_dump(...)` only when the endpoint needs behavior that `dump_response(...)` does
 not provide, such as returning a non-dict payload, intentionally excluding fields, or composing a `(body, status)` tuple.
 ## Legacy Flask-RESTX Patterns
 Avoid adding these patterns to new or migrated endpoints:
 - `ns.model(...)` for new request/response DTOs.
 - Module-level exported RESTX model objects such as `workflow_run_detail_model`.
 - `fields.Nested({...})` with raw inline dict field maps.
 - `@marshal_with(...)` for response serialization.
 - `@ns.expect(...)` for GET query params.
 Existing legacy field dictionaries may remain where an endpoint has not yet been migrated. Keep that compatibility local
 to the legacy area and avoid importing RESTX model objects from controllers.
 ## Verifying Swagger
 For schema and documentation changes, run focused tests and generate Swagger JSON:
 ```bash
 uv run --project . pytest tests/unit_tests/controllers/common/test_schema.py
 uv run --project . pytest tests/unit_tests/commands/test_generate_swagger_specs.py tests/unit_tests/controllers/test_swagger.py
 uv run --project . dev/generate_swagger_specs.py --output-dir /tmp/dify-openapi-check
 ```
 Inspect affected endpoints with `jq`. Check that:
 - GET parameters are `in: query`.
 - Request bodies appear only where the endpoint has a body.
 - Responses reference the expected `*Response` schema.
 - Response schemas use public serialized names, not internal validation aliases like `inputs_dict`.
--- a/api/controllers/common/controller_schemas.py
+++ b/api/controllers/common/controller_schemas.py
@ -1,104 +0,0 @@
 from typing import Any, Literal
 from uuid import UUID
 from pydantic import BaseModel, Field, model_validator
 from libs.helper import UUIDStrOrEmpty
 # --- Conversation schemas ---
 class ConversationRenamePayload(BaseModel):
    name: str | None = None
    auto_generate: bool = False
    @model_validator(mode="after")
    def validate_name_requirement(self):
        if not self.auto_generate:
            if self.name is None or not self.name.strip():
                raise ValueError("name is required when auto_generate is false")
        return self
 # --- Message schemas ---
 class MessageListQuery(BaseModel):
    conversation_id: UUIDStrOrEmpty = Field(description="Conversation UUID")
    first_id: UUIDStrOrEmpty | None = Field(default=None, description="First message ID for pagination")
    limit: int = Field(default=20, ge=1, le=100, description="Number of messages to return (1-100)")
 class MessageFeedbackPayload(BaseModel):
    rating: Literal["like", "dislike"] | None = None
    content: str | None = None
 # --- Saved message schemas ---
 class SavedMessageListQuery(BaseModel):
    last_id: UUIDStrOrEmpty | None = None
    limit: int = Field(default=20, ge=1, le=100)
 class SavedMessageCreatePayload(BaseModel):
    message_id: UUIDStrOrEmpty
 # --- Workflow schemas ---
 class DefaultBlockConfigQuery(BaseModel):
    q: str | None = None
 class WorkflowListQuery(BaseModel):
    page: int = Field(default=1, ge=1, le=99999)
    limit: int = Field(default=10, ge=1, le=100)
    user_id: str | None = None
    named_only: bool = False
 class WorkflowRunPayload(BaseModel):
    inputs: dict[str, Any]
    files: list[dict[str, Any]] | None = None
 class WorkflowUpdatePayload(BaseModel):
    marked_name: str | None = Field(default=None, max_length=20)
    marked_comment: str | None = Field(default=None, max_length=100)
 # --- Dataset schemas ---
 DOCUMENT_BATCH_DOWNLOAD_ZIP_MAX_DOCS = 100
 class ChildChunkCreatePayload(BaseModel):
    content: str
 class ChildChunkUpdatePayload(BaseModel):
    content: str
 class DocumentBatchDownloadZipPayload(BaseModel):
    """Request payload for bulk downloading documents as a zip archive."""
    document_ids: list[UUID] = Field(..., min_length=1, max_length=DOCUMENT_BATCH_DOWNLOAD_ZIP_MAX_DOCS)
 class MetadataUpdatePayload(BaseModel):
    name: str
 # --- Audio schemas ---
 class TextToAudioPayload(BaseModel):
    message_id: str | None = Field(default=None, description="Message ID")
    voice: str | None = Field(default=None, description="Voice to use for TTS")
    text: str | None = Field(default=None, description="Text to convert to audio")
    streaming: bool | None = Field(default=None, description="Enable streaming response")
--- a/api/controllers/common/fields.py
+++ b/api/controllers/common/fields.py
@ -2,9 +2,9 @@ from __future__ import annotations
 from typing import Any
 from graphon.file import helpers as file_helpers
 from pydantic import BaseModel, ConfigDict, computed_field
 from graphon.file import helpers as file_helpers
 from models.model import IconType
 type JSONValue = str | int | float | bool | None | dict[str, Any] | list[Any]
--- a/api/controllers/common/helpers.py
+++ b/api/controllers/common/helpers.py
@ -41,8 +41,7 @@ def guess_file_info_from_response(response: httpx.Response):
    # Try to extract filename from URL
    parsed_url = urllib.parse.urlparse(url)
    url_path = parsed_url.path
-    # Decode percent-encoded characters in the path segment
+    filename = os.path.basename(url_path)
    filename = urllib.parse.unquote(os.path.basename(url_path))
    # If filename couldn't be extracted, use Content-Disposition header
    if not filename:
--- a/api/controllers/common/human_input.py
+++ b/api/controllers/common/human_input.py
@ -1,21 +0,0 @@
 import json
 from pydantic import BaseModel, JsonValue
 class HumanInputFormSubmitPayload(BaseModel):
    inputs: dict[str, JsonValue]
    action: str
 def stringify_form_default_values(values: dict[str, object]) -> dict[str, str]:
    """Serialize default values into strings expected by human-input form clients."""
    result: dict[str, str] = {}
    for key, value in values.items():
        if value is None:
            result[key] = ""
        elif isinstance(value, (dict, list)):
            result[key] = json.dumps(value, ensure_ascii=False)
        else:
            result[key] = str(value)
    return result
--- a/api/controllers/common/schema.py
+++ b/api/controllers/common/schema.py
@ -1,14 +1,6 @@
-"""Helpers for registering Pydantic models with Flask-RESTX namespaces.
+"""Helpers for registering Pydantic models with Flask-RESTX namespaces."""
 Flask-RESTX treats `SchemaModel` bodies as opaque JSON schemas; it does not
 promote Pydantic's nested `$defs` into top-level Swagger `definitions`.
 These helpers keep that translation centralized so models registered through
 `register_schema_models` emit resolvable Swagger 2.0 references.
 """
 from collections.abc import Mapping
 from enum import StrEnum
 from typing import Any, Literal, NotRequired, TypedDict
 from flask_restx import Namespace
 from pydantic import BaseModel, TypeAdapter
@ -16,89 +8,10 @@ from pydantic import BaseModel, TypeAdapter
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 QueryParamDoc = TypedDict(
    "QueryParamDoc",
    {
        "in": NotRequired[str],
        "type": NotRequired[str],
        "items": NotRequired[dict[str, object]],
        "required": NotRequired[bool],
        "description": NotRequired[str],
        "enum": NotRequired[list[object]],
        "default": NotRequired[object],
        "minimum": NotRequired[int | float],
        "maximum": NotRequired[int | float],
        "minLength": NotRequired[int],
        "maxLength": NotRequired[int],
        "minItems": NotRequired[int],
        "maxItems": NotRequired[int],
    },
 )
 def _register_json_schema(namespace: Namespace, name: str, schema: dict) -> None:
    """Register a JSON schema and promote any nested Pydantic `$defs`."""
    schema = _swagger_2_compatible_schema(schema)
    nested_definitions = schema.get("$defs")
    schema_to_register = dict(schema)
    if isinstance(nested_definitions, dict):
        schema_to_register.pop("$defs")
    namespace.schema_model(name, schema_to_register)
    if not isinstance(nested_definitions, dict):
        return
    for nested_name, nested_schema in nested_definitions.items():
        if isinstance(nested_schema, dict):
            _register_json_schema(namespace, nested_name, nested_schema)
 JsonSchemaMode = Literal["validation", "serialization"]
 def _register_schema_model(namespace: Namespace, model: type[BaseModel], *, mode: JsonSchemaMode) -> None:
    _register_json_schema(
        namespace,
        model.__name__,
        model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0, mode=mode),
    )
 def _swagger_2_compatible_schema(value: Any) -> Any:
    if isinstance(value, list):
        return [_swagger_2_compatible_schema(item) for item in value]
    if not isinstance(value, dict):
        return value
    converted = {key: _swagger_2_compatible_schema(child) for key, child in value.items()}
    any_of = value.get("anyOf")
    if not isinstance(any_of, list):
        return converted
    non_null_candidates = [
        candidate for candidate in any_of if isinstance(candidate, Mapping) and candidate.get("type") != "null"
    ]
    has_null_candidate = any(isinstance(candidate, Mapping) and candidate.get("type") == "null" for candidate in any_of)
    if not has_null_candidate or len(non_null_candidates) != 1:
        return converted
    non_null_schema = _swagger_2_compatible_schema(dict(non_null_candidates[0]))
    if not isinstance(non_null_schema, dict):
        return converted
    converted.pop("anyOf", None)
    converted.update(non_null_schema)
    converted["x-nullable"] = True
    return converted
 def register_schema_model(namespace: Namespace, model: type[BaseModel]) -> None:
-    """Register a BaseModel and its nested schema definitions for Swagger documentation."""
+    """Register a single BaseModel with a namespace for Swagger documentation."""
-    _register_schema_model(namespace, model, mode="validation")
+    namespace.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
 def register_schema_models(namespace: Namespace, *models: type[BaseModel]) -> None:
@ -108,19 +21,6 @@ def register_schema_models(namespace: Namespace, *models: type[BaseModel]) -> No
        register_schema_model(namespace, model)
 def register_response_schema_model(namespace: Namespace, model: type[BaseModel]) -> None:
    """Register a BaseModel using its serialized response shape."""
    _register_schema_model(namespace, model, mode="serialization")
 def register_response_schema_models(namespace: Namespace, *models: type[BaseModel]) -> None:
    """Register multiple response BaseModels using their serialized response shape."""
    for model in models:
        register_response_schema_model(namespace, model)
 def get_or_create_model(model_name: str, field_def):
    # Import lazily to avoid circular imports between console controllers and schema helpers.
    from controllers.console import console_ns
@ -134,114 +34,15 @@ def get_or_create_model(model_name: str, field_def):
 def register_enum_models(namespace: Namespace, *models: type[StrEnum]) -> None:
    """Register multiple StrEnum with a namespace."""
    for model in models:
-        _register_json_schema(
+        namespace.schema_model(
-            namespace,
+            model.__name__, TypeAdapter(model).json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
            model.__name__,
            TypeAdapter(model).json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
        )
 def query_params_from_model(model: type[BaseModel]) -> dict[str, QueryParamDoc]:
    """Build Flask-RESTX query parameter docs from a flat Pydantic model.
    `Namespace.expect()` treats Pydantic schema models as request bodies, so GET
    endpoints should keep runtime validation on the Pydantic model and feed this
    derived mapping to `Namespace.doc(params=...)` for Swagger documentation.
    """
    schema = model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
    properties = schema.get("properties", {})
    if not isinstance(properties, Mapping):
        return {}
    required = schema.get("required", [])
    required_names = set(required) if isinstance(required, list) else set()
    params: dict[str, QueryParamDoc] = {}
    for name, property_schema in properties.items():
        if not isinstance(name, str) or not isinstance(property_schema, Mapping):
            continue
        params[name] = _query_param_from_property(property_schema, required=name in required_names)
    return params
 def _query_param_from_property(property_schema: Mapping[str, Any], *, required: bool) -> QueryParamDoc:
    param_schema = _nullable_property_schema(property_schema)
    param_doc: QueryParamDoc = {"in": "query", "required": required}
    description = param_schema.get("description")
    if isinstance(description, str):
        param_doc["description"] = description
    schema_type = param_schema.get("type")
    if isinstance(schema_type, str) and schema_type in {"array", "boolean", "integer", "number", "string"}:
        param_doc["type"] = schema_type
        if schema_type == "array":
            items = param_schema.get("items")
            if isinstance(items, Mapping):
                item_type = items.get("type")
                if isinstance(item_type, str):
                    param_doc["items"] = {"type": item_type}
    enum = param_schema.get("enum")
    if isinstance(enum, list):
        param_doc["enum"] = enum
    default = param_schema.get("default")
    if default is not None:
        param_doc["default"] = default
    minimum = param_schema.get("minimum")
    if isinstance(minimum, int | float):
        param_doc["minimum"] = minimum
    maximum = param_schema.get("maximum")
    if isinstance(maximum, int | float):
        param_doc["maximum"] = maximum
    min_length = param_schema.get("minLength")
    if isinstance(min_length, int):
        param_doc["minLength"] = min_length
    max_length = param_schema.get("maxLength")
    if isinstance(max_length, int):
        param_doc["maxLength"] = max_length
    min_items = param_schema.get("minItems")
    if isinstance(min_items, int):
        param_doc["minItems"] = min_items
    max_items = param_schema.get("maxItems")
    if isinstance(max_items, int):
        param_doc["maxItems"] = max_items
    return param_doc
 def _nullable_property_schema(property_schema: Mapping[str, Any]) -> Mapping[str, Any]:
    any_of = property_schema.get("anyOf")
    if not isinstance(any_of, list):
        return property_schema
    non_null_candidates = [
        candidate for candidate in any_of if isinstance(candidate, Mapping) and candidate.get("type") != "null"
    ]
    if len(non_null_candidates) == 1:
        return {**property_schema, **non_null_candidates[0]}
    return property_schema
 __all__ = [
    "DEFAULT_REF_TEMPLATE_SWAGGER_2_0",
    "get_or_create_model",
    "query_params_from_model",
    "register_enum_models",
    "register_response_schema_model",
    "register_response_schema_models",
    "register_schema_model",
    "register_schema_models",
 ]
--- a/api/controllers/console/init.py
+++ b/api/controllers/console/init.py
@ -33,6 +33,7 @@ for module_name in RESOURCE_MODULES:
 # Ensure resource modules are imported so route decorators are evaluated.
 # Import other controllers
 from . import (
    admin,
    apikey,
    extension,
    feature,
@ -64,7 +65,6 @@ from .app import (
    statistic,
    workflow,
    workflow_app_log,
    workflow_comment,
    workflow_draft_variable,
    workflow_run,
    workflow_statistic,
@ -116,7 +116,6 @@ from .explore import (
    saved_message,
    trial,
 )
 from .socketio import workflow as socketio_workflow
 # Import tag controllers
 from .tag import tags
@ -141,6 +140,7 @@ api.add_namespace(console_ns)
 __all__ = [
    "account",
    "activate",
    "admin",
    "advanced_prompt_template",
    "agent",
    "agent_providers",
@ -201,7 +201,6 @@ __all__ = [
    "saved_message",
    "setup",
    "site",
    "socketio_workflow",
    "spec",
    "statistic",
    "tags",
@ -212,7 +211,6 @@ __all__ = [
    "website",
    "workflow",
    "workflow_app_log",
    "workflow_comment",
    "workflow_draft_variable",
    "workflow_run",
    "workflow_statistic",
--- a/api/controllers/console/admin.py
+++ b/api/controllers/console/admin.py
@ -1,11 +1,71 @@
 import csv
 import io
 from collections.abc import Callable
 from functools import wraps
 from flask import request
-from werkzeug.exceptions import Unauthorized
+from flask_restx import Resource
 from pydantic import BaseModel, Field, field_validator
 from sqlalchemy import select
 from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
 from configs import dify_config
 from constants.languages import supported_language
 from controllers.console import console_ns
 from controllers.console.wraps import only_edition_cloud
 from core.db.session_factory import session_factory
 from extensions.ext_database import db
 from libs.token import extract_access_token
 from models.model import App, ExporleBanner, InstalledApp, RecommendedApp, TrialApp
 from services.billing_service import BillingService
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class InsertExploreAppPayload(BaseModel):
    app_id: str = Field(...)
    desc: str | None = None
    copyright: str | None = None
    privacy_policy: str | None = None
    custom_disclaimer: str | None = None
    language: str = Field(...)
    category: str = Field(...)
    position: int = Field(...)
    can_trial: bool = Field(default=False)
    trial_limit: int = Field(default=0)
    @field_validator("language")
    @classmethod
    def validate_language(cls, value: str) -> str:
        return supported_language(value)
 class InsertExploreBannerPayload(BaseModel):
    category: str = Field(...)
    title: str = Field(...)
    description: str = Field(...)
    img_src: str = Field(..., alias="img-src")
    language: str = Field(default="en-US")
    link: str = Field(...)
    sort: int = Field(...)
    @field_validator("language")
    @classmethod
    def validate_language(cls, value: str) -> str:
        return supported_language(value)
    model_config = {"populate_by_name": True}
 console_ns.schema_model(
    InsertExploreAppPayload.__name__,
    InsertExploreAppPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 console_ns.schema_model(
    InsertExploreBannerPayload.__name__,
    InsertExploreBannerPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 def admin_required[**P, R](view: Callable[P, R]) -> Callable[P, R]:
@ -23,3 +83,361 @@ def admin_required[**P, R](view: Callable[P, R]) -> Callable[P, R]:
        return view(*args, **kwargs)
    return decorated
@console_ns.route("/admin/insert-explore-apps")
 class InsertExploreAppListApi(Resource):
    @console_ns.doc("insert_explore_app")
    @console_ns.doc(description="Insert or update an app in the explore list")
    @console_ns.expect(console_ns.models[InsertExploreAppPayload.__name__])
    @console_ns.response(200, "App updated successfully")
    @console_ns.response(201, "App inserted successfully")
    @console_ns.response(404, "App not found")
    @only_edition_cloud
    @admin_required
    def post(self):
        payload = InsertExploreAppPayload.model_validate(console_ns.payload)
        app = db.session.execute(select(App).where(App.id == payload.app_id)).scalar_one_or_none()
        if not app:
            raise NotFound(f"App '{payload.app_id}' is not found")
        site = app.site
        if not site:
            desc = payload.desc or ""
            copy_right = payload.copyright or ""
            privacy_policy = payload.privacy_policy or ""
            custom_disclaimer = payload.custom_disclaimer or ""
        else:
            desc = site.description or payload.desc or ""
            copy_right = site.copyright or payload.copyright or ""
            privacy_policy = site.privacy_policy or payload.privacy_policy or ""
            custom_disclaimer = site.custom_disclaimer or payload.custom_disclaimer or ""
        with session_factory.create_session() as session:
            recommended_app = session.execute(
                select(RecommendedApp).where(RecommendedApp.app_id == payload.app_id)
            ).scalar_one_or_none()
            if not recommended_app:
                recommended_app = RecommendedApp(
                    app_id=app.id,
                    description=desc,
                    copyright=copy_right,
                    privacy_policy=privacy_policy,
                    custom_disclaimer=custom_disclaimer,
                    language=payload.language,
                    category=payload.category,
                    position=payload.position,
                )
                db.session.add(recommended_app)
                if payload.can_trial:
                    trial_app = db.session.execute(
                        select(TrialApp).where(TrialApp.app_id == payload.app_id)
                    ).scalar_one_or_none()
                    if not trial_app:
                        db.session.add(
                            TrialApp(
                                app_id=payload.app_id,
                                tenant_id=app.tenant_id,
                                trial_limit=payload.trial_limit,
                            )
                        )
                    else:
                        trial_app.trial_limit = payload.trial_limit
                app.is_public = True
                db.session.commit()
                return {"result": "success"}, 201
            else:
                recommended_app.description = desc
                recommended_app.copyright = copy_right
                recommended_app.privacy_policy = privacy_policy
                recommended_app.custom_disclaimer = custom_disclaimer
                recommended_app.language = payload.language
                recommended_app.category = payload.category
                recommended_app.position = payload.position
                if payload.can_trial:
                    trial_app = db.session.execute(
                        select(TrialApp).where(TrialApp.app_id == payload.app_id)
                    ).scalar_one_or_none()
                    if not trial_app:
                        db.session.add(
                            TrialApp(
                                app_id=payload.app_id,
                                tenant_id=app.tenant_id,
                                trial_limit=payload.trial_limit,
                            )
                        )
                    else:
                        trial_app.trial_limit = payload.trial_limit
                app.is_public = True
                db.session.commit()
                return {"result": "success"}, 200
@console_ns.route("/admin/insert-explore-apps/<uuid:app_id>")
 class InsertExploreAppApi(Resource):
    @console_ns.doc("delete_explore_app")
    @console_ns.doc(description="Remove an app from the explore list")
    @console_ns.doc(params={"app_id": "Application ID to remove"})
    @console_ns.response(204, "App removed successfully")
    @only_edition_cloud
    @admin_required
    def delete(self, app_id):
        with session_factory.create_session() as session:
            recommended_app = session.execute(
                select(RecommendedApp).where(RecommendedApp.app_id == str(app_id))
            ).scalar_one_or_none()
        if not recommended_app:
            return {"result": "success"}, 204
        with session_factory.create_session() as session:
            app = session.execute(select(App).where(App.id == recommended_app.app_id)).scalar_one_or_none()
        if app:
            app.is_public = False
        with session_factory.create_session() as session:
            installed_apps = (
                session.execute(
                    select(InstalledApp).where(
                        InstalledApp.app_id == recommended_app.app_id,
                        InstalledApp.tenant_id != InstalledApp.app_owner_tenant_id,
                    )
                )
                .scalars()
                .all()
            )
            for installed_app in installed_apps:
                session.delete(installed_app)
            trial_app = session.execute(
                select(TrialApp).where(TrialApp.app_id == recommended_app.app_id)
            ).scalar_one_or_none()
            if trial_app:
                session.delete(trial_app)
        db.session.delete(recommended_app)
        db.session.commit()
        return {"result": "success"}, 204
@console_ns.route("/admin/insert-explore-banner")
 class InsertExploreBannerApi(Resource):
    @console_ns.doc("insert_explore_banner")
    @console_ns.doc(description="Insert an explore banner")
    @console_ns.expect(console_ns.models[InsertExploreBannerPayload.__name__])
    @console_ns.response(201, "Banner inserted successfully")
    @only_edition_cloud
    @admin_required
    def post(self):
        payload = InsertExploreBannerPayload.model_validate(console_ns.payload)
        banner = ExporleBanner(
            content={
                "category": payload.category,
                "title": payload.title,
                "description": payload.description,
                "img-src": payload.img_src,
            },
            link=payload.link,
            sort=payload.sort,
            language=payload.language,
        )
        db.session.add(banner)
        db.session.commit()
        return {"result": "success"}, 201
@console_ns.route("/admin/delete-explore-banner/<uuid:banner_id>")
 class DeleteExploreBannerApi(Resource):
    @console_ns.doc("delete_explore_banner")
    @console_ns.doc(description="Delete an explore banner")
    @console_ns.doc(params={"banner_id": "Banner ID to delete"})
    @console_ns.response(204, "Banner deleted successfully")
    @only_edition_cloud
    @admin_required
    def delete(self, banner_id):
        banner = db.session.execute(select(ExporleBanner).where(ExporleBanner.id == banner_id)).scalar_one_or_none()
        if not banner:
            raise NotFound(f"Banner '{banner_id}' is not found")
        db.session.delete(banner)
        db.session.commit()
        return {"result": "success"}, 204
 class LangContentPayload(BaseModel):
    lang: str = Field(..., description="Language tag: 'zh' | 'en' | 'jp'")
    title: str = Field(...)
    subtitle: str | None = Field(default=None)
    body: str = Field(...)
    title_pic_url: str | None = Field(default=None)
 class UpsertNotificationPayload(BaseModel):
    notification_id: str | None = Field(default=None, description="Omit to create; supply UUID to update")
    contents: list[LangContentPayload] = Field(..., min_length=1)
    start_time: str | None = Field(default=None, description="RFC3339, e.g. 2026-03-01T00:00:00Z")
    end_time: str | None = Field(default=None, description="RFC3339, e.g. 2026-03-20T23:59:59Z")
    frequency: str = Field(default="once", description="'once' | 'every_page_load'")
    status: str = Field(default="active", description="'active' | 'inactive'")
 class BatchAddNotificationAccountsPayload(BaseModel):
    notification_id: str = Field(...)
    user_email: list[str] = Field(..., description="List of account email addresses")
 console_ns.schema_model(
    UpsertNotificationPayload.__name__,
    UpsertNotificationPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 console_ns.schema_model(
    BatchAddNotificationAccountsPayload.__name__,
    BatchAddNotificationAccountsPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
@console_ns.route("/admin/upsert_notification")
 class UpsertNotificationApi(Resource):
    @console_ns.doc("upsert_notification")
    @console_ns.doc(
        description=(
            "Create or update an in-product notification. "
            "Supply notification_id to update an existing one; omit it to create a new one. "
            "Pass at least one language variant in contents (zh / en / jp)."
        )
    )
    @console_ns.expect(console_ns.models[UpsertNotificationPayload.__name__])
    @console_ns.response(200, "Notification upserted successfully")
    @only_edition_cloud
    @admin_required
    def post(self):
        payload = UpsertNotificationPayload.model_validate(console_ns.payload)
        result = BillingService.upsert_notification(
            contents=[c.model_dump() for c in payload.contents],
            frequency=payload.frequency,
            status=payload.status,
            notification_id=payload.notification_id,
            start_time=payload.start_time,
            end_time=payload.end_time,
        )
        return {"result": "success", "notification_id": result.get("notificationId")}, 200
@console_ns.route("/admin/batch_add_notification_accounts")
 class BatchAddNotificationAccountsApi(Resource):
    @console_ns.doc("batch_add_notification_accounts")
    @console_ns.doc(
        description=(
            "Register target accounts for a notification by email address. "
            'JSON body: {"notification_id": "...", "user_email": ["a@example.com", ...]}. '
            "File upload: multipart/form-data with a 'file' field (CSV or TXT, one email per line) "
            "plus a 'notification_id' field. "
            "Emails that do not match any account are silently skipped."
        )
    )
    @console_ns.response(200, "Accounts added successfully")
    @only_edition_cloud
    @admin_required
    def post(self):
        from models.account import Account
        if "file" in request.files:
            notification_id = request.form.get("notification_id", "").strip()
            if not notification_id:
                raise BadRequest("notification_id is required.")
            emails = self._parse_emails_from_file()
        else:
            payload = BatchAddNotificationAccountsPayload.model_validate(console_ns.payload)
            notification_id = payload.notification_id
            emails = payload.user_email
        if not emails:
            raise BadRequest("No valid email addresses provided.")
        # Resolve emails → account IDs in chunks to avoid large IN-clause
        account_ids: list[str] = []
        chunk_size = 500
        for i in range(0, len(emails), chunk_size):
            chunk = emails[i : i + chunk_size]
            rows = db.session.execute(select(Account.id, Account.email).where(Account.email.in_(chunk))).all()
            account_ids.extend(str(row.id) for row in rows)
        if not account_ids:
            raise BadRequest("None of the provided emails matched an existing account.")
        # Send to dify-saas in batches of 1000
        total_count = 0
        batch_size = 1000
        for i in range(0, len(account_ids), batch_size):
            batch = account_ids[i : i + batch_size]
            result = BillingService.batch_add_notification_accounts(
                notification_id=notification_id,
                account_ids=batch,
            )
            total_count += result.get("count", 0)
        return {
            "result": "success",
            "emails_provided": len(emails),
            "accounts_matched": len(account_ids),
            "count": total_count,
        }, 200
    @staticmethod
    def _parse_emails_from_file() -> list[str]:
        """Parse email addresses from an uploaded CSV or TXT file."""
        file = request.files["file"]
        if not file.filename:
            raise BadRequest("Uploaded file has no filename.")
        filename_lower = file.filename.lower()
        if not filename_lower.endswith((".csv", ".txt")):
            raise BadRequest("Invalid file type. Only CSV (.csv) and TXT (.txt) files are allowed.")
        try:
            content = file.read().decode("utf-8")
        except UnicodeDecodeError:
            try:
                file.seek(0)
                content = file.read().decode("gbk")
            except UnicodeDecodeError:
                raise BadRequest("Unable to decode the file. Please use UTF-8 or GBK encoding.")
        emails: list[str] = []
        if filename_lower.endswith(".csv"):
            reader = csv.reader(io.StringIO(content))
            for row in reader:
                for cell in row:
                    cell = cell.strip()
                    if cell:
                        emails.append(cell)
        else:
            for line in content.splitlines():
                line = line.strip()
                if line:
                    emails.append(line)
        # Deduplicate while preserving order
        seen: set[str] = set()
        unique_emails: list[str] = []
        for email in emails:
            if email.lower() not in seen:
                seen.add(email.lower())
                unique_emails.append(email)
        return unique_emails
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
yyh	142f94e27a	Merge remote-tracking branch 'origin/main' into codex/dify-ui-package-migration	2026-04-03 12:14:22 +08:00
yyh	a1bd929b3c	remove	2026-04-02 18:35:02 +08:00
yyh	ffb9ee3e36	fix(web): support lint tooling package exports	2026-04-02 18:29:44 +08:00
yyh	485586f49a	feat(web): extract dify ui package	2026-04-02 18:25:16 +08:00
		`@ -1 +0,0 @@`
			`../../.agents/skills/e2e-cucumber-playwright`