fix(device): display sso_error query param on /device page

2026-05-29 05:07:55 +08:00 · 2026-05-28 02:05:15 -07:00
789 changed files with 8562 additions and 23466 deletions
--- a/.agents/skills/frontend-code-review/SKILL.md
+++ b/.agents/skills/frontend-code-review/SKILL.md
@ -1,6 +1,6 @@
 ---
 name: frontend-code-review
-description: "Trigger when the user requests a review of frontend files (e.g., `.tsx`, `.ts`, `.js`). Support pending-change and focused file reviews while applying checklist rules, shared component reuse checks, and React component structure guidance from how-to-write-component."
+description: "Trigger when the user requests a review of frontend files (e.g., `.tsx`, `.ts`, `.js`). Support both pending-change reviews and focused file reviews while applying the checklist rules."
 ---

 # Frontend Code Review
@ -16,12 +16,10 @@ Stick to the checklist below for every applicable file and mode.
 ## Checklist
 See [references/code-quality.md](references/code-quality.md), [references/performance.md](references/performance.md), [references/business-logic.md](references/business-logic.md) for the living checklist split by category—treat it as the canonical set of rules to follow.

-When reviewing React/TypeScript components, also apply the repo-local `how-to-write-component` skill as the component architecture checklist. In particular, check ownership boundaries, props and API types, query/mutation usage, navigation choices, effect usage, unnecessary wrappers, and unnecessary memoization.
-
 Flag each rule violation with urgency metadata so future reviewers can prioritize fixes.

 ## Review Process
-1. Open the relevant component/module. Gather lines that relate to shared base/dify-ui component reuse, class names, styling/CSS imports, file size and component boundaries, i18n keys, behavior-sensitive UI interactions, React Flow hooks, and prop memoization.
+1. Open the relevant component/module. Gather lines that relate to class names, React Flow hooks, prop memoization, and styling.
 2. For each rule in the review point, note where the code deviates and capture a representative snippet.
 3. Compose the review section per the template below. Group violations first by **Urgent** flag, then by category order (Code Quality, Performance, Business Logic).

@ -72,3 +70,4 @@ If you use Template A (i.e., there are issues to fix) and at least one issue req
 ## Code review
 No issues found.
 ```
+
--- a/.agents/skills/frontend-code-review/references/business-logic.md
+++ b/.agents/skills/frontend-code-review/references/business-logic.md
@ -13,29 +13,3 @@ Node components are also used when creating a RAG Pipe from a template, but in t
 ### Suggested Fix

 Use `import { useNodes } from 'reactflow'` instead of `import useNodes from '@/app/components/workflow/store/workflow/use-nodes'`.
-
-## Locale keys must be complete
-
-IsUrgent: True
-Category: Business Logic
-
-### Description
-
-When adding or changing user-facing i18n keys, ensure every supported locale file has the same key set as `web/i18n/en-US/`. Do not add only English keys or only a partial subset of locales; `pnpm i18n:check --file <name>` should pass for the touched translation file.
-
-### Suggested Fix
-
-Add matching keys to every existing supported locale file for the touched translation namespace, keeping key paths aligned with the English entry.
-
-## Preserve behavior-sensitive interactions
-
-IsUrgent: True
-Category: Business Logic
-
-### Description
-
-When changing existing navigation, sidebar, dropdown, webapp list, or app-switching UI, compare behavior against the existing implementation before approving the change. Watch for regressions in expand/collapse arrows, hover persistence, pin/delete controls, routing, keyboard/focus handling, and open-state ownership.
-
-### Suggested Fix
-
-Reuse or extend the existing component when it already owns the interaction logic. If a refactor is needed, preserve the old interaction contract and add or update focused tests for the changed behavior.
--- a/.agents/skills/frontend-code-review/references/code-quality.md
+++ b/.agents/skills/frontend-code-review/references/code-quality.md
@ -7,12 +7,12 @@ Category: Code Quality

 ### Description

-Ensure conditional CSS and multi-line class composition are handled via the shared `cn` helper instead of custom ternaries, string concatenation, array `.join(' ')`, or template strings. Centralizing class logic keeps components consistent and easier to maintain.
+Ensure conditional CSS is handled via the shared `classNames` instead of custom ternaries, string concatenation, or template strings. Centralizing class logic keeps components consistent and easier to maintain.

 ### Suggested Fix

 ```ts
-import { cn } from '@langgenius/dify-ui/cn'
+import { cn } from '@/utils/classnames'
 const classNames = cn(isActive ? 'text-primary-600' : 'text-gray-500')
 ```

@ -25,34 +25,7 @@ Category: Code Quality

 Favor Tailwind CSS utility classes instead of adding new `.module.css` files unless a Tailwind combination cannot achieve the required styling. Keeping styles in Tailwind improves consistency and reduces maintenance overhead.

-## CSS files must be scoped
-
-IsUrgent: True
-Category: Code Quality
-
-### Description
-
-When CSS is truly necessary, use component-scoped `*.module.css`. Do not add component-level CSS through plain `.css` files, and do not import component CSS from `globals.css`; both patterns risk style leakage across the app.
-
-## Split oversized components cautiously
-
-Category: Code Quality
-
-### Description
-
-When a frontend file grows large or mixes multiple responsibilities, suggest splitting it into focused components, hooks, or utilities. Prefer shallow local structure that matches existing repo patterns, such as a sibling `components/` folder, and avoid deep folder hierarchies unless the surrounding code already uses them.
-
-## Reuse base and dify-ui components before hand-rolling UI
-
-Category: Code Quality
-
-### Description
-
-Before approving new or modified frontend UI, check whether the code manually recreates behavior or styling already owned by `@langgenius/dify-ui/*` or `web/app/components/base/*`. Common examples include `Button`, `Input`, `ToggleGroup`, `Popover`, `DropdownMenu`, `AlertDialog`, `Switch`, `Avatar`, `ScrollArea`, `toast`, and existing feature components. Prefer composing existing primitives instead of duplicating borders, focus states, disabled states, segmented controls, inputs, overlays, or buttons.
-
-### Suggested Fix
-
-Replace hand-written UI chrome with the nearest shared primitive, keeping feature-specific layout, state ownership, labels, and workflow behavior local.
+Update this file when adding, editing, or removing Code Quality rules so the catalog remains accurate.

 ## Classname ordering for easy overrides

@ -63,11 +36,9 @@ When writing components, always place the incoming `className` prop after the co
 Example:

 ```tsx
-import { cn } from '@langgenius/dify-ui/cn'
+import { cn } from '@/utils/classnames'

 const Button = ({ className }) => {
  return <div className={cn('bg-primary-600', className)}></div>
 }
 ```
-
-Update this file when adding, editing, or removing Code Quality rules so the catalog remains accurate.
--- a/.agents/skills/frontend-code-review/references/performance.md
+++ b/.agents/skills/frontend-code-review/references/performance.md
@ -43,14 +43,3 @@ const config = useMemo(() => ({
    config={config}
 />
 ```
-
-## Custom SVG icon generation
-
-IsUrgent: False
-Category: Performance
-
-### Description
-
-New custom SVG icons should be added to `packages/iconify-collections/assets/...`, generated with `pnpm --filter @dify/iconify-collections generate`, checked with `pnpm --filter @dify/iconify-collections check:dimensions`, and consumed through Tailwind `i-custom-*` classes. Do not add new generated React icon components or JSON files under `web/app/components/base/icons/src/...` for new custom SVG icons.
-
-When reviewing generated `packages/iconify-collections/custom-*/icons.json` diffs, verify unrelated existing icons did not lose or change intrinsic `width` / `height`.
--- a/.agents/skills/karpathy-guidelines/SKILL.md
+++ b/.agents/skills/karpathy-guidelines/SKILL.md
@ -1,33 +0,0 @@
---
-name: karpathy-guidelines
-description: Lightweight coding guardrails for making focused, simple, and verifiable changes in this repo. Use for all coding work.
---
-
-# Karpathy Guidelines
-
-Use this skill whenever you touch code in this repository.
-
-## Principles
-
- Keep the change small and directly tied to the user request.
- Prefer the simplest implementation that fits the existing codebase.
- Read the nearby code first, then match its patterns.
- Avoid unrelated refactors, broad rewrites, or style churn.
- Preserve existing behavior unless the user explicitly asked to change it.
- Treat regressions as a signal to narrow the change, not to add workaround layers.
-
-## Workflow
-
-1. Inspect the current implementation and tests around the change.
-2. Make the smallest coherent edit.
-3. Add or update focused tests when the behavior changes or the risk is non-trivial.
-4. Run the narrowest relevant verification first.
-5. Report exactly what was verified and anything left unverified.
-
-## Review Checklist
-
- Does this change solve the stated problem without expanding scope?
- Did it preserve existing route/component/data-flow semantics?
- Are new abstractions justified by real complexity?
- Are tests focused on the behavior that could regress?
- Are unrelated files and generated artifacts left alone?
--- a/MOCKS_TO_REMOVE_BEFORE_RELEASE.md
+++ b/MOCKS_TO_REMOVE_BEFORE_RELEASE.md
@ -1,4 +0,0 @@
-# Mocks to Remove Before Release
-
- `emptyAppList=true`: frontend URL preview flag for forcing the `/apps` page into the first-empty state. Remove the parser and rendering override before release.
- `emptyDataList=true`: frontend URL preview flag for forcing the `/datasets` page into the first-empty state. Remove the parser and rendering override before release.
--- a/api/commands/init.py
+++ b/api/commands/init.py
@ -11,7 +11,6 @@ from .data_migration import (
    migration_data_wizard,
 )
 from .plugin import (
-    backfill_plugin_auto_upgrade,
    extract_plugins,
    extract_unique_plugins,
    install_plugins,
@ -50,7 +49,6 @@ from .vector import (
 __all__ = [
    "add_qdrant_index",
    "archive_workflow_runs",
-    "backfill_plugin_auto_upgrade",
    "clean_expired_messages",
    "clean_workflow_runs",
    "cleanup_orphaned_draft_variables",
--- a/api/commands/plugin.py
+++ b/api/commands/plugin.py
@ -1,11 +1,10 @@
 import json
 import logging
-import time
 from typing import Any, cast

 import click
 from pydantic import TypeAdapter
-from sqlalchemy import delete, func, select
+from sqlalchemy import delete, select
 from sqlalchemy.engine import CursorResult

 from configs import dify_config
@ -16,13 +15,11 @@ from core.plugin.plugin_service import PluginService
 from core.tools.utils.system_encryption import encrypt_system_params
 from extensions.ext_database import db
 from models import Tenant
-from models.account import TenantPluginAutoUpgradeStrategy
 from models.oauth import DatasourceOauthParamConfig, DatasourceProvider
 from models.provider_ids import DatasourceProviderID, ToolProviderID
 from models.source import DataSourceApiKeyAuthBinding, DataSourceOauthBinding
 from models.tools import ToolOAuthSystemClient
 from services.plugin.data_migration import PluginDataMigration
-from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService
 from services.plugin.plugin_migration import PluginMigration

 logger = logging.getLogger(__name__)
@ -405,110 +402,6 @@ def migrate_data_for_plugin():
    click.echo(click.style("Migrate data for plugin completed.", fg="green"))


-def _candidate_auto_upgrade_strategy_tenant_ids_stmt(limit: int | None = None):
-    category_count = len(TenantPluginAutoUpgradeStrategy.PluginCategory)
-    stmt = (
-        select(TenantPluginAutoUpgradeStrategy.tenant_id)
-        .group_by(TenantPluginAutoUpgradeStrategy.tenant_id)
-        .having(func.count(func.distinct(TenantPluginAutoUpgradeStrategy.category)) < category_count)
-        .order_by(TenantPluginAutoUpgradeStrategy.tenant_id)
-    )
-
-    if limit is not None:
-        stmt = stmt.limit(limit)
-
-    return stmt
-
-
-def _count_auto_upgrade_strategy_tenant_ids(limit: int | None) -> int:
-    candidate_stmt = _candidate_auto_upgrade_strategy_tenant_ids_stmt(limit).subquery()
-    return db.session.scalar(select(func.count()).select_from(candidate_stmt)) or 0
-
-
-def _iter_auto_upgrade_strategy_tenant_ids(limit: int | None):
-    stmt = _candidate_auto_upgrade_strategy_tenant_ids_stmt(limit).execution_options(yield_per=1000)
-    yield from db.session.scalars(stmt)
-
-
-@click.command(
-    "backfill-plugin-auto-upgrade",
-    help="Backfill category-scoped plugin auto-upgrade strategies and normalize plugin lists.",
-)
-@click.option("--tenant-id", multiple=True, help="Tenant ID to backfill. Can be passed multiple times.")
-@click.option("--limit", type=int, default=None, help="Maximum number of candidate tenants to process.")
-@click.option("--batch-size", type=int, default=500, show_default=True, help="Progress reporting batch size.")
-@click.option("--dry-run", is_flag=True, help="Only print candidate tenant count.")
-def backfill_plugin_auto_upgrade(
-    tenant_id: tuple[str, ...],
-    limit: int | None,
-    batch_size: int,
-    dry_run: bool,
-):
-    """
-    Backfill historical auto-upgrade strategies after the category column exists.
-
-    Missing category rows are created from the tenant's tool/default row. Pure default
-    strategies become latest for model plugins and fix-only for all other categories.
-    Tenants with include/exclude plugin IDs are split
-    by installed plugin category using plugin daemon metadata.
-    """
-    start_at = time.perf_counter()
-    candidate_count = len(tenant_id) if tenant_id else _count_auto_upgrade_strategy_tenant_ids(limit)
-    click.echo(click.style(f"Found {candidate_count} candidate tenants.", fg="yellow"))
-
-    if dry_run:
-        elapsed = time.perf_counter() - start_at
-        click.echo(click.style(f"Dry run completed. elapsed={elapsed:.2f}s", fg="green"))
-        return
-
-    tenant_ids = list(tenant_id) if tenant_id else _iter_auto_upgrade_strategy_tenant_ids(limit)
-
-    backfilled_count = 0
-    created_count = 0
-    normalized_count = 0
-    skipped_count = 0
-    failed_count = 0
-    for index, current_tenant_id in enumerate(tenant_ids, start=1):
-        try:
-            result = PluginAutoUpgradeService.backfill_strategy_categories(
-                current_tenant_id,
-            )
-        except Exception as e:
-            failed_count += 1
-            click.echo(click.style(f"Failed tenant {current_tenant_id}: {str(e)}", fg="red"))
-            continue
-
-        if result.created_count > 0:
-            backfilled_count += 1
-            created_count += result.created_count
-        elif not result.normalized:
-            skipped_count += 1
-        if result.normalized:
-            normalized_count += 1
-
-        if batch_size > 0 and index % batch_size == 0:
-            click.echo(
-                click.style(
-                    f"Processed {index}/{candidate_count} tenants. "
-                    f"backfilled={backfilled_count}, created_rows={created_count}, "
-                    f"normalized={normalized_count}, skipped={skipped_count}, failed={failed_count}, "
-                    f"elapsed={time.perf_counter() - start_at:.2f}s",
-                    fg="yellow",
-                )
-            )
-
-    elapsed = time.perf_counter() - start_at
-    click.echo(
-        click.style(
-            f"Backfill plugin auto-upgrade strategy categories completed. "
-            f"backfilled={backfilled_count}, created_rows={created_count}, "
-            f"normalized={normalized_count}, skipped={skipped_count}, failed={failed_count}, "
-            f"elapsed={elapsed:.2f}s",
-            fg="green",
-        )
-    )
-
-
@click.command("extract-plugins", help="Extract plugins.")
@click.option("--output_file", prompt=True, help="The file to store the extracted plugins.", default="plugins.jsonl")
@click.option("--workers", prompt=True, help="The number of workers to extract plugins.", default=10)
--- a/api/controllers/console/explore/installed_app.py
+++ b/api/controllers/console/explore/installed_app.py
@ -149,28 +149,19 @@ class InstalledAppsListApi(Resource):
        if current_user.current_tenant is None:
            raise ValueError("current_user.current_tenant must not be None")
        current_user.role = TenantService.get_user_role(current_user, current_user.current_tenant)
-
-        app_ids = [installed_app.app_id for installed_app in installed_apps]
-        apps = db.session.scalars(select(App).where(App.id.in_(app_ids))).all() if app_ids else []
-        apps_by_id = {app.id: app for app in apps}
-
-        installed_app_list: list[dict[str, Any]] = []
-        for installed_app in installed_apps:
-            app_model = apps_by_id.get(installed_app.app_id)
-            if app_model is None:
-                continue
-
-            installed_app_list.append(
-                {
-                    "id": installed_app.id,
-                    "app": app_model,
-                    "app_owner_tenant_id": installed_app.app_owner_tenant_id,
-                    "is_pinned": installed_app.is_pinned,
-                    "last_used_at": installed_app.last_used_at,
-                    "editable": current_user.role in {"owner", "admin"},
-                    "uninstallable": current_tenant_id == installed_app.app_owner_tenant_id,
-                }
-            )
+        installed_app_list: list[dict[str, Any]] = [
+            {
+                "id": installed_app.id,
+                "app": installed_app.app,
+                "app_owner_tenant_id": installed_app.app_owner_tenant_id,
+                "is_pinned": installed_app.is_pinned,
+                "last_used_at": installed_app.last_used_at,
+                "editable": current_user.role in {"owner", "admin"},
+                "uninstallable": current_tenant_id == installed_app.app_owner_tenant_id,
+            }
+            for installed_app in installed_apps
+            if installed_app.app is not None
+        ]

        # filter out apps that user doesn't have access to
        if FeatureService.get_system_features().webapp_auth.enabled:
--- a/api/controllers/console/explore/recommended_app.py
+++ b/api/controllers/console/explore/recommended_app.py
@ -64,28 +64,15 @@ class RecommendedAppListResponse(ResponseModel):
    categories: list[str]


-class LearnDifyAppListResponse(ResponseModel):
-    recommended_apps: list[RecommendedAppResponse]
-
-
 register_schema_models(
    console_ns,
    RecommendedAppsQuery,
    RecommendedAppInfoResponse,
    RecommendedAppResponse,
    RecommendedAppListResponse,
-    LearnDifyAppListResponse,
 )


-def _resolve_language(language: str | None) -> str:
-    if language and language in languages:
-        return language
-    if current_user and current_user.interface_language:
-        return current_user.interface_language
-    return languages[0]
-
-
@console_ns.route("/explore/apps")
 class RecommendedAppListApi(Resource):
    @console_ns.doc(params=query_params_from_model(RecommendedAppsQuery))
@ -95,7 +82,13 @@ class RecommendedAppListApi(Resource):
    def get(self):
        # language args
        args = RecommendedAppsQuery.model_validate(request.args.to_dict(flat=True))
-        language_prefix = _resolve_language(args.language)
+        language = args.language
+        if language and language in languages:
+            language_prefix = language
+        elif current_user and current_user.interface_language:
+            language_prefix = current_user.interface_language
+        else:
+            language_prefix = languages[0]

        return RecommendedAppListResponse.model_validate(
            RecommendedAppService.get_recommended_apps_and_categories(language_prefix),
@ -103,22 +96,6 @@ class RecommendedAppListApi(Resource):
        ).model_dump(mode="json")


-@console_ns.route("/explore/apps/learn-dify")
-class LearnDifyAppListApi(Resource):
-    @console_ns.doc(params=query_params_from_model(RecommendedAppsQuery))
-    @console_ns.response(200, "Success", console_ns.models[LearnDifyAppListResponse.__name__])
-    @login_required
-    @account_initialization_required
-    def get(self):
-        args = RecommendedAppsQuery.model_validate(request.args.to_dict(flat=True))
-        language_prefix = _resolve_language(args.language)
-
-        return LearnDifyAppListResponse.model_validate(
-            RecommendedAppService.get_learn_dify_apps(language_prefix),
-            from_attributes=True,
-        ).model_dump(mode="json")
-
-
@console_ns.route("/explore/apps/<uuid:app_id>")
 class RecommendedAppApi(Resource):
    @login_required
--- a/api/controllers/console/workspace/plugin.py
+++ b/api/controllers/console/workspace/plugin.py
@ -1,21 +1,16 @@
 import io
 from collections.abc import Mapping
-from typing import Any, Literal, TypedDict
+from typing import Any, Literal

 from flask import request, send_file
 from flask_restx import Resource
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, Field
 from werkzeug.datastructures import FileStorage
 from werkzeug.exceptions import Forbidden

 from configs import dify_config
 from controllers.common.fields import SuccessResponse
-from controllers.common.schema import (
-    query_params_from_model,
-    register_enum_models,
-    register_response_schema_models,
-    register_schema_models,
-)
+from controllers.common.schema import register_enum_models, register_response_schema_models, register_schema_models
 from controllers.console import console_ns
 from controllers.console.workspace import plugin_permission_required
 from controllers.console.wraps import account_initialization_required, is_admin_or_owner_required, setup_required
@ -30,14 +25,6 @@ from services.plugin.plugin_parameter_service import PluginParameterService
 from services.plugin.plugin_permission_service import PluginPermissionService


-class AutoUpgradeSettingsResponse(TypedDict):
-    strategy_setting: TenantPluginAutoUpgradeStrategy.StrategySetting
-    upgrade_time_of_day: int
-    upgrade_mode: TenantPluginAutoUpgradeStrategy.UpgradeMode
-    exclude_plugins: list[str]
-    include_plugins: list[str]
-
-
 class ParserList(BaseModel):
    page: int = Field(default=1, ge=1, description="Page number")
    page_size: int = Field(default=256, ge=1, le=256, description="Page size (1-256)")
@ -101,8 +88,8 @@ class ParserUninstall(BaseModel):


 class ParserPermissionChange(BaseModel):
-    install_permission: TenantPluginPermission.InstallPermission = TenantPluginPermission.InstallPermission.EVERYONE
-    debug_permission: TenantPluginPermission.DebugPermission = TenantPluginPermission.DebugPermission.EVERYONE
+    install_permission: TenantPluginPermission.InstallPermission
+    debug_permission: TenantPluginPermission.DebugPermission


 class ParserDynamicOptions(BaseModel):
@ -138,40 +125,13 @@ class PluginAutoUpgradeSettingsPayload(BaseModel):
    include_plugins: list[str] = Field(default_factory=list)


-class PluginAutoUpgradeChangeResponse(ResponseModel):
-    success: bool
-    message: str | None = None
-
-
-class PluginAutoUpgradeSettingsResponseModel(ResponseModel):
-    strategy_setting: TenantPluginAutoUpgradeStrategy.StrategySetting
-    upgrade_time_of_day: int
-    upgrade_mode: TenantPluginAutoUpgradeStrategy.UpgradeMode
-    exclude_plugins: list[str]
-    include_plugins: list[str]
-
-
-class PluginAutoUpgradeFetchResponse(ResponseModel):
-    category: TenantPluginAutoUpgradeStrategy.PluginCategory
-    auto_upgrade: PluginAutoUpgradeSettingsResponseModel
-
-
-class ParserAutoUpgradeChange(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
-    category: TenantPluginAutoUpgradeStrategy.PluginCategory
+class ParserPreferencesChange(BaseModel):
+    permission: PluginPermissionSettingsPayload
    auto_upgrade: PluginAutoUpgradeSettingsPayload


-class ParserAutoUpgradeFetch(BaseModel):
-    category: TenantPluginAutoUpgradeStrategy.PluginCategory
-
-
 class ParserExcludePlugin(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
    plugin_id: str
-    category: TenantPluginAutoUpgradeStrategy.PluginCategory


 class ParserReadme(BaseModel):
@ -204,53 +164,21 @@ register_schema_models(
    ParserPermissionChange,
    ParserDynamicOptions,
    ParserDynamicOptionsWithCredentials,
-    ParserAutoUpgradeChange,
-    ParserAutoUpgradeFetch,
+    ParserPreferencesChange,
    ParserExcludePlugin,
    ParserReadme,
 )
-register_response_schema_models(
-    console_ns,
-    PluginAutoUpgradeChangeResponse,
-    PluginAutoUpgradeFetchResponse,
-    PluginAutoUpgradeSettingsResponseModel,
-    PluginDebuggingKeyResponse,
-    SuccessResponse,
-)
+register_response_schema_models(console_ns, PluginDebuggingKeyResponse, SuccessResponse)

 register_enum_models(
    console_ns,
    TenantPluginPermission.DebugPermission,
-    TenantPluginAutoUpgradeStrategy.PluginCategory,
    TenantPluginAutoUpgradeStrategy.UpgradeMode,
    TenantPluginAutoUpgradeStrategy.StrategySetting,
    TenantPluginPermission.InstallPermission,
 )


-def _default_auto_upgrade_settings(
-    tenant_id: str,
-    category: TenantPluginAutoUpgradeStrategy.PluginCategory,
-) -> AutoUpgradeSettingsResponse:
-    return {
-        "strategy_setting": PluginAutoUpgradeService.default_strategy_setting_for_category(category),
-        "upgrade_time_of_day": PluginAutoUpgradeService.default_upgrade_time_of_day(tenant_id),
-        "upgrade_mode": TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
-        "exclude_plugins": [],
-        "include_plugins": [],
-    }
-
-
-def _auto_upgrade_settings_to_dict(strategy: TenantPluginAutoUpgradeStrategy) -> AutoUpgradeSettingsResponse:
-    return {
-        "strategy_setting": strategy.strategy_setting,
-        "upgrade_time_of_day": strategy.upgrade_time_of_day,
-        "upgrade_mode": strategy.upgrade_mode,
-        "exclude_plugins": strategy.exclude_plugins,
-        "include_plugins": strategy.include_plugins,
-    }
-
-
 def _read_upload_content(file: FileStorage, max_size: int) -> bytes:
    """
    Read the uploaded file and validate its actual size before delegating to the plugin service.
@ -704,13 +632,11 @@ class PluginChangePermissionApi(Resource):

        tenant_id = current_tenant_id

-        set_permission_result = PluginPermissionService.change_permission(
-            tenant_id, args.install_permission, args.debug_permission
-        )
-        if not set_permission_result:
-            return jsonable_encoder({"success": False, "message": "Failed to set permission"})
-
-        return jsonable_encoder({"success": True})
+        return {
+            "success": PluginPermissionService.change_permission(
+                tenant_id, args.install_permission, args.debug_permission
+            )
+        }


@console_ns.route("/workspaces/current/plugin/permission/fetch")
@ -799,10 +725,9 @@ class PluginFetchDynamicSelectOptionsWithCredentialsApi(Resource):
        return jsonable_encoder({"options": options})


-@console_ns.route("/workspaces/current/plugin/auto-upgrade/change")
-class PluginChangeAutoUpgradeApi(Resource):
-    @console_ns.expect(console_ns.models[ParserAutoUpgradeChange.__name__])
-    @console_ns.response(200, "Success", console_ns.models[PluginAutoUpgradeChangeResponse.__name__])
+@console_ns.route("/workspaces/current/plugin/preferences/change")
+class PluginChangePreferencesApi(Resource):
+    @console_ns.expect(console_ns.models[ParserPreferencesChange.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@ -811,17 +736,38 @@ class PluginChangeAutoUpgradeApi(Resource):
        if not user.is_admin_or_owner:
            raise Forbidden()

-        args = ParserAutoUpgradeChange.model_validate(console_ns.payload)
+        args = ParserPreferencesChange.model_validate(console_ns.payload)
+
+        permission = args.permission
+
+        install_permission = permission.install_permission
+        debug_permission = permission.debug_permission

        auto_upgrade = args.auto_upgrade
+
+        strategy_setting = auto_upgrade.strategy_setting
+        upgrade_time_of_day = auto_upgrade.upgrade_time_of_day
+        upgrade_mode = auto_upgrade.upgrade_mode
+        exclude_plugins = auto_upgrade.exclude_plugins
+        include_plugins = auto_upgrade.include_plugins
+
+        # set permission
+        set_permission_result = PluginPermissionService.change_permission(
+            tenant_id,
+            install_permission,
+            debug_permission,
+        )
+        if not set_permission_result:
+            return jsonable_encoder({"success": False, "message": "Failed to set permission"})
+
+        # set auto upgrade strategy
        set_auto_upgrade_strategy_result = PluginAutoUpgradeService.change_strategy(
            tenant_id,
-            auto_upgrade.strategy_setting,
-            auto_upgrade.upgrade_time_of_day,
-            auto_upgrade.upgrade_mode,
-            auto_upgrade.exclude_plugins,
-            auto_upgrade.include_plugins,
-            category=args.category,
+            strategy_setting,
+            upgrade_time_of_day,
+            upgrade_mode,
+            exclude_plugins,
+            include_plugins,
        )
        if not set_auto_upgrade_strategy_result:
            return jsonable_encoder({"success": False, "message": "Failed to set auto upgrade strategy"})
@ -829,36 +775,48 @@ class PluginChangeAutoUpgradeApi(Resource):
        return jsonable_encoder({"success": True})


-@console_ns.route("/workspaces/current/plugin/auto-upgrade/fetch")
-class PluginFetchAutoUpgradeApi(Resource):
-    @console_ns.doc(params=query_params_from_model(ParserAutoUpgradeFetch))
-    @console_ns.response(200, "Success", console_ns.models[PluginAutoUpgradeFetchResponse.__name__])
+@console_ns.route("/workspaces/current/plugin/preferences/fetch")
+class PluginFetchPreferencesApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
    def get(self):
        _, tenant_id = current_account_with_tenant()

-        args = ParserAutoUpgradeFetch.model_validate(request.args.to_dict(flat=True))
-        auto_upgrade = PluginAutoUpgradeService.get_strategy(tenant_id, args.category)
-        auto_upgrade_dict = (
-            _auto_upgrade_settings_to_dict(auto_upgrade)
-            if auto_upgrade
-            else _default_auto_upgrade_settings(tenant_id, args.category)
-        )
+        permission = PluginPermissionService.get_permission(tenant_id)
+        permission_dict = {
+            "install_permission": TenantPluginPermission.InstallPermission.EVERYONE,
+            "debug_permission": TenantPluginPermission.DebugPermission.EVERYONE,
+        }

-        return jsonable_encoder(
-            {
-                "category": args.category,
-                "auto_upgrade": auto_upgrade_dict,
+        if permission:
+            permission_dict["install_permission"] = permission.install_permission
+            permission_dict["debug_permission"] = permission.debug_permission
+
+        auto_upgrade = PluginAutoUpgradeService.get_strategy(tenant_id)
+        auto_upgrade_dict = {
+            "strategy_setting": TenantPluginAutoUpgradeStrategy.StrategySetting.DISABLED,
+            "upgrade_time_of_day": 0,
+            "upgrade_mode": TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
+            "exclude_plugins": [],
+            "include_plugins": [],
+        }
+
+        if auto_upgrade:
+            auto_upgrade_dict = {
+                "strategy_setting": auto_upgrade.strategy_setting,
+                "upgrade_time_of_day": auto_upgrade.upgrade_time_of_day,
+                "upgrade_mode": auto_upgrade.upgrade_mode,
+                "exclude_plugins": auto_upgrade.exclude_plugins,
+                "include_plugins": auto_upgrade.include_plugins,
            }
-        )
+
+        return jsonable_encoder({"permission": permission_dict, "auto_upgrade": auto_upgrade_dict})


-@console_ns.route("/workspaces/current/plugin/auto-upgrade/exclude")
+@console_ns.route("/workspaces/current/plugin/preferences/autoupgrade/exclude")
 class PluginAutoUpgradeExcludePluginApi(Resource):
    @console_ns.expect(console_ns.models[ParserExcludePlugin.__name__])
-    @console_ns.response(200, "Success", console_ns.models[SuccessResponse.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@ -868,9 +826,7 @@ class PluginAutoUpgradeExcludePluginApi(Resource):

        args = ParserExcludePlugin.model_validate(console_ns.payload)

-        return jsonable_encoder(
-            {"success": PluginAutoUpgradeService.exclude_plugin(tenant_id, args.plugin_id, args.category)}
-        )
+        return jsonable_encoder({"success": PluginAutoUpgradeService.exclude_plugin(tenant_id, args.plugin_id)})


@console_ns.route("/workspaces/current/plugin/readme")
--- a/api/extensions/ext_commands.py
+++ b/api/extensions/ext_commands.py
@ -5,7 +5,6 @@ def init_app(app: DifyApp):
    from commands import (
        add_qdrant_index,
        archive_workflow_runs,
-        backfill_plugin_auto_upgrade,
        clean_expired_messages,
        clean_workflow_runs,
        cleanup_orphaned_draft_variables,
@ -54,7 +53,6 @@ def init_app(app: DifyApp):
        upgrade_db,
        fix_app_site_missing,
        migrate_data_for_plugin,
-        backfill_plugin_auto_upgrade,
        extract_plugins,
        extract_unique_plugins,
        install_plugins,
--- a/api/migrations/versions/2026_05_15_1200-f6a7b8c9d012_add_plugin_auto_upgrade_category.py
+++ b/api/migrations/versions/2026_05_15_1200-f6a7b8c9d012_add_plugin_auto_upgrade_category.py
@ -1,42 +0,0 @@
-"""add plugin auto upgrade category
-
-Revision ID: f6a7b8c9d012
-Revises: a4f2d8c9b731
-Create Date: 2026-05-15 12:00:00.000000
-
-"""
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision = "f6a7b8c9d012"
-down_revision = "a4f2d8c9b731"
-branch_labels = None
-depends_on = None
-
-
-LEGACY_CATEGORY = "tool"
-UNIQUE_CONSTRAINT_NAME = "unique_tenant_plugin_auto_upgrade_strategy"
-UPGRADE_TIME_INDEX_NAME = "idx_tenant_plugin_auto_upgrade_strategy_time"
-STRATEGY_TABLE_NAME = "tenant_plugin_auto_upgrade_strategies"
-
-
-def upgrade():
-    with op.batch_alter_table(STRATEGY_TABLE_NAME, schema=None) as batch_op:
-        batch_op.add_column(
-            sa.Column("category", sa.String(length=32), server_default=LEGACY_CATEGORY, nullable=False)
-        )
-        batch_op.drop_constraint(UNIQUE_CONSTRAINT_NAME, type_="unique")
-        batch_op.create_unique_constraint(UNIQUE_CONSTRAINT_NAME, ["tenant_id", "category"])
-        batch_op.create_index(UPGRADE_TIME_INDEX_NAME, ["upgrade_time_of_day"])
-
-
-def downgrade():
-    op.execute(sa.text(f"DELETE FROM {STRATEGY_TABLE_NAME} WHERE category != '{LEGACY_CATEGORY}'"))
-
-    with op.batch_alter_table(STRATEGY_TABLE_NAME, schema=None) as batch_op:
-        batch_op.drop_index(UPGRADE_TIME_INDEX_NAME)
-        batch_op.drop_constraint(UNIQUE_CONSTRAINT_NAME, type_="unique")
-        batch_op.drop_column("category")
-        batch_op.create_unique_constraint(UNIQUE_CONSTRAINT_NAME, ["tenant_id"])
--- a/api/migrations/versions/2026_05_18_1500-f5e8a9c0d2b3_add_learn_dify_flag_to_recommended_apps.py
+++ b/api/migrations/versions/2026_05_18_1500-f5e8a9c0d2b3_add_learn_dify_flag_to_recommended_apps.py
@ -1,26 +0,0 @@
-"""add learn dify flag to recommended apps
-
-Revision ID: f5e8a9c0d2b3
-Revises: a4f2d8c9b731
-Create Date: 2026-05-18 15:00:00.000000
-
-"""
-
-import sqlalchemy as sa
-from alembic import op
-
-# revision identifiers, used by Alembic.
-revision = "f5e8a9c0d2b3"
-down_revision = "a4f2d8c9b731"
-branch_labels = None
-depends_on = None
-
-
-def upgrade():
-    with op.batch_alter_table("recommended_apps", schema=None) as batch_op:
-        batch_op.add_column(sa.Column("is_learn_dify", sa.Boolean(), server_default=sa.text("false"), nullable=False))
-
-
-def downgrade():
-    with op.batch_alter_table("recommended_apps", schema=None) as batch_op:
-        batch_op.drop_column("is_learn_dify")
--- a/api/models/account.py
+++ b/api/models/account.py
@ -389,14 +389,6 @@ class TenantPluginPermission(TypeBase):


 class TenantPluginAutoUpgradeStrategy(TypeBase):
-    class PluginCategory(enum.StrEnum):
-        TOOL = "tool"
-        MODEL = "model"
-        EXTENSION = "extension"
-        AGENT_STRATEGY = "agent-strategy"
-        DATASOURCE = "datasource"
-        TRIGGER = "trigger"
-
    class StrategySetting(enum.StrEnum):
        DISABLED = "disabled"
        FIX_ONLY = "fix_only"
@ -410,20 +402,13 @@ class TenantPluginAutoUpgradeStrategy(TypeBase):
    __tablename__ = "tenant_plugin_auto_upgrade_strategies"
    __table_args__ = (
        sa.PrimaryKeyConstraint("id", name="tenant_plugin_auto_upgrade_strategy_pkey"),
-        sa.UniqueConstraint("tenant_id", "category", name="unique_tenant_plugin_auto_upgrade_strategy"),
-        sa.Index("idx_tenant_plugin_auto_upgrade_strategy_time", "upgrade_time_of_day"),
+        sa.UniqueConstraint("tenant_id", name="unique_tenant_plugin_auto_upgrade_strategy"),
    )

    id: Mapped[str] = mapped_column(
        StringUUID, insert_default=lambda: str(uuid4()), default_factory=lambda: str(uuid4()), init=False
    )
    tenant_id: Mapped[str] = mapped_column(StringUUID, nullable=False)
-    category: Mapped[PluginCategory] = mapped_column(
-        EnumText(PluginCategory, length=32),
-        nullable=False,
-        server_default="tool",
-        default=PluginCategory.TOOL,
-    )
    strategy_setting: Mapped[StrategySetting] = mapped_column(
        EnumText(StrategySetting, length=16),
        nullable=False,
--- a/api/models/model.py
+++ b/api/models/model.py
@ -882,9 +882,6 @@ class RecommendedApp(TypeBase):
    custom_disclaimer: Mapped[str] = mapped_column(LongText, default="")
    position: Mapped[int] = mapped_column(sa.Integer, nullable=False, default=0)
    is_listed: Mapped[bool] = mapped_column(sa.Boolean, nullable=False, default=True)
-    is_learn_dify: Mapped[bool] = mapped_column(
-        sa.Boolean, nullable=False, server_default=sa.text("false"), default=False
-    )
    install_count: Mapped[int] = mapped_column(sa.Integer, nullable=False, default=0)
    language: Mapped[str] = mapped_column(
        String(255),
--- a/api/openapi/markdown/console-swagger.md
+++ b/api/openapi/markdown/console-swagger.md
@ -5827,21 +5827,6 @@ Delete an API key for a dataset
 | ---- | ----------- | ------ |
 | 200 | Success | [RecommendedAppListResponse](#recommendedapplistresponse) |

-### /explore/apps/learn-dify
-
-#### GET
-##### Parameters
-
-| Name | Located in | Description | Required | Schema |
-| ---- | ---------- | ----------- | -------- | ------ |
-| language | query | Language code for recommended app localization | No | string |
-
-##### Responses
-
-| Code | Description | Schema |
-| ---- | ----------- | ------ |
-| 200 | Success | [LearnDifyAppListResponse](#learndifyapplistresponse) |
-
 ### /explore/apps/{app_id}

 #### GET
@ -9105,51 +9090,6 @@ Returns permission flags that control workspace features like member invitations
 | ---- | ----------- |
 | 200 | Success |

-### /workspaces/current/plugin/auto-upgrade/change
-
-#### POST
-##### Parameters
-
-| Name | Located in | Description | Required | Schema |
-| ---- | ---------- | ----------- | -------- | ------ |
-| payload | body |  | Yes | [ParserAutoUpgradeChange](#parserautoupgradechange) |
-
-##### Responses
-
-| Code | Description |
-| ---- | ----------- |
-| 200 | Success |
-
-### /workspaces/current/plugin/auto-upgrade/exclude
-
-#### POST
-##### Parameters
-
-| Name | Located in | Description | Required | Schema |
-| ---- | ---------- | ----------- | -------- | ------ |
-| payload | body |  | Yes | [ParserExcludePlugin](#parserexcludeplugin) |
-
-##### Responses
-
-| Code | Description |
-| ---- | ----------- |
-| 200 | Success |
-
-### /workspaces/current/plugin/auto-upgrade/fetch
-
-#### GET
-##### Parameters
-
-| Name | Located in | Description | Required | Schema |
-| ---- | ---------- | ----------- | -------- | ------ |
-| category | query |  | Yes | string |
-
-##### Responses
-
-| Code | Description |
-| ---- | ----------- |
-| 200 | Success |
-
 ### /workspaces/current/plugin/debugging-key

 #### GET
@ -9352,6 +9292,45 @@ Fetch dynamic options using credentials directly (for edit mode)
 | ---- | ----------- |
 | 200 | Success |

+### /workspaces/current/plugin/preferences/autoupgrade/exclude
+
+#### POST
+##### Parameters
+
+| Name | Located in | Description | Required | Schema |
+| ---- | ---------- | ----------- | -------- | ------ |
+| payload | body |  | Yes | [ParserExcludePlugin](#parserexcludeplugin) |
+
+##### Responses
+
+| Code | Description |
+| ---- | ----------- |
+| 200 | Success |
+
+### /workspaces/current/plugin/preferences/change
+
+#### POST
+##### Parameters
+
+| Name | Located in | Description | Required | Schema |
+| ---- | ---------- | ----------- | -------- | ------ |
+| payload | body |  | Yes | [ParserPreferencesChange](#parserpreferenceschange) |
+
+##### Responses
+
+| Code | Description |
+| ---- | ----------- |
+| 200 | Success |
+
+### /workspaces/current/plugin/preferences/fetch
+
+#### GET
+##### Responses
+
+| Code | Description |
+| ---- | ----------- |
+| 200 | Success |
+
 ### /workspaces/current/plugin/readme

 #### GET
@ -13420,12 +13399,6 @@ Enum class for large language model mode.
 | ---- | ---- | ----------- | -------- |
 | LLMMode | string | Enum class for large language model mode. |  |

-#### LearnDifyAppListResponse
-
-| Name | Type | Description | Required |
-| ---- | ---- | ----------- | -------- |
-| recommended_apps | [ [RecommendedAppResponse](#recommendedappresponse) ] |  | Yes |
-
 #### LegacyEndpointUpdatePayload

 | Name | Type | Description | Required |
@ -13935,19 +13908,6 @@ Form input definition.
 | file_name | string |  | Yes |
 | plugin_unique_identifier | string |  | Yes |

-#### ParserAutoUpgradeChange
-
-| Name | Type | Description | Required |
-| ---- | ---- | ----------- | -------- |
-| auto_upgrade | [PluginAutoUpgradeSettingsPayload](#pluginautoupgradesettingspayload) |  | Yes |
-| category | [PluginCategory](#plugincategory) |  | Yes |
-
-#### ParserAutoUpgradeFetch
-
-| Name | Type | Description | Required |
-| ---- | ---- | ----------- | -------- |
-| category | [PluginCategory](#plugincategory) |  | Yes |
-
 #### ParserCreateCredential

 | Name | Type | Description | Required |
@ -14044,7 +14004,6 @@ Form input definition.

 | Name | Type | Description | Required |
 | ---- | ---- | ----------- | -------- |
-| category | [PluginCategory](#plugincategory) |  | Yes |
 | plugin_id | string |  | Yes |

 #### ParserGetCredentials
@ -14132,8 +14091,8 @@ Form input definition.

 | Name | Type | Description | Required |
 | ---- | ---- | ----------- | -------- |
-| debug_permission | [DebugPermission](#debugpermission) |  | No |
-| install_permission | [InstallPermission](#installpermission) |  | No |
+| debug_permission | [DebugPermission](#debugpermission) |  | Yes |
+| install_permission | [InstallPermission](#installpermission) |  | Yes |

 #### ParserPluginIdentifierQuery

@ -14163,6 +14122,13 @@ Form input definition.
 | model | string |  | Yes |
 | model_type | [ModelType](#modeltype) |  | Yes |

+#### ParserPreferencesChange
+
+| Name | Type | Description | Required |
+| ---- | ---- | ----------- | -------- |
+| auto_upgrade | [PluginAutoUpgradeSettingsPayload](#pluginautoupgradesettingspayload) |  | Yes |
+| permission | [PluginPermissionSettingsPayload](#pluginpermissionsettingspayload) |  | Yes |
+
 #### ParserPreferredProviderType

 | Name | Type | Description | Required |
@ -14272,12 +14238,6 @@ Form input definition.
 | upgrade_mode | [UpgradeMode](#upgrademode) |  | No |
 | upgrade_time_of_day | integer |  | No |

-#### PluginCategory
-
-| Name | Type | Description | Required |
-| ---- | ---- | ----------- | -------- |
-| PluginCategory | string |  |  |
-
 #### PluginDebuggingKeyResponse

 | Name | Type | Description | Required |
--- a/api/schedule/check_upgradable_plugin_task.py
+++ b/api/schedule/check_upgradable_plugin_task.py
@ -73,7 +73,6 @@ def check_upgradable_plugin_task():
                strategy.upgrade_mode,
                strategy.exclude_plugins,
                strategy.include_plugins,
-                strategy.category,
            )

        # Only sleep if batch_interval_time > 0.0001 AND current batch is not the last one
--- a/api/services/account_service.py
+++ b/api/services/account_service.py
@ -70,7 +70,6 @@ from services.errors.account import (
 )
 from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
 from services.feature_service import FeatureService
-from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService
 from tasks.delete_account_task import delete_account_task
 from tasks.mail_account_deletion_task import send_account_deletion_verification_code
 from tasks.mail_change_mail_task import (
@ -1134,17 +1133,15 @@ class TenantService:
        db.session.add(tenant)
        db.session.commit()

-        for category in TenantPluginAutoUpgradeStrategy.PluginCategory:
-            plugin_upgrade_strategy = TenantPluginAutoUpgradeStrategy(
-                tenant_id=tenant.id,
-                category=category,
-                strategy_setting=PluginAutoUpgradeService.default_strategy_setting_for_category(category),
-                upgrade_time_of_day=PluginAutoUpgradeService.default_upgrade_time_of_day(tenant.id),
-                upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
-                exclude_plugins=[],
-                include_plugins=[],
-            )
-            db.session.add(plugin_upgrade_strategy)
+        plugin_upgrade_strategy = TenantPluginAutoUpgradeStrategy(
+            tenant_id=tenant.id,
+            strategy_setting=TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
+            upgrade_time_of_day=0,
+            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
+            exclude_plugins=[],
+            include_plugins=[],
+        )
+        db.session.add(plugin_upgrade_strategy)
        db.session.commit()

        tenant.encrypt_public_key = generate_key_pair(tenant.id)
--- a/api/services/app_service.py
+++ b/api/services/app_service.py
@ -149,7 +149,7 @@ class AppService:
                return None

        app_models = db.paginate(
-            sa.select(App).where(*filters).order_by(App.updated_at.desc()),
+            sa.select(App).where(*filters).order_by(App.created_at.desc()),
            page=params.page,
            per_page=params.limit,
            error_out=False,
--- a/api/services/plugin/plugin_auto_upgrade_service.py
+++ b/api/services/plugin/plugin_auto_upgrade_service.py
@ -1,296 +1,19 @@
-"""Manage tenant plugin auto-upgrade strategies.
-
-The storage is category-scoped: each tenant can have one strategy per plugin
-category. Public mutation helpers require an explicit category so callers do
-not accidentally overwrite every plugin type with one workspace-level policy.
-"""
-
-import logging
-from dataclasses import dataclass
-from hashlib import sha256
-
 from sqlalchemy import select
-from sqlalchemy.orm import Session

 from core.db.session_factory import session_factory
-from core.plugin.impl.plugin import PluginInstaller
 from models.account import TenantPluginAutoUpgradeStrategy

-logger = logging.getLogger(__name__)
-
-PluginCategory = TenantPluginAutoUpgradeStrategy.PluginCategory
-PLUGIN_CATEGORIES = tuple(PluginCategory)
-SECONDS_PER_DAY = 24 * 60 * 60
-AUTO_UPGRADE_CHECK_SLOT_SECONDS = 15 * 60
-AUTO_UPGRADE_CHECK_SLOT_COUNT = SECONDS_PER_DAY // AUTO_UPGRADE_CHECK_SLOT_SECONDS
-
-
-@dataclass(frozen=True)
-class PluginAutoUpgradeBackfillResult:
-    created_count: int
-    normalized: bool
-

 class PluginAutoUpgradeService:
    @staticmethod
-    def default_strategy_setting_for_category(
-        category: PluginCategory,
-    ) -> TenantPluginAutoUpgradeStrategy.StrategySetting:
-        if category == PluginCategory.MODEL:
-            return TenantPluginAutoUpgradeStrategy.StrategySetting.LATEST
-        return TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY
-
-    @staticmethod
-    def default_upgrade_time_of_day(tenant_id: str) -> int:
-        """Spread default checks across 15-minute aligned slots by tenant."""
-        hash_input = tenant_id.encode()
-        slot = int.from_bytes(sha256(hash_input).digest()[:8], "big") % AUTO_UPGRADE_CHECK_SLOT_COUNT
-        return slot * AUTO_UPGRADE_CHECK_SLOT_SECONDS
-
-    @staticmethod
-    def _coerce_category(category: object) -> PluginCategory | None:
-        """Accept daemon enum/string categories and ignore unknown values."""
-        category_value = getattr(category, "value", category)
-        if category_value is None:
-            return None
-
-        try:
-            return PluginCategory(str(category_value))
-        except ValueError:
-            return None
-
-    @staticmethod
-    def _get_installed_plugin_categories(tenant_id: str) -> dict[str, PluginCategory]:
-        """Build a plugin_id -> category map for splitting legacy include/exclude lists."""
-        installed_plugins = PluginInstaller().list_plugins(tenant_id)
-        plugin_categories: dict[str, PluginCategory] = {}
-
-        for plugin in installed_plugins:
-            plugin_category = PluginAutoUpgradeService._coerce_category(plugin.declaration.category)
-            if plugin_category is not None:
-                plugin_categories[plugin.plugin_id] = plugin_category
-
-        return plugin_categories
-
-    @staticmethod
-    def _filter_plugin_ids_for_category(
-        plugin_ids: list[str],
-        category: PluginCategory,
-        plugin_categories: dict[str, PluginCategory],
-    ) -> list[str]:
-        return [plugin_id for plugin_id in plugin_ids if plugin_categories.get(plugin_id) == category]
-
-    @staticmethod
-    def _log_unknown_plugin_ids(
-        tenant_id: str,
-        field_name: str,
-        plugin_ids: list[str],
-        plugin_categories: dict[str, PluginCategory],
-    ) -> None:
-        unknown_plugin_ids = [plugin_id for plugin_id in plugin_ids if plugin_id not in plugin_categories]
-        if not unknown_plugin_ids:
-            return
-
-        logger.warning(
-            "Skipped unknown plugin IDs while backfilling plugin auto-upgrade strategies: "
-            "tenant_id=%s, field=%s, plugin_ids=%s",
-            tenant_id,
-            field_name,
-            unknown_plugin_ids,
-        )
-
-    @staticmethod
-    def _has_default_strategy(strategy: TenantPluginAutoUpgradeStrategy) -> bool:
-        return (
-            strategy.strategy_setting == TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY
-            and strategy.upgrade_time_of_day == 0
-            and strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE
-            and not strategy.exclude_plugins
-            and not strategy.include_plugins
-        )
-
-    @staticmethod
-    def _strategy_setting_for_category(
-        source_strategy: TenantPluginAutoUpgradeStrategy,
-        category: PluginCategory,
-        source_has_default_strategy: bool,
-    ) -> TenantPluginAutoUpgradeStrategy.StrategySetting:
-        # Only pure legacy defaults adopt the new model=latest default. User-edited
-        # strategies keep their original setting across all categories.
-        if source_has_default_strategy:
-            return PluginAutoUpgradeService.default_strategy_setting_for_category(category)
-        return source_strategy.strategy_setting
-
-    @staticmethod
-    def _upgrade_time_of_day_for_category(
-        tenant_id: str,
-        source_strategy: TenantPluginAutoUpgradeStrategy,
-        source_has_default_strategy: bool,
-    ) -> int:
-        # Pure legacy defaults are spread by tenant so all default rows do not
-        # concentrate in the same scheduler window. User-edited schedules keep their time.
-        if source_has_default_strategy:
-            return PluginAutoUpgradeService.default_upgrade_time_of_day(tenant_id)
-        return source_strategy.upgrade_time_of_day
-
-    @staticmethod
-    def backfill_strategy_categories(
-        tenant_id: str,
-    ) -> PluginAutoUpgradeBackfillResult:
-        """Create missing category strategies and split include/exclude lists when needed.
-
-        The historical row is treated as the workspace-level source strategy.
-        New category rows copy it first, then plugin lists are narrowed by real
-        plugin category when the source strategy contains include/exclude IDs.
-        """
-        with session_factory.create_session() as session, session.begin():
-            strategies = list(
-                session.scalars(
-                    select(TenantPluginAutoUpgradeStrategy).where(
-                        TenantPluginAutoUpgradeStrategy.tenant_id == tenant_id
-                    )
-                ).all()
-            )
-            if not strategies:
-                return PluginAutoUpgradeBackfillResult(created_count=0, normalized=False)
-
-            # Schema migration marks the historical workspace-level row as tool.
-            source_strategy = next(
-                (strategy for strategy in strategies if strategy.category == PluginCategory.TOOL),
-                strategies[0],
-            )
-            source_has_default_strategy = PluginAutoUpgradeService._has_default_strategy(source_strategy)
-            strategies_by_category = {strategy.category: strategy for strategy in strategies}
-            exclude_plugins = source_strategy.exclude_plugins
-            include_plugins = source_strategy.include_plugins
-            should_split_plugin_lists = bool(exclude_plugins or include_plugins)
-            # Query daemon only for tenants that actually customized plugin lists.
-            plugin_categories = (
-                PluginAutoUpgradeService._get_installed_plugin_categories(tenant_id)
-                if should_split_plugin_lists
-                else {}
-            )
-            if should_split_plugin_lists:
-                PluginAutoUpgradeService._log_unknown_plugin_ids(
-                    tenant_id,
-                    "exclude_plugins",
-                    exclude_plugins,
-                    plugin_categories,
-                )
-                PluginAutoUpgradeService._log_unknown_plugin_ids(
-                    tenant_id,
-                    "include_plugins",
-                    include_plugins,
-                    plugin_categories,
-                )
-
-            created_count = 0
-            for category in PLUGIN_CATEGORIES:
-                strategy = strategies_by_category.get(category)
-                if strategy is None:
-                    # Start from the legacy workspace-level behavior before narrowing lists.
-                    strategy = TenantPluginAutoUpgradeStrategy(
-                        tenant_id=tenant_id,
-                        category=category,
-                        strategy_setting=PluginAutoUpgradeService._strategy_setting_for_category(
-                            source_strategy, category, source_has_default_strategy
-                        ),
-                        upgrade_time_of_day=PluginAutoUpgradeService._upgrade_time_of_day_for_category(
-                            tenant_id, source_strategy, source_has_default_strategy
-                        ),
-                        upgrade_mode=source_strategy.upgrade_mode,
-                        exclude_plugins=source_strategy.exclude_plugins.copy(),
-                        include_plugins=source_strategy.include_plugins.copy(),
-                    )
-                    session.add(strategy)
-                    created_count += 1
-                elif source_has_default_strategy:
-                    strategy.strategy_setting = PluginAutoUpgradeService.default_strategy_setting_for_category(
-                        strategy.category
-                    )
-                    strategy.upgrade_time_of_day = PluginAutoUpgradeService.default_upgrade_time_of_day(tenant_id)
-
-                if not should_split_plugin_lists:
-                    continue
-
-                # Narrow include/exclude lists to the current category after all rows exist.
-                strategy.exclude_plugins = PluginAutoUpgradeService._filter_plugin_ids_for_category(
-                    exclude_plugins,
-                    strategy.category,
-                    plugin_categories,
-                )
-                strategy.include_plugins = PluginAutoUpgradeService._filter_plugin_ids_for_category(
-                    include_plugins,
-                    strategy.category,
-                    plugin_categories,
-                )
-
-            return PluginAutoUpgradeBackfillResult(created_count=created_count, normalized=should_split_plugin_lists)
-
-    @staticmethod
-    def _get_strategy(
-        session: Session,
-        tenant_id: str,
-        category: PluginCategory,
-    ) -> TenantPluginAutoUpgradeStrategy | None:
-        return session.scalar(
-            select(TenantPluginAutoUpgradeStrategy)
-            .where(
-                TenantPluginAutoUpgradeStrategy.tenant_id == tenant_id,
-                TenantPluginAutoUpgradeStrategy.category == category,
-            )
-            .limit(1)
-        )
-
-    @staticmethod
-    def get_strategy(
-        tenant_id: str,
-        category: PluginCategory,
-    ) -> TenantPluginAutoUpgradeStrategy | None:
+    def get_strategy(tenant_id: str) -> TenantPluginAutoUpgradeStrategy | None:
        with session_factory.create_session() as session:
-            return PluginAutoUpgradeService._get_strategy(session, tenant_id, category)
-
-    @staticmethod
-    def get_strategies(tenant_id: str) -> list[TenantPluginAutoUpgradeStrategy]:
-        with session_factory.create_session() as session:
-            return list(
-                session.scalars(
-                    select(TenantPluginAutoUpgradeStrategy).where(
-                        TenantPluginAutoUpgradeStrategy.tenant_id == tenant_id
-                    )
-                ).all()
+            return session.scalar(
+                select(TenantPluginAutoUpgradeStrategy)
+                .where(TenantPluginAutoUpgradeStrategy.tenant_id == tenant_id)
+                .limit(1)
            )

-    @staticmethod
-    def _change_strategy(
-        session: Session,
-        tenant_id: str,
-        category: PluginCategory,
-        strategy_setting: TenantPluginAutoUpgradeStrategy.StrategySetting,
-        upgrade_time_of_day: int,
-        upgrade_mode: TenantPluginAutoUpgradeStrategy.UpgradeMode,
-        exclude_plugins: list[str],
-        include_plugins: list[str],
-    ) -> None:
-        exist_strategy = PluginAutoUpgradeService._get_strategy(session, tenant_id, category)
-        if not exist_strategy:
-            strategy = TenantPluginAutoUpgradeStrategy(
-                tenant_id=tenant_id,
-                category=category,
-                strategy_setting=strategy_setting,
-                upgrade_time_of_day=upgrade_time_of_day,
-                upgrade_mode=upgrade_mode,
-                exclude_plugins=exclude_plugins,
-                include_plugins=include_plugins,
-            )
-            session.add(strategy)
-        else:
-            exist_strategy.strategy_setting = strategy_setting
-            exist_strategy.upgrade_time_of_day = upgrade_time_of_day
-            exist_strategy.upgrade_mode = upgrade_mode
-            exist_strategy.exclude_plugins = exclude_plugins
-            exist_strategy.include_plugins = include_plugins
-
    @staticmethod
    def change_strategy(
        tenant_id: str,
@ -299,72 +22,64 @@ class PluginAutoUpgradeService:
        upgrade_mode: TenantPluginAutoUpgradeStrategy.UpgradeMode,
        exclude_plugins: list[str],
        include_plugins: list[str],
-        category: PluginCategory,
    ) -> bool:
        with session_factory.create_session() as session, session.begin():
-            PluginAutoUpgradeService._change_strategy(
-                session,
-                tenant_id=tenant_id,
-                category=category,
-                strategy_setting=strategy_setting,
-                upgrade_time_of_day=upgrade_time_of_day,
-                upgrade_mode=upgrade_mode,
-                exclude_plugins=exclude_plugins,
-                include_plugins=include_plugins,
+            exist_strategy = session.scalar(
+                select(TenantPluginAutoUpgradeStrategy)
+                .where(TenantPluginAutoUpgradeStrategy.tenant_id == tenant_id)
+                .limit(1)
            )
+            if not exist_strategy:
+                strategy = TenantPluginAutoUpgradeStrategy(
+                    tenant_id=tenant_id,
+                    strategy_setting=strategy_setting,
+                    upgrade_time_of_day=upgrade_time_of_day,
+                    upgrade_mode=upgrade_mode,
+                    exclude_plugins=exclude_plugins,
+                    include_plugins=include_plugins,
+                )
+                session.add(strategy)
+            else:
+                exist_strategy.strategy_setting = strategy_setting
+                exist_strategy.upgrade_time_of_day = upgrade_time_of_day
+                exist_strategy.upgrade_mode = upgrade_mode
+                exist_strategy.exclude_plugins = exclude_plugins
+                exist_strategy.include_plugins = include_plugins

            return True

    @staticmethod
-    def _exclude_plugin(
-        session: Session,
-        tenant_id: str,
-        category: PluginCategory,
-        plugin_id: str,
-    ) -> None:
-        """Remove one plugin from automatic updates for a single category strategy."""
-        exist_strategy = PluginAutoUpgradeService._get_strategy(session, tenant_id, category)
-        if not exist_strategy:
-            PluginAutoUpgradeService._change_strategy(
-                session,
-                tenant_id,
-                category,
-                TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
-                0,
-                TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
-                [plugin_id],
-                [],
-            )
-        else:
-            if exist_strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE:
-                # In exclude mode, disabling one plugin means adding it to exclude_plugins.
-                if plugin_id not in exist_strategy.exclude_plugins:
-                    new_exclude_plugins = exist_strategy.exclude_plugins.copy()
-                    new_exclude_plugins.append(plugin_id)
-                    exist_strategy.exclude_plugins = new_exclude_plugins
-            elif exist_strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.PARTIAL:
-                # In partial mode, disabling one plugin means removing it from include_plugins.
-                if plugin_id in exist_strategy.include_plugins:
-                    new_include_plugins = exist_strategy.include_plugins.copy()
-                    new_include_plugins.remove(plugin_id)
-                    exist_strategy.include_plugins = new_include_plugins
-            elif exist_strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL:
-                # In all mode, switch to exclude mode so only this plugin is skipped.
-                exist_strategy.upgrade_mode = TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE
-                exist_strategy.exclude_plugins = [plugin_id]
-
-    @staticmethod
-    def exclude_plugin(
-        tenant_id: str,
-        plugin_id: str,
-        category: PluginCategory,
-    ) -> bool:
+    def exclude_plugin(tenant_id: str, plugin_id: str) -> bool:
        with session_factory.create_session() as session, session.begin():
-            PluginAutoUpgradeService._exclude_plugin(
-                session,
-                tenant_id,
-                category,
-                plugin_id,
+            exist_strategy = session.scalar(
+                select(TenantPluginAutoUpgradeStrategy)
+                .where(TenantPluginAutoUpgradeStrategy.tenant_id == tenant_id)
+                .limit(1)
            )
+            if not exist_strategy:
+                # create for this tenant
+                PluginAutoUpgradeService.change_strategy(
+                    tenant_id,
+                    TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
+                    0,
+                    TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
+                    [plugin_id],
+                    [],
+                )
+                return True
+            else:
+                if exist_strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE:
+                    if plugin_id not in exist_strategy.exclude_plugins:
+                        new_exclude_plugins = exist_strategy.exclude_plugins.copy()
+                        new_exclude_plugins.append(plugin_id)
+                        exist_strategy.exclude_plugins = new_exclude_plugins
+                elif exist_strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.PARTIAL:
+                    if plugin_id in exist_strategy.include_plugins:
+                        new_include_plugins = exist_strategy.include_plugins.copy()
+                        new_include_plugins.remove(plugin_id)
+                        exist_strategy.include_plugins = new_include_plugins
+                elif exist_strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL:
+                    exist_strategy.upgrade_mode = TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE
+                    exist_strategy.exclude_plugins = [plugin_id]

-            return True
+                return True
--- a/api/services/recommend_app/database/database_retrieval.py
+++ b/api/services/recommend_app/database/database_retrieval.py
@ -1,4 +1,4 @@
-from typing import Any, NotRequired, TypedDict
+from typing import Any, TypedDict

 from sqlalchemy import select

@ -22,7 +22,6 @@ class RecommendedAppItemDict(TypedDict):
    categories: list[str]
    position: int
    is_listed: bool
-    can_trial: NotRequired[bool]


 class RecommendedAppsResultDict(TypedDict):
@ -62,47 +61,14 @@ class DatabaseRecommendAppRetrieval(RecommendAppRetrievalBase):
        :param language: language
        :return:
        """
-        recommended_apps = cls._fetch_listed_recommended_apps(language)
+        recommended_apps = db.session.scalars(
+            select(RecommendedApp).where(RecommendedApp.is_listed == True, RecommendedApp.language == language)
+        ).all()

        if len(recommended_apps) == 0:
-            recommended_apps = cls._fetch_listed_recommended_apps(languages[0])
-
-        return cls._format_recommended_apps(recommended_apps, language)
-
-    @classmethod
-    def fetch_learn_dify_apps_from_db(cls, language: str) -> RecommendedAppsResultDict:
-        """
-        Fetch listed recommended apps explicitly marked for the Learn Dify section.
-        :param language: language
-        :return:
-        """
-        recommended_apps = cls._fetch_listed_recommended_apps(language, is_learn_dify=True)
-
-        if len(recommended_apps) == 0 and language != languages[0]:
-            recommended_apps = cls._fetch_listed_recommended_apps(languages[0], is_learn_dify=True)
-
-        return cls._format_recommended_apps(recommended_apps, language)
-
-    @classmethod
-    def _fetch_listed_recommended_apps(
-        cls, language: str, *, is_learn_dify: bool | None = None
-    ) -> list[RecommendedApp]:
-        filters = [RecommendedApp.is_listed.is_(True), RecommendedApp.language == language]
-        if is_learn_dify is not None:
-            filters.append(RecommendedApp.is_learn_dify.is_(is_learn_dify))
-
-        return db.session.scalars(select(RecommendedApp).where(*filters)).all()
-
-    @classmethod
-    def _format_recommended_apps(
-        cls, recommended_apps: list[RecommendedApp], language: str
-    ) -> RecommendedAppsResultDict:
-        """
-        Serialize DB recommended app rows into the Explore list response shape.
-        :param recommended_apps: recommended app rows
-        :param language: language used for category ordering
-        :return:
-        """
+            recommended_apps = db.session.scalars(
+                select(RecommendedApp).where(RecommendedApp.is_listed == True, RecommendedApp.language == languages[0])
+            ).all()

        categories = set()
        recommended_apps_result: list[RecommendedAppItemDict] = []
--- a/api/services/recommended_app_service.py
+++ b/api/services/recommended_app_service.py
@ -6,7 +6,6 @@ from configs import dify_config
 from extensions.ext_database import db
 from models.model import AccountTrialAppRecord, TrialApp
 from services.feature_service import FeatureService
-from services.recommend_app.database.database_retrieval import DatabaseRecommendAppRetrieval
 from services.recommend_app.recommend_app_factory import RecommendAppRetrievalFactory


@ -32,24 +31,13 @@ class RecommendedAppService:
            apps = result["recommended_apps"]
            for app in apps:
                app_id = app["app_id"]
-                app["can_trial"] = cls._can_trial_app(app_id)
+                trial_app_model = db.session.scalar(select(TrialApp).where(TrialApp.app_id == app_id).limit(1))
+                if trial_app_model:
+                    app["can_trial"] = True
+                else:
+                    app["can_trial"] = False
        return result

-    @classmethod
-    def get_learn_dify_apps(cls, language: str) -> dict[str, Any]:
-        """
-        Get database-backed recommended apps marked as Learn Dify.
-        :param language: language
-        :return:
-        """
-        result = DatabaseRecommendAppRetrieval.fetch_learn_dify_apps_from_db(language)
-
-        if FeatureService.get_system_features().enable_trial_app:
-            for app in result["recommended_apps"]:
-                app["can_trial"] = cls._can_trial_app(app["app_id"])
-
-        return {"recommended_apps": result["recommended_apps"]}
-
    @classmethod
    def get_recommend_app_detail(cls, app_id: str) -> dict[str, Any] | None:
        """
@ -64,7 +52,11 @@ class RecommendedAppService:
            return None
        if FeatureService.get_system_features().enable_trial_app:
            app_id = result["id"]
-            result["can_trial"] = cls._can_trial_app(app_id)
+            trial_app_model = db.session.scalar(select(TrialApp).where(TrialApp.app_id == app_id).limit(1))
+            if trial_app_model:
+                result["can_trial"] = True
+            else:
+                result["can_trial"] = False
        return result

    @classmethod
@ -85,8 +77,3 @@ class RecommendedAppService:
        else:
            db.session.add(AccountTrialAppRecord(app_id=app_id, count=1, account_id=account_id))
            db.session.commit()
-
-    @staticmethod
-    def _can_trial_app(app_id: str) -> bool:
-        trial_app_model = db.session.scalar(select(TrialApp).where(TrialApp.app_id == app_id).limit(1))
-        return trial_app_model is not None
--- a/api/tasks/process_tenant_plugin_autoupgrade_check_task.py
+++ b/api/tasks/process_tenant_plugin_autoupgrade_check_task.py
@ -7,7 +7,7 @@ import click
 from celery import shared_task

 from core.plugin.entities.marketplace import MarketplacePluginSnapshot
-from core.plugin.entities.plugin import PluginInstallation, PluginInstallationSource
+from core.plugin.entities.plugin import PluginInstallationSource
 from core.plugin.impl.plugin import PluginInstaller
 from core.plugin.plugin_service import PluginService
 from extensions.ext_redis import redis_client
@ -15,7 +15,6 @@ from models.account import TenantPluginAutoUpgradeStrategy

 logger = logging.getLogger(__name__)

-PluginCategory = TenantPluginAutoUpgradeStrategy.PluginCategory
 RETRY_TIMES_OF_ONE_PLUGIN_IN_ONE_TENANT = 3
 CACHE_REDIS_KEY_PREFIX = "plugin_autoupgrade_check_task:cached_plugin_snapshot:"
 CACHE_REDIS_TTL = 60 * 60  # 1 hour
@ -73,25 +72,6 @@ def marketplace_batch_fetch_plugin_manifests(
    return result


-def _normalize_category(category: PluginCategory | str | None) -> str | None:
-    if category is None:
-        return None
-    if isinstance(category, PluginCategory):
-        return category.value
-    return str(category)
-
-
-def _plugin_matches_category(plugin: PluginInstallation, category: str | None) -> bool:
-    """Return whether an installed plugin should be checked by a category strategy."""
-    if category is None:
-        return True
-
-    declaration = getattr(plugin, "declaration", None)
-    plugin_category = getattr(declaration, "category", None)
-    plugin_category_value = getattr(plugin_category, "value", plugin_category)
-    return plugin_category_value == category
-
-
@shared_task(queue="plugin")
 def process_tenant_plugin_autoupgrade_check_task(
    tenant_id: str,
@ -100,15 +80,13 @@ def process_tenant_plugin_autoupgrade_check_task(
    upgrade_mode: TenantPluginAutoUpgradeStrategy.UpgradeMode,
    exclude_plugins: list[str],
    include_plugins: list[str],
-    category: PluginCategory | str | None = None,
 ):
    try:
        manager = PluginInstaller()
-        category_value = _normalize_category(category)

        click.echo(
            click.style(
-                f"Checking upgradable plugin for tenant: {tenant_id}, category: {category_value or 'all'}",
+                f"Checking upgradable plugin for tenant: {tenant_id}",
                fg="green",
            )
        )
@ -124,11 +102,7 @@ def process_tenant_plugin_autoupgrade_check_task(
            all_plugins = manager.list_plugins(tenant_id)

            for plugin in all_plugins:
-                if (
-                    plugin.source == PluginInstallationSource.Marketplace
-                    and plugin.plugin_id in include_plugins
-                    and _plugin_matches_category(plugin, category_value)
-                ):
+                if plugin.source == PluginInstallationSource.Marketplace and plugin.plugin_id in include_plugins:
                    plugin_ids.append(
                        (
                            plugin.plugin_id,
@ -143,9 +117,7 @@ def process_tenant_plugin_autoupgrade_check_task(
            plugin_ids = [
                (plugin.plugin_id, plugin.version, plugin.plugin_unique_identifier)
                for plugin in all_plugins
-                if plugin.source == PluginInstallationSource.Marketplace
-                and plugin.plugin_id not in exclude_plugins
-                and _plugin_matches_category(plugin, category_value)
+                if plugin.source == PluginInstallationSource.Marketplace and plugin.plugin_id not in exclude_plugins
            ]
        elif upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL:
            all_plugins = manager.list_plugins(tenant_id)
@ -153,7 +125,6 @@ def process_tenant_plugin_autoupgrade_check_task(
                (plugin.plugin_id, plugin.version, plugin.plugin_unique_identifier)
                for plugin in all_plugins
                if plugin.source == PluginInstallationSource.Marketplace
-                and _plugin_matches_category(plugin, category_value)
            ]

        if not plugin_ids:
--- a/api/tests/integration_tests/services/plugin/test_plugin_lifecycle.py
+++ b/api/tests/integration_tests/services/plugin/test_plugin_lifecycle.py
@ -7,8 +7,6 @@ from models.account import TenantPluginAutoUpgradeStrategy, TenantPluginPermissi
 from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService
 from services.plugin.plugin_permission_service import PluginPermissionService

-PLUGIN_CATEGORY = TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL
-

@pytest.fixture
 def tenant(flask_req_ctx):
@ -73,7 +71,7 @@ class TestPluginPermissionLifecycle:

 class TestPluginAutoUpgradeLifecycle:
    def test_get_returns_none_for_new_tenant(self, tenant):
-        assert PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY) is None
+        assert PluginAutoUpgradeService.get_strategy(tenant) is None

    def test_change_creates_row(self, tenant):
        result = PluginAutoUpgradeService.change_strategy(
@ -83,11 +81,10 @@ class TestPluginAutoUpgradeLifecycle:
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL,
            exclude_plugins=[],
            include_plugins=[],
-            category=PLUGIN_CATEGORY,
        )
        assert result is True

-        strategy = PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY)
+        strategy = PluginAutoUpgradeService.get_strategy(tenant)
        assert strategy is not None
        assert strategy.strategy_setting == TenantPluginAutoUpgradeStrategy.StrategySetting.LATEST
        assert strategy.upgrade_time_of_day == 3
@ -100,7 +97,6 @@ class TestPluginAutoUpgradeLifecycle:
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL,
            exclude_plugins=[],
            include_plugins=[],
-            category=PLUGIN_CATEGORY,
        )
        PluginAutoUpgradeService.change_strategy(
            tenant,
@ -109,10 +105,9 @@ class TestPluginAutoUpgradeLifecycle:
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.PARTIAL,
            exclude_plugins=[],
            include_plugins=["plugin-a"],
-            category=PLUGIN_CATEGORY,
        )

-        strategy = PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY)
+        strategy = PluginAutoUpgradeService.get_strategy(tenant)
        assert strategy is not None
        assert strategy.strategy_setting == TenantPluginAutoUpgradeStrategy.StrategySetting.LATEST
        assert strategy.upgrade_time_of_day == 12
@ -120,9 +115,9 @@ class TestPluginAutoUpgradeLifecycle:
        assert strategy.include_plugins == ["plugin-a"]

    def test_exclude_plugin_creates_strategy_when_none_exists(self, tenant):
-        PluginAutoUpgradeService.exclude_plugin(tenant, "my-plugin", PLUGIN_CATEGORY)
+        PluginAutoUpgradeService.exclude_plugin(tenant, "my-plugin")

-        strategy = PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY)
+        strategy = PluginAutoUpgradeService.get_strategy(tenant)
        assert strategy is not None
        assert strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE
        assert "my-plugin" in strategy.exclude_plugins
@ -135,11 +130,10 @@ class TestPluginAutoUpgradeLifecycle:
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
            exclude_plugins=["existing"],
            include_plugins=[],
-            category=PLUGIN_CATEGORY,
        )
-        PluginAutoUpgradeService.exclude_plugin(tenant, "new-plugin", PLUGIN_CATEGORY)
+        PluginAutoUpgradeService.exclude_plugin(tenant, "new-plugin")

-        strategy = PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY)
+        strategy = PluginAutoUpgradeService.get_strategy(tenant)
        assert strategy is not None
        assert "existing" in strategy.exclude_plugins
        assert "new-plugin" in strategy.exclude_plugins
@ -152,11 +146,10 @@ class TestPluginAutoUpgradeLifecycle:
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
            exclude_plugins=["same-plugin"],
            include_plugins=[],
-            category=PLUGIN_CATEGORY,
        )
-        PluginAutoUpgradeService.exclude_plugin(tenant, "same-plugin", PLUGIN_CATEGORY)
+        PluginAutoUpgradeService.exclude_plugin(tenant, "same-plugin")

-        strategy = PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY)
+        strategy = PluginAutoUpgradeService.get_strategy(tenant)
        assert strategy is not None
        assert strategy.exclude_plugins.count("same-plugin") == 1

@ -168,11 +161,10 @@ class TestPluginAutoUpgradeLifecycle:
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.PARTIAL,
            exclude_plugins=[],
            include_plugins=["p1", "p2"],
-            category=PLUGIN_CATEGORY,
        )
-        PluginAutoUpgradeService.exclude_plugin(tenant, "p1", PLUGIN_CATEGORY)
+        PluginAutoUpgradeService.exclude_plugin(tenant, "p1")

-        strategy = PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY)
+        strategy = PluginAutoUpgradeService.get_strategy(tenant)
        assert strategy is not None
        assert "p1" not in strategy.include_plugins
        assert "p2" in strategy.include_plugins
@ -185,11 +177,10 @@ class TestPluginAutoUpgradeLifecycle:
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL,
            exclude_plugins=[],
            include_plugins=[],
-            category=PLUGIN_CATEGORY,
        )
-        PluginAutoUpgradeService.exclude_plugin(tenant, "excluded-plugin", PLUGIN_CATEGORY)
+        PluginAutoUpgradeService.exclude_plugin(tenant, "excluded-plugin")

-        strategy = PluginAutoUpgradeService.get_strategy(tenant, PLUGIN_CATEGORY)
+        strategy = PluginAutoUpgradeService.get_strategy(tenant)
        assert strategy is not None
        assert strategy.upgrade_mode == TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE
        assert "excluded-plugin" in strategy.exclude_plugins
--- a/api/tests/test_containers_integration_tests/conftest.py
+++ b/api/tests/test_containers_integration_tests/conftest.py
@ -505,7 +505,7 @@ def _truncate_container_database(app: Flask) -> None:
    session_factory-created sessions. Truncating after each test gives the suite
    a central DB isolation contract that does not depend on which session a test used.
    This only covers SQLAlchemy application tables in db.metadata for now;
-    object storage and custom ad hoc metadata still need their own cleanup.
+    Redis, object storage, and custom ad hoc metadata still need their own cleanup.
    """
    with app.app_context():
        db.session.remove()
@ -524,27 +524,13 @@ def _truncate_container_database(app: Flask) -> None:
        db.session.remove()


-def _flush_container_redis(app: Flask) -> None:
-    """
-    Reset Redis after a container integration test.
-
-    Tests in this package share one Redis container for performance. Application
-    code stores temporary tokens, rate-limit counters, locks, and cache entries
-    there, so flushing after each test gives Redis-backed state the same
-    isolation contract as the PostgreSQL container.
-    """
-    with app.app_context():
-        app.extensions["redis"].flushdb()
-
-
@pytest.fixture(autouse=True)
 def isolate_container_database(request: pytest.FixtureRequest) -> Generator[None, None, None]:
    """
-    Clean DB and Redis state after tests that use the containerized Flask app.
+    Clean DB state after tests that use the containerized Flask app.

    This fixture intentionally does not depend on flask_app_with_containers so
-    tests under this package do not start the full app/container stack just to
-    run state cleanup.
+    non-DB tests under this package do not start the full app/container stack.
    """
    yield

@ -552,10 +538,7 @@ def isolate_container_database(request: pytest.FixtureRequest) -> Generator[None
        return

    app = request.getfixturevalue("flask_app_with_containers")
-    try:
-        _truncate_container_database(app)
-    finally:
-        _flush_container_redis(app)
+    _truncate_container_database(app)


@pytest.fixture(scope="package", autouse=True)
--- a/api/tests/test_containers_integration_tests/services/recommend_app/test_database_retrieval.py
+++ b/api/tests/test_containers_integration_tests/services/recommend_app/test_database_retrieval.py
@ -51,7 +51,6 @@ def _create_recommended_app(
    categories: list[str] | None = None,
    language: str = "en-US",
    is_listed: bool = True,
-    is_learn_dify: bool = False,
    position: int = 1,
 ) -> RecommendedApp:
    rec = RecommendedApp(
@ -63,7 +62,6 @@ def _create_recommended_app(
        categories=[category] if categories is None else categories,
        language=language,
        is_listed=is_listed,
-        is_learn_dify=is_learn_dify,
        position=position,
    )
    rec.id = str(uuid4())
@ -207,65 +205,6 @@ class TestFetchRecommendedAppsFromDb:
        app_ids = {r["app_id"] for r in result["recommended_apps"]}
        assert app1.id not in app_ids

-    def test_fetch_learn_dify_apps_uses_flag_not_categories(
-        self,
-        flask_app_with_containers,
-        db_session_with_containers: Session,
-    ):
-        tenant_id = str(uuid4())
-        learn_dify_app = _create_app(db_session_with_containers, tenant_id=tenant_id)
-        _create_site(db_session_with_containers, app_id=learn_dify_app.id)
-        _create_recommended_app(
-            db_session_with_containers,
-            app_id=learn_dify_app.id,
-            category="workflow",
-            categories=["Workflow"],
-            is_learn_dify=True,
-        )
-
-        category_only_app = _create_app(db_session_with_containers, tenant_id=tenant_id)
-        _create_site(db_session_with_containers, app_id=category_only_app.id)
-        _create_recommended_app(
-            db_session_with_containers,
-            app_id=category_only_app.id,
-            category="Learn Dify",
-            categories=["Learn Dify"],
-            is_learn_dify=False,
-        )
-
-        db_session_with_containers.expire_all()
-
-        result = DatabaseRecommendAppRetrieval.fetch_learn_dify_apps_from_db("en-US")
-
-        app_ids = {r["app_id"] for r in result["recommended_apps"]}
-        assert learn_dify_app.id in app_ids
-        assert category_only_app.id not in app_ids
-        recommended_app = next(item for item in result["recommended_apps"] if item["app_id"] == learn_dify_app.id)
-        assert recommended_app["categories"] == ["Workflow"]
-
-    def test_fetch_learn_dify_apps_falls_back_to_default_language(
-        self,
-        flask_app_with_containers,
-        db_session_with_containers: Session,
-    ):
-        tenant_id = str(uuid4())
-        learn_dify_app = _create_app(db_session_with_containers, tenant_id=tenant_id)
-        _create_site(db_session_with_containers, app_id=learn_dify_app.id)
-        _create_recommended_app(
-            db_session_with_containers,
-            app_id=learn_dify_app.id,
-            categories=["Workflow"],
-            is_learn_dify=True,
-            language="en-US",
-        )
-
-        db_session_with_containers.expire_all()
-
-        result = DatabaseRecommendAppRetrieval.fetch_learn_dify_apps_from_db("fr-FR")
-
-        app_ids = {r["app_id"] for r in result["recommended_apps"]}
-        assert learn_dify_app.id in app_ids
-

 class TestFetchRecommendedAppDetailFromDb:
    def test_returns_none_when_not_listed(self, flask_app_with_containers: Flask, db_session_with_containers: Session):
--- a/api/tests/test_containers_integration_tests/test_container_state_isolation.py
+++ b/api/tests/test_containers_integration_tests/test_container_state_isolation.py
@ -1,39 +0,0 @@
-from __future__ import annotations
-
-from uuid import uuid4
-
-from extensions.ext_redis import redis_client
-from models.account import Account
-
-ACCOUNT_EMAIL = f"container-state-isolation-{uuid4()}@example.com"
-REDIS_KEY = f"container-state-isolation:{uuid4()}"
-
-
-def test_1_container_state_can_be_written(
-    flask_app_with_containers,
-    db_session_with_containers,
-) -> None:
-    account = Account(
-        name="Container State Isolation",
-        email=ACCOUNT_EMAIL,
-        password="hashed-password",
-        password_salt="salt",
-        interface_language="en-US",
-        timezone="UTC",
-    )
-    db_session_with_containers.add(account)
-    db_session_with_containers.commit()
-
-    with flask_app_with_containers.app_context():
-        redis_client.set(REDIS_KEY, "leaked")
-        assert redis_client.get(REDIS_KEY) == b"leaked"
-
-
-def test_2_container_state_is_flushed_between_tests(
-    flask_app_with_containers,
-    db_session_with_containers,
-) -> None:
-    assert db_session_with_containers.query(Account).filter_by(email=ACCOUNT_EMAIL).one_or_none() is None
-
-    with flask_app_with_containers.app_context():
-        assert redis_client.get(REDIS_KEY) is None
--- a/api/tests/unit_tests/controllers/console/explore/test_installed_app.py
+++ b/api/tests/unit_tests/controllers/console/explore/test_installed_app.py
@ -31,7 +31,6 @@ def current_user(tenant_id):
 def installed_app():
    app = MagicMock()
    app.id = "ia1"
-    app.app_id = "a1"
    app.app = MagicMock(id="a1")
    app.app_owner_tenant_id = "t2"
    app.is_pinned = False
@ -39,22 +38,6 @@ def installed_app():
    return app


-def make_scalars_result(items: list[MagicMock]) -> MagicMock:
-    result = MagicMock()
-    result.all.return_value = items
-    return result
-
-
-def make_installed_apps_session(installed_apps: list[MagicMock]) -> MagicMock:
-    session = MagicMock()
-    app_models = [installed_app.app for installed_app in installed_apps if installed_app.app is not None]
-    session.scalars.side_effect = [
-        make_scalars_result(installed_apps),
-        make_scalars_result(app_models),
-    ]
-    return session
-
-
@pytest.fixture
 def payload_patch():
    def _patch(payload):
@ -73,7 +56,8 @@ class TestInstalledAppsListApi:
        api = module.InstalledAppsListApi()
        method = unwrap(api.get)

-        session = make_installed_apps_session([installed_app])
+        session = MagicMock()
+        session.scalars.return_value.all.return_value = [installed_app]

        with (
            app.test_request_context("/"),
@ -96,7 +80,8 @@ class TestInstalledAppsListApi:
        api = module.InstalledAppsListApi()
        method = unwrap(api.get)

-        session = make_installed_apps_session([])
+        session = MagicMock()
+        session.scalars.return_value.all.return_value = []

        with (
            app.test_request_context("/?app_id=a1"),
@ -118,7 +103,8 @@ class TestInstalledAppsListApi:
        api = module.InstalledAppsListApi()
        method = unwrap(api.get)

-        session = make_installed_apps_session([installed_app])
+        session = MagicMock()
+        session.scalars.return_value.all.return_value = [installed_app]

        mock_webapp_setting = MagicMock()
        mock_webapp_setting.access_mode = "restricted"
@ -153,7 +139,8 @@ class TestInstalledAppsListApi:
        api = module.InstalledAppsListApi()
        method = unwrap(api.get)

-        session = make_installed_apps_session([installed_app])
+        session = MagicMock()
+        session.scalars.return_value.all.return_value = [installed_app]

        mock_webapp_setting = MagicMock()
        mock_webapp_setting.access_mode = "restricted"
@ -188,7 +175,8 @@ class TestInstalledAppsListApi:
        api = module.InstalledAppsListApi()
        method = unwrap(api.get)

-        session = make_installed_apps_session([installed_app])
+        session = MagicMock()
+        session.scalars.return_value.all.return_value = [installed_app]

        mock_webapp_setting = MagicMock()
        mock_webapp_setting.access_mode = "sso_verified"
@ -219,10 +207,10 @@ class TestInstalledAppsListApi:
        method = unwrap(api.get)

        installed_app_with_null = MagicMock()
-        installed_app_with_null.app_id = "a1"
        installed_app_with_null.app = None

-        session = make_installed_apps_session([installed_app_with_null])
+        session = MagicMock()
+        session.scalars.return_value.all.return_value = [installed_app_with_null]

        with (
            app.test_request_context("/"),
@ -247,7 +235,8 @@ class TestInstalledAppsListApi:
        current_user = MagicMock()
        current_user.current_tenant = None

-        session = make_installed_apps_session([installed_app])
+        session = MagicMock()
+        session.scalars.return_value.all.return_value = [installed_app]

        with (
            app.test_request_context("/"),
--- a/api/tests/unit_tests/controllers/console/explore/test_recommended_app.py
+++ b/api/tests/unit_tests/controllers/console/explore/test_recommended_app.py
@ -74,48 +74,6 @@ class TestRecommendedAppListApi:
        assert result == result_data


-class TestLearnDifyAppListApi:
-    def test_get_with_language_param(self, app: Flask):
-        api = module.LearnDifyAppListApi()
-        method = unwrap(api.get)
-
-        result_data = {"recommended_apps": []}
-
-        with (
-            app.test_request_context("/", query_string={"language": "en-US"}),
-            patch.object(module, "current_user", MagicMock(interface_language="fr-FR")),
-            patch.object(
-                module.RecommendedAppService,
-                "get_learn_dify_apps",
-                return_value=result_data,
-            ) as service_mock,
-        ):
-            result = method(api)
-
-        service_mock.assert_called_once_with("en-US")
-        assert result == result_data
-
-    def test_get_fallback_to_user_language(self, app: Flask):
-        api = module.LearnDifyAppListApi()
-        method = unwrap(api.get)
-
-        result_data = {"recommended_apps": []}
-
-        with (
-            app.test_request_context("/", query_string={"language": "invalid"}),
-            patch.object(module, "current_user", MagicMock(interface_language="fr-FR")),
-            patch.object(
-                module.RecommendedAppService,
-                "get_learn_dify_apps",
-                return_value=result_data,
-            ) as service_mock,
-        ):
-            result = method(api)
-
-        service_mock.assert_called_once_with("fr-FR")
-        assert result == result_data
-
-
 class TestRecommendedAppApi:
    def test_get_success(self, app: Flask):
        api = module.RecommendedAppApi()
@ -181,29 +139,3 @@ class TestRecommendedAppResponseModels:
        assert response["recommended_apps"][0]["app_id"] == "app-1"
        assert response["recommended_apps"][0]["categories"] == ["cat", "other"]
        assert response["categories"] == ["cat"]
-
-    def test_learn_dify_app_list_response_serialization(self):
-        response = module.LearnDifyAppListResponse.model_validate(
-            {
-                "recommended_apps": [
-                    {
-                        "app": {
-                            "id": "app-1",
-                            "name": "App",
-                            "mode": "chat",
-                            "icon": "icon.png",
-                            "icon_type": "emoji",
-                            "icon_background": "#fff",
-                        },
-                        "app_id": "app-1",
-                        "description": "desc",
-                        "categories": ["Workflow"],
-                        "position": 1,
-                        "is_listed": True,
-                    }
-                ],
-            }
-        ).model_dump(mode="json")
-
-        assert response["recommended_apps"][0]["app_id"] == "app-1"
-        assert response["recommended_apps"][0]["categories"] == ["Workflow"]
--- a/api/tests/unit_tests/controllers/console/workspace/test_plugin.py
+++ b/api/tests/unit_tests/controllers/console/workspace/test_plugin.py
@ -9,13 +9,12 @@ from werkzeug.exceptions import Forbidden
 from controllers.console.workspace.plugin import (
    PluginAssetApi,
    PluginAutoUpgradeExcludePluginApi,
-    PluginChangeAutoUpgradeApi,
    PluginChangePermissionApi,
+    PluginChangePreferencesApi,
    PluginDebuggingKeyApi,
    PluginDeleteAllInstallTaskItemsApi,
    PluginDeleteInstallTaskApi,
    PluginDeleteInstallTaskItemApi,
-    PluginFetchAutoUpgradeApi,
    PluginFetchDynamicSelectOptionsApi,
    PluginFetchDynamicSelectOptionsWithCredentialsApi,
    PluginFetchInstallTaskApi,
@ -23,6 +22,7 @@ from controllers.console.workspace.plugin import (
    PluginFetchManifestApi,
    PluginFetchMarketplacePkgApi,
    PluginFetchPermissionApi,
+    PluginFetchPreferencesApi,
    PluginIconApi,
    PluginInstallFromGithubApi,
    PluginInstallFromMarketplaceApi,
@ -901,15 +901,18 @@ class TestPluginFetchDynamicSelectOptionsWithCredentialsApi:
            assert result == ({"code": "plugin_error", "message": "error"}, 400)


-class TestPluginChangeAutoUpgradeApi:
+class TestPluginChangePreferencesApi:
    def test_success(self, app: Flask):
-        api = PluginChangeAutoUpgradeApi()
+        api = PluginChangePreferencesApi()
        method = unwrap(api.post)

        user = MagicMock(is_admin_or_owner=True)

        payload = {
-            "category": TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL.value,
+            "permission": {
+                "install_permission": TenantPluginPermission.InstallPermission.EVERYONE,
+                "debug_permission": TenantPluginPermission.DebugPermission.EVERYONE,
+            },
            "auto_upgrade": {
                "strategy_setting": TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
                "upgrade_time_of_day": 0,
@ -922,53 +925,24 @@ class TestPluginChangeAutoUpgradeApi:
        with (
            app.test_request_context("/", json=payload),
            patch("controllers.console.workspace.plugin.current_account_with_tenant", return_value=(user, "t1")),
-            patch(
-                "controllers.console.workspace.plugin.PluginAutoUpgradeService.change_strategy", return_value=True
-            ) as change,
+            patch("controllers.console.workspace.plugin.PluginPermissionService.change_permission", return_value=True),
+            patch("controllers.console.workspace.plugin.PluginAutoUpgradeService.change_strategy", return_value=True),
        ):
            result = method(api)

        assert result["success"] is True
-        change.assert_called_once()

-    def test_success_with_model_category_auto_upgrade(self, app: Flask):
-        api = PluginChangeAutoUpgradeApi()
+    def test_permission_fail(self, app: Flask):
+        api = PluginChangePreferencesApi()
        method = unwrap(api.post)

        user = MagicMock(is_admin_or_owner=True)

        payload = {
-            "category": TenantPluginAutoUpgradeStrategy.PluginCategory.MODEL.value,
-            "auto_upgrade": {
-                "strategy_setting": TenantPluginAutoUpgradeStrategy.StrategySetting.LATEST,
-                "upgrade_time_of_day": 3600,
-                "upgrade_mode": TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL,
-                "exclude_plugins": [],
-                "include_plugins": [],
+            "permission": {
+                "install_permission": TenantPluginPermission.InstallPermission.EVERYONE,
+                "debug_permission": TenantPluginPermission.DebugPermission.EVERYONE,
            },
-        }
-
-        with (
-            app.test_request_context("/", json=payload),
-            patch("controllers.console.workspace.plugin.current_account_with_tenant", return_value=(user, "t1")),
-            patch(
-                "controllers.console.workspace.plugin.PluginAutoUpgradeService.change_strategy", return_value=True
-            ) as change,
-        ):
-            result = method(api)
-
-        assert result["success"] is True
-        change.assert_called_once()
-        assert change.call_args.kwargs["category"] == TenantPluginAutoUpgradeStrategy.PluginCategory.MODEL
-
-    def test_auto_upgrade_fail(self, app: Flask):
-        api = PluginChangeAutoUpgradeApi()
-        method = unwrap(api.post)
-
-        user = MagicMock(is_admin_or_owner=True)
-
-        payload = {
-            "category": TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL.value,
            "auto_upgrade": {
                "strategy_setting": TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
                "upgrade_time_of_day": 0,
@ -981,20 +955,24 @@ class TestPluginChangeAutoUpgradeApi:
        with (
            app.test_request_context("/", json=payload),
            patch("controllers.console.workspace.plugin.current_account_with_tenant", return_value=(user, "t1")),
-            patch("controllers.console.workspace.plugin.PluginAutoUpgradeService.change_strategy", return_value=False),
+            patch("controllers.console.workspace.plugin.PluginPermissionService.change_permission", return_value=False),
        ):
            result = method(api)

        assert result["success"] is False


-class TestPluginFetchAutoUpgradeApi:
+class TestPluginFetchPreferencesApi:
    def test_success(self, app: Flask):
-        api = PluginFetchAutoUpgradeApi()
+        api = PluginFetchPreferencesApi()
        method = unwrap(api.get)

+        permission = MagicMock(
+            install_permission=TenantPluginPermission.InstallPermission.EVERYONE,
+            debug_permission=TenantPluginPermission.DebugPermission.EVERYONE,
+        )
+
        auto_upgrade = MagicMock(
-            category=TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL,
            strategy_setting=TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
            upgrade_time_of_day=1,
            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
@ -1003,17 +981,19 @@ class TestPluginFetchAutoUpgradeApi:
        )

        with (
-            app.test_request_context(f"/?category={TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL.value}"),
+            app.test_request_context("/"),
            patch("controllers.console.workspace.plugin.current_account_with_tenant", return_value=(None, "t1")),
            patch(
-                "controllers.console.workspace.plugin.PluginAutoUpgradeService.get_strategy",
-                return_value=auto_upgrade,
+                "controllers.console.workspace.plugin.PluginPermissionService.get_permission", return_value=permission
+            ),
+            patch(
+                "controllers.console.workspace.plugin.PluginAutoUpgradeService.get_strategy", return_value=auto_upgrade
            ),
        ):
            result = method(api)

-        assert result["category"] == TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL
-        assert result["auto_upgrade"]["upgrade_time_of_day"] == 1
+        assert "permission" in result
+        assert "auto_upgrade" in result


 class TestPluginAutoUpgradeExcludePluginApi:
@ -1021,7 +1001,7 @@ class TestPluginAutoUpgradeExcludePluginApi:
        api = PluginAutoUpgradeExcludePluginApi()
        method = unwrap(api.post)

-        payload = {"plugin_id": "p", "category": TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL.value}
+        payload = {"plugin_id": "p"}

        with (
            app.test_request_context("/", json=payload),
@ -1036,7 +1016,7 @@ class TestPluginAutoUpgradeExcludePluginApi:
        api = PluginAutoUpgradeExcludePluginApi()
        method = unwrap(api.post)

-        payload = {"plugin_id": "p", "category": TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL.value}
+        payload = {"plugin_id": "p"}

        with (
            app.test_request_context("/", json=payload),
--- a/api/tests/unit_tests/services/plugin/test_plugin_auto_upgrade_service.py
+++ b/api/tests/unit_tests/services/plugin/test_plugin_auto_upgrade_service.py
@ -1,10 +1,8 @@
-from types import SimpleNamespace
 from unittest.mock import MagicMock, patch

 from models.account import TenantPluginAutoUpgradeStrategy

 MODULE = "services.plugin.plugin_auto_upgrade_service"
-PLUGIN_CATEGORY = TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL


 def _patched_session():
@ -27,7 +25,7 @@ class TestGetStrategy:
        with p1:
            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService

-            result = PluginAutoUpgradeService.get_strategy("t1", PLUGIN_CATEGORY)
+            result = PluginAutoUpgradeService.get_strategy("t1")

        assert result is strategy

@ -38,7 +36,7 @@ class TestGetStrategy:
        with p1:
            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService

-            result = PluginAutoUpgradeService.get_strategy("t1", PLUGIN_CATEGORY)
+            result = PluginAutoUpgradeService.get_strategy("t1")

        assert result is None

@ -59,7 +57,6 @@ class TestChangeStrategy:
                TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL,
                [],
                [],
-                category=PLUGIN_CATEGORY,
            )

        assert result is True
@ -80,7 +77,6 @@ class TestChangeStrategy:
                TenantPluginAutoUpgradeStrategy.UpgradeMode.PARTIAL,
                ["p1"],
                ["p2"],
-                category=PLUGIN_CATEGORY,
            )

        assert result is True
@ -100,19 +96,17 @@ class TestExcludePlugin:
            p1,
            patch(f"{MODULE}.select"),
            patch(f"{MODULE}.TenantPluginAutoUpgradeStrategy") as strat_cls,
+            patch(f"{MODULE}.PluginAutoUpgradeService.change_strategy") as cs,
        ):
            strat_cls.StrategySetting.FIX_ONLY = "fix_only"
            strat_cls.UpgradeMode.EXCLUDE = "exclude"
+            cs.return_value = True
            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService

-            result = PluginAutoUpgradeService.exclude_plugin(
-                "t1",
-                "plugin-1",
-                PLUGIN_CATEGORY,
-            )
+            result = PluginAutoUpgradeService.exclude_plugin("t1", "plugin-1")

        assert result is True
-        session.add.assert_called_once()
+        cs.assert_called_once()

    def test_appends_to_exclude_list_in_exclude_mode(self):
        p1, session = _patched_session()
@ -127,7 +121,7 @@ class TestExcludePlugin:
            strat_cls.UpgradeMode.ALL = "all"
            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService

-            result = PluginAutoUpgradeService.exclude_plugin("t1", "p-new", PLUGIN_CATEGORY)
+            result = PluginAutoUpgradeService.exclude_plugin("t1", "p-new")

        assert result is True
        assert existing.exclude_plugins == ["p-existing", "p-new"]
@ -145,7 +139,7 @@ class TestExcludePlugin:
            strat_cls.UpgradeMode.ALL = "all"
            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService

-            result = PluginAutoUpgradeService.exclude_plugin("t1", "p1", PLUGIN_CATEGORY)
+            result = PluginAutoUpgradeService.exclude_plugin("t1", "p1")

        assert result is True
        assert existing.include_plugins == ["p2"]
@ -162,7 +156,7 @@ class TestExcludePlugin:
            strat_cls.UpgradeMode.ALL = "all"
            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService

-            result = PluginAutoUpgradeService.exclude_plugin("t1", "p1", PLUGIN_CATEGORY)
+            result = PluginAutoUpgradeService.exclude_plugin("t1", "p1")

        assert result is True
        assert existing.upgrade_mode == "exclude"
@ -181,101 +175,6 @@ class TestExcludePlugin:
            strat_cls.UpgradeMode.ALL = "all"
            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService

-            PluginAutoUpgradeService.exclude_plugin("t1", "p1", PLUGIN_CATEGORY)
+            PluginAutoUpgradeService.exclude_plugin("t1", "p1")

        assert existing.exclude_plugins == ["p1"]
-
-
-class TestBackfillStrategyCategories:
-    def test_creates_default_missing_categories_without_fetching_daemon(self):
-        p1, session = _patched_session()
-        tool_strategy = SimpleNamespace(
-            category=TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL,
-            strategy_setting=TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
-            upgrade_time_of_day=0,
-            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
-            exclude_plugins=[],
-            include_plugins=[],
-        )
-        session.scalars.return_value.all.return_value = [tool_strategy]
-        installer = MagicMock()
-
-        with p1, patch(f"{MODULE}.PluginInstaller", return_value=installer):
-            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService
-
-            result = PluginAutoUpgradeService.backfill_strategy_categories("t1")
-            expected_time = PluginAutoUpgradeService.default_upgrade_time_of_day("t1")
-
-        assert result.created_count == len(TenantPluginAutoUpgradeStrategy.PluginCategory) - 1
-        assert result.normalized is False
-        installer.list_plugins.assert_not_called()
-        assert tool_strategy.upgrade_time_of_day == expected_time
-        created_strategies = [call.args[0] for call in session.add.call_args_list]
-        model_strategy = next(
-            strategy
-            for strategy in created_strategies
-            if strategy.category == TenantPluginAutoUpgradeStrategy.PluginCategory.MODEL
-        )
-        assert model_strategy.strategy_setting == TenantPluginAutoUpgradeStrategy.StrategySetting.LATEST
-        assert model_strategy.upgrade_time_of_day == expected_time
-
-    def test_default_upgrade_time_is_aligned_to_fifteen_minutes(self):
-        from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService
-
-        default_time = PluginAutoUpgradeService.default_upgrade_time_of_day("t1")
-
-        assert default_time % (15 * 60) == 0
-        assert 0 <= default_time < 24 * 60 * 60
-
-    def test_creates_missing_categories_and_splits_known_plugins(self):
-        p1, session = _patched_session()
-        tool_strategy = SimpleNamespace(
-            category=TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL,
-            strategy_setting=TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
-            upgrade_time_of_day=0,
-            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
-            exclude_plugins=["tool-plugin", "model-plugin", "unknown-plugin"],
-            include_plugins=["model-plugin", "tool-plugin"],
-        )
-        model_strategy = SimpleNamespace(
-            category=TenantPluginAutoUpgradeStrategy.PluginCategory.MODEL,
-            strategy_setting=TenantPluginAutoUpgradeStrategy.StrategySetting.FIX_ONLY,
-            upgrade_time_of_day=0,
-            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.EXCLUDE,
-            exclude_plugins=["tool-plugin", "model-plugin", "unknown-plugin"],
-            include_plugins=["model-plugin", "tool-plugin"],
-        )
-        session.scalars.return_value.all.return_value = [tool_strategy, model_strategy]
-
-        installed_plugins = [
-            SimpleNamespace(
-                plugin_id="tool-plugin",
-                declaration=SimpleNamespace(category=TenantPluginAutoUpgradeStrategy.PluginCategory.TOOL),
-            ),
-            SimpleNamespace(
-                plugin_id="model-plugin",
-                declaration=SimpleNamespace(category=TenantPluginAutoUpgradeStrategy.PluginCategory.MODEL),
-            ),
-        ]
-        installer = MagicMock()
-        installer.list_plugins.return_value = installed_plugins
-
-        with p1, patch(f"{MODULE}.PluginInstaller", return_value=installer), patch(f"{MODULE}.logger") as logger:
-            from services.plugin.plugin_auto_upgrade_service import PluginAutoUpgradeService
-
-            result = PluginAutoUpgradeService.backfill_strategy_categories("t1")
-
-        assert result.created_count == len(TenantPluginAutoUpgradeStrategy.PluginCategory) - 2
-        assert result.normalized is True
-        assert session.add.call_count == len(TenantPluginAutoUpgradeStrategy.PluginCategory) - 2
-        assert tool_strategy.exclude_plugins == ["tool-plugin"]
-        assert tool_strategy.include_plugins == ["tool-plugin"]
-        assert model_strategy.exclude_plugins == ["model-plugin"]
-        assert model_strategy.include_plugins == ["model-plugin"]
-        logger.warning.assert_called_once_with(
-            "Skipped unknown plugin IDs while backfilling plugin auto-upgrade strategies: "
-            "tenant_id=%s, field=%s, plugin_ids=%s",
-            "t1",
-            "exclude_plugins",
-            ["unknown-plugin"],
-        )
--- a/api/tests/unit_tests/services/test_recommended_app_service.py
+++ b/api/tests/unit_tests/services/test_recommended_app_service.py
@ -7,7 +7,6 @@ returns None causes a TypeError / KeyError in self-hosted mode.
 from types import SimpleNamespace
 from unittest.mock import MagicMock, patch

-from services import recommended_app_service as service_module
 from services.recommended_app_service import RecommendedAppService


@ -45,40 +44,3 @@ class TestGetRecommendAppDetailNullCheck:

        assert result is None
        mock_instance.get_recommend_app_detail.assert_called_once_with("nonexistent")
-
-
-class TestGetLearnDifyApps:
-    @patch("services.recommended_app_service.FeatureService", autospec=True)
-    @patch("services.recommended_app_service.DatabaseRecommendAppRetrieval", autospec=True)
-    def test_returns_database_learn_dify_apps_without_remote_factory(
-        self, mock_database_retrieval, mock_feature_service
-    ):
-        expected_app = {"app_id": "app-1", "categories": ["Workflow"]}
-        mock_database_retrieval.fetch_learn_dify_apps_from_db.return_value = {
-            "recommended_apps": [expected_app],
-            "categories": ["Workflow"],
-        }
-        mock_feature_service.get_system_features.return_value = SimpleNamespace(enable_trial_app=False)
-
-        with patch.object(service_module.RecommendAppRetrievalFactory, "get_recommend_app_factory") as factory_mock:
-            result = RecommendedAppService.get_learn_dify_apps("en-US")
-
-        assert result == {"recommended_apps": [expected_app]}
-        mock_database_retrieval.fetch_learn_dify_apps_from_db.assert_called_once_with("en-US")
-        factory_mock.assert_not_called()
-
-    @patch("services.recommended_app_service.FeatureService", autospec=True)
-    @patch("services.recommended_app_service.DatabaseRecommendAppRetrieval", autospec=True)
-    def test_sets_can_trial_when_trial_feature_enabled(self, mock_database_retrieval, mock_feature_service):
-        app = {"app_id": "app-1", "categories": ["Workflow"]}
-        mock_database_retrieval.fetch_learn_dify_apps_from_db.return_value = {
-            "recommended_apps": [app],
-            "categories": ["Workflow"],
-        }
-        mock_feature_service.get_system_features.return_value = SimpleNamespace(enable_trial_app=True)
-
-        with patch.object(RecommendedAppService, "_can_trial_app", return_value=True) as can_trial_mock:
-            result = RecommendedAppService.get_learn_dify_apps("en-US")
-
-        assert result["recommended_apps"][0]["can_trial"] is True
-        can_trial_mock.assert_called_once_with("app-1")
--- a/api/tests/unit_tests/tasks/test_process_tenant_plugin_autoupgrade_check_task.py
+++ b/api/tests/unit_tests/tasks/test_process_tenant_plugin_autoupgrade_check_task.py
@ -4,25 +4,19 @@ from types import SimpleNamespace
 from unittest.mock import MagicMock, patch

 from core.plugin.entities.marketplace import MarketplacePluginSnapshot
-from core.plugin.entities.plugin import PluginCategory, PluginInstallationSource
+from core.plugin.entities.plugin import PluginInstallationSource
 from models.account import TenantPluginAutoUpgradeStrategy

 MODULE = "tasks.process_tenant_plugin_autoupgrade_check_task"


-def _make_plugin(
-    plugin_id: str,
-    version: str,
-    source=PluginInstallationSource.Marketplace,
-    category: PluginCategory = PluginCategory.Tool,
-):
+def _make_plugin(plugin_id: str, version: str, source=PluginInstallationSource.Marketplace):
    """Build a minimal stand-in for a PluginInstallation entry returned by manager.list_plugins."""
    return SimpleNamespace(
        plugin_id=plugin_id,
        version=version,
        plugin_unique_identifier=f"{plugin_id}:{version}@deadbeef",
        source=source,
-        declaration=SimpleNamespace(category=category),
    )


@ -45,7 +39,6 @@ def _run_task(
    upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL,
    exclude_plugins=None,
    include_plugins=None,
-    category=None,
 ):
    """
    Execute the celery task synchronously with mocks for the plugin manager,
@ -79,7 +72,6 @@ def _run_task(
            upgrade_mode,
            exclude_plugins or [],
            include_plugins or [],
-            category,
        )

    return upgrade_mock, upgrade_calls
@ -254,26 +246,6 @@ class TestUpgradeMode:
        assert upgrade_mock.call_count == 1
        assert calls[0][1] == plugins[0].plugin_unique_identifier

-    def test_category_strategy_only_upgrades_matching_category(self):
-        plugins = [
-            _make_plugin("acme/model-provider", "1.0.0", category=PluginCategory.Model),
-            _make_plugin("acme/tool-provider", "1.0.0", category=PluginCategory.Tool),
-        ]
-        manifests = [
-            _make_manifest("acme/model-provider", "1.0.1"),
-            _make_manifest("acme/tool-provider", "1.0.1"),
-        ]
-
-        upgrade_mock, calls = _run_task(
-            plugins=plugins,
-            manifests=manifests,
-            upgrade_mode=TenantPluginAutoUpgradeStrategy.UpgradeMode.ALL,
-            category=TenantPluginAutoUpgradeStrategy.PluginCategory.MODEL,
-        )
-
-        upgrade_mock.assert_called_once()
-        assert calls[0][1] == plugins[0].plugin_unique_identifier
-

 class TestErrorIsolation:
    def test_one_plugin_failure_does_not_block_others(self):
--- a/cli/src/api/app-meta.test.ts
+++ b/cli/src/api/app-meta.test.ts
@ -6,8 +6,8 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import { startMock } from '../../test/fixtures/dify-mock/server.js'
 import { loadAppInfoCache } from '../cache/app-info.js'
 import { createClient } from '../http/client.js'
-import { ENV_CACHE_DIR } from '../store/dir.js'
-import { CACHE_APP_INFO, getCache } from '../store/manager.js'
+import { CACHE_APP_INFO, cachePath } from '../store/manager.js'
+import { YamlStore } from '../store/store.js'
 import { FieldInfo, FieldParameters } from '../types/app-meta.js'
 import { AppMetaClient } from './app-meta.js'
 import { AppsClient } from './apps.js'
@ -15,24 +15,17 @@ import { AppsClient } from './apps.js'
 describe('AppMetaClient', () => {
  let mock: DifyMock
  let dir: string
-  let prevCacheDir: string | undefined
  beforeEach(async () => {
    mock = await startMock({ scenario: 'happy' })
    dir = await mkdtemp(join(tmpdir(), 'difyctl-meta-'))
-    prevCacheDir = process.env[ENV_CACHE_DIR]
-    process.env[ENV_CACHE_DIR] = dir
  })
  afterEach(async () => {
-    if (prevCacheDir === undefined)
-      delete process.env[ENV_CACHE_DIR]
-    else
-      process.env[ENV_CACHE_DIR] = prevCacheDir
    await mock.stop()
    await rm(dir, { recursive: true, force: true })
  })

  it('cache miss → fetch → populate; warm hit skips network', async () => {
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    const apps = new AppsClient(createClient({ host: mock.url, bearer: 'dfoa_test' }))
    const spy = vi.spyOn(apps, 'describe')
    const client = new AppMetaClient({ apps, host: mock.url, cache })
@ -47,7 +40,7 @@ describe('AppMetaClient', () => {
  })

  it('slim hit + full request triggers fresh fetch + merges', async () => {
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    const apps = new AppsClient(createClient({ host: mock.url, bearer: 'dfoa_test' }))
    const spy = vi.spyOn(apps, 'describe')
    const client = new AppMetaClient({ apps, host: mock.url, cache })
@ -61,7 +54,7 @@ describe('AppMetaClient', () => {
  })

  it('expired cache entry refetches', async () => {
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO), ttlMs: 100, now: () => new Date('2026-05-09T00:00:00Z') })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)), ttlMs: 100, now: () => new Date('2026-05-09T00:00:00Z') })
    const apps = new AppsClient(createClient({ host: mock.url, bearer: 'dfoa_test' }))
    const spy = vi.spyOn(apps, 'describe')
    const client = new AppMetaClient({ apps, host: mock.url, cache, now: () => new Date('2026-05-09T00:00:00Z') })
@ -75,7 +68,7 @@ describe('AppMetaClient', () => {
  })

  it('invalidate forces next get to fetch', async () => {
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    const apps = new AppsClient(createClient({ host: mock.url, bearer: 'dfoa_test' }))
    const spy = vi.spyOn(apps, 'describe')
    const client = new AppMetaClient({ apps, host: mock.url, cache })
--- a/cli/src/auth/file-backend.test.ts
+++ b/cli/src/auth/file-backend.test.ts
@ -0,0 +1,101 @@
+import { mkdtemp, rm, stat, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { afterEach, beforeEach, describe, expect, it } from 'vitest'
+import { FILE_PERM } from '../store/dir.js'
+import { FileBackend, TOKENS_FILE_NAME } from './file-backend.js'
+
+describe('FileBackend', () => {
+  let dir: string
+  let backend: FileBackend
+
+  beforeEach(async () => {
+    dir = await mkdtemp(join(tmpdir(), 'difyctl-tokens-'))
+    backend = new FileBackend(dir)
+  })
+
+  afterEach(async () => {
+    await rm(dir, { recursive: true, force: true })
+  })
+
+  it('returns undefined when file is missing', async () => {
+    expect(await backend.get('cloud.dify.ai', 'acct-1')).toBeUndefined()
+  })
+
+  it('returns empty list when file is missing', async () => {
+    expect(await backend.list('cloud.dify.ai')).toEqual([])
+  })
+
+  it('round-trips put/get for a single token', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_abc')
+    expect(await backend.get('cloud.dify.ai', 'acct-1')).toBe('dfoa_abc')
+  })
+
+  it('list returns accountIds for the given host', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    await backend.put('cloud.dify.ai', 'acct-2', 'dfoa_b')
+    await backend.put('self.example.com', 'acct-3', 'dfoa_c')
+    const ids = await backend.list('cloud.dify.ai')
+    expect([...ids].sort()).toEqual(['acct-1', 'acct-2'])
+  })
+
+  it('list returns empty array for unknown host', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    expect(await backend.list('other.example.com')).toEqual([])
+  })
+
+  it('delete removes the entry', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    await backend.delete('cloud.dify.ai', 'acct-1')
+    expect(await backend.get('cloud.dify.ai', 'acct-1')).toBeUndefined()
+  })
+
+  it('delete is a no-op for missing entries', async () => {
+    await expect(backend.delete('cloud.dify.ai', 'missing')).resolves.toBeUndefined()
+  })
+
+  it('delete prunes empty host entries', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    await backend.delete('cloud.dify.ai', 'acct-1')
+    expect(await backend.list('cloud.dify.ai')).toEqual([])
+  })
+
+  it('overwrites existing token for same host+accountId', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_old')
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_new')
+    expect(await backend.get('cloud.dify.ai', 'acct-1')).toBe('dfoa_new')
+  })
+
+  it('writes file with mode 0600', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    const info = await stat(join(dir, TOKENS_FILE_NAME))
+    expect(info.mode & 0o777).toBe(FILE_PERM)
+  })
+
+  it('rewrites existing file with mode 0600 even if previously permissive', async () => {
+    const path = join(dir, TOKENS_FILE_NAME)
+    await writeFile(path, 'hosts: {}\n', { mode: 0o644 })
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    const info = await stat(path)
+    expect(info.mode & 0o777).toBe(FILE_PERM)
+  })
+
+  it('writes valid YAML readable by a fresh backend', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    const fresh = new FileBackend(dir)
+    expect(await fresh.get('cloud.dify.ai', 'acct-1')).toBe('dfoa_a')
+  })
+
+  it('persists multiple hosts simultaneously', async () => {
+    await backend.put('cloud.dify.ai', 'acct-1', 'dfoa_a')
+    await backend.put('self.example.com', 'acct-2', 'dfoa_b')
+    expect(await backend.get('cloud.dify.ai', 'acct-1')).toBe('dfoa_a')
+    expect(await backend.get('self.example.com', 'acct-2')).toBe('dfoa_b')
+  })
+
+  it('treats malformed YAML as empty', async () => {
+    const path = join(dir, TOKENS_FILE_NAME)
+    await writeFile(path, 'not: valid: yaml: [\n', { mode: FILE_PERM })
+    expect(await backend.get('cloud.dify.ai', 'acct-1')).toBeUndefined()
+  })
+})
--- a/cli/src/auth/file-backend.ts
+++ b/cli/src/auth/file-backend.ts
@ -0,0 +1,99 @@
+import type { TokenStore } from './store.js'
+import { mkdir, readFile, rename, stat, unlink, writeFile } from 'node:fs/promises'
+import { join } from 'node:path'
+import yaml from 'js-yaml'
+import { DIR_PERM, FILE_PERM } from '../store/dir.js'
+
+export const TOKENS_FILE_NAME = 'tokens.yml'
+
+type AccountMap = Record<string, string>
+type HostMap = Record<string, AccountMap>
+type TokensFile = { hosts?: HostMap }
+
+export class FileBackend implements TokenStore {
+  private readonly dir: string
+  private readonly path: string
+
+  constructor(dir: string) {
+    this.dir = dir
+    this.path = join(dir, TOKENS_FILE_NAME)
+  }
+
+  async put(host: string, accountId: string, token: string): Promise<void> {
+    const file = await this.read()
+    const hosts = file.hosts ?? {}
+    const accounts = hosts[host] ?? {}
+    accounts[accountId] = token
+    hosts[host] = accounts
+    await this.write({ hosts })
+  }
+
+  async get(host: string, accountId: string): Promise<string | undefined> {
+    const file = await this.read()
+    return file.hosts?.[host]?.[accountId]
+  }
+
+  async delete(host: string, accountId: string): Promise<void> {
+    const file = await this.read()
+    const accounts = file.hosts?.[host]
+    if (accounts === undefined || !(accountId in accounts))
+      return
+    delete accounts[accountId]
+    if (Object.keys(accounts).length === 0 && file.hosts !== undefined)
+      delete file.hosts[host]
+    await this.write(file)
+  }
+
+  async list(host: string): Promise<readonly string[]> {
+    const file = await this.read()
+    const accounts = file.hosts?.[host]
+    return accounts === undefined ? [] : Object.keys(accounts)
+  }
+
+  private async read(): Promise<TokensFile> {
+    let raw: string
+    try {
+      raw = await readFile(this.path, 'utf8')
+    }
+    catch (err) {
+      if ((err as NodeJS.ErrnoException).code === 'ENOENT')
+        return {}
+      throw err
+    }
+    let parsed: unknown
+    try {
+      parsed = yaml.load(raw)
+    }
+    catch {
+      return {}
+    }
+    if (parsed === null || typeof parsed !== 'object')
+      return {}
+    return parsed as TokensFile
+  }
+
+  private async write(file: TokensFile): Promise<void> {
+    await mkdir(this.dir, { recursive: true, mode: DIR_PERM })
+    const body = yaml.dump(file, { lineWidth: -1, noRefs: true })
+    const tmp = `${this.path}.tmp.${process.pid}.${Date.now()}`
+    try {
+      await writeFile(tmp, body, { mode: FILE_PERM })
+      await rename(tmp, this.path)
+    }
+    catch (err) {
+      try {
+        await unlink(tmp)
+      }
+      catch { /* tmp may not exist */ }
+      throw err
+    }
+    try {
+      const info = await stat(this.path)
+      if ((info.mode & 0o777) !== FILE_PERM) {
+        const { chmod } = await import('node:fs/promises')
+        await chmod(this.path, FILE_PERM)
+      }
+    }
+    catch { /* best-effort permission tighten */ }
+  }
+}
--- a/cli/src/auth/hosts.test.ts
+++ b/cli/src/auth/hosts.test.ts
@ -1,9 +1,9 @@
-import { mkdtemp, rm } from 'node:fs/promises'
+import { mkdtemp, readFile, rm, stat, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { afterEach, beforeEach, describe, expect, it } from 'vitest'
-import { ENV_CONFIG_DIR } from '../store/dir.js'
-import { HostsBundleSchema, loadHosts, saveHosts } from './hosts.js'
+import { FILE_PERM } from '../store/dir.js'
+import { HOSTS_FILE_NAME, HostsBundleSchema, loadHosts, saveHosts } from './hosts.js'

 describe('HostsBundleSchema', () => {
  it('parses a minimal logged-out bundle', () => {
@ -46,86 +46,86 @@ describe('HostsBundleSchema', () => {
    })
    expect(parsed.available_workspaces).toHaveLength(2)
  })
-
-  it('drops unknown top-level fields on parse', () => {
-    const parsed = HostsBundleSchema.parse({
-      current_host: 'cloud.dify.ai',
-      future_field: 42,
-      token_storage: 'file',
-    })
-    expect(parsed.current_host).toBe('cloud.dify.ai')
-    expect((parsed as Record<string, unknown>).future_field).toBeUndefined()
-  })
 })

 describe('loadHosts/saveHosts', () => {
  let dir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-hosts-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = dir
  })

  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
    await rm(dir, { recursive: true, force: true })
  })

-  it('returns undefined when nothing was saved', () => {
-    expect(loadHosts()).toBeUndefined()
+  it('returns undefined when file is missing', async () => {
+    expect(await loadHosts(dir)).toBeUndefined()
  })

-  it('round-trips a fully-populated bundle', () => {
-    saveHosts({
+  it('round-trips bundle through YAML', async () => {
+    await saveHosts(dir, {
      current_host: 'cloud.dify.ai',
-      scheme: 'https',
      account: { id: 'acct-1', email: 'a@b.c', name: 'A' },
      workspace: { id: 'ws-1', name: 'My Space', role: 'owner' },
-      available_workspaces: [
-        { id: 'ws-1', name: 'My Space', role: 'owner' },
-        { id: 'ws-2', name: 'Other', role: 'normal' },
-      ],
      token_storage: 'keychain',
      token_id: 'tok_xyz',
    })
-    const loaded = loadHosts()
+    const loaded = await loadHosts(dir)
    expect(loaded?.current_host).toBe('cloud.dify.ai')
-    expect(loaded?.scheme).toBe('https')
    expect(loaded?.account?.email).toBe('a@b.c')
-    expect(loaded?.workspace?.id).toBe('ws-1')
-    expect(loaded?.available_workspaces).toHaveLength(2)
-    expect(loaded?.token_storage).toBe('keychain')
-    expect(loaded?.token_id).toBe('tok_xyz')
-  })
-
-  it('round-trips a file-mode bundle with bearer token', () => {
-    saveHosts({
-      current_host: 'self.example.com',
-      token_storage: 'file',
-      tokens: { bearer: 'dfoa_test' },
-    })
-    const loaded = loadHosts()
-    expect(loaded?.tokens?.bearer).toBe('dfoa_test')
-    expect(loaded?.token_storage).toBe('file')
-  })
-
-  it('overwrites previous bundle on save', () => {
-    saveHosts({ current_host: 'old.example.com', token_storage: 'file' })
-    saveHosts({ current_host: 'new.example.com', token_storage: 'keychain' })
-    const loaded = loadHosts()
-    expect(loaded?.current_host).toBe('new.example.com')
    expect(loaded?.token_storage).toBe('keychain')
  })

-  it('rejects invalid input at save time', () => {
-    expect(() => saveHosts({
+  it('writes file with mode 0600', async () => {
+    await saveHosts(dir, { current_host: 'cloud.dify.ai', token_storage: 'file' })
+    const info = await stat(join(dir, HOSTS_FILE_NAME))
+    expect(info.mode & 0o777).toBe(FILE_PERM)
+  })
+
+  it('rewrites permissive existing file with mode 0600', async () => {
+    const path = join(dir, HOSTS_FILE_NAME)
+    await writeFile(path, 'current_host: ""\ntoken_storage: file\n', { mode: 0o644 })
+    await saveHosts(dir, { current_host: 'cloud.dify.ai', token_storage: 'file' })
+    const info = await stat(path)
+    expect(info.mode & 0o777).toBe(FILE_PERM)
+  })
+
+  it('atomic write: temp file does not survive on success', async () => {
+    await saveHosts(dir, { current_host: 'cloud.dify.ai', token_storage: 'file' })
+    const { readdir } = await import('node:fs/promises')
+    const entries = await readdir(dir)
+    expect(entries.filter(n => n.includes('.tmp.'))).toHaveLength(0)
+  })
+
+  it('drops unknown top-level fields', async () => {
+    const path = join(dir, HOSTS_FILE_NAME)
+    await writeFile(path, 'current_host: cloud.dify.ai\nfuture_field: 42\ntoken_storage: file\n', { mode: FILE_PERM })
+    const loaded = await loadHosts(dir)
+    expect(loaded?.current_host).toBe('cloud.dify.ai')
+    expect((loaded as Record<string, unknown> | undefined)?.future_field).toBeUndefined()
+  })
+
+  it('throws on malformed YAML', async () => {
+    const path = join(dir, HOSTS_FILE_NAME)
+    await writeFile(path, ': : :\n', { mode: FILE_PERM })
+    await expect(loadHosts(dir)).rejects.toThrow()
+  })
+
+  it('throws when YAML contradicts schema', async () => {
+    const path = join(dir, HOSTS_FILE_NAME)
+    await writeFile(path, 'token_storage: cloud\n', { mode: FILE_PERM })
+    await expect(loadHosts(dir)).rejects.toThrow()
+  })
+
+  it('produces YAML with stable keys', async () => {
+    await saveHosts(dir, {
      current_host: 'cloud.dify.ai',
-      token_storage: 'cloud',
-    } as never)).toThrow()
+      token_storage: 'file',
+      tokens: { bearer: 'dfoa_x' },
+    })
+    const raw = await readFile(join(dir, HOSTS_FILE_NAME), 'utf8')
+    expect(raw).toContain('current_host: cloud.dify.ai')
+    expect(raw).toContain('bearer: dfoa_x')
  })
 })
--- a/cli/src/auth/hosts.ts
+++ b/cli/src/auth/hosts.ts
@ -1,6 +1,10 @@
-import type { Store } from '../store/store.js'
+import { mkdir, readFile, rename, unlink, writeFile } from 'node:fs/promises'
+import { join } from 'node:path'
+import yaml from 'js-yaml'
 import { z } from 'zod'
-import { getHostStore, tokenKey } from '../store/manager.js'
+import { DIR_PERM, FILE_PERM } from '../store/dir.js'
+
+export const HOSTS_FILE_NAME = 'hosts.yml'

 const StorageModeSchema = z.enum(['keychain', 'file'])
 export type StorageMode = z.infer<typeof StorageModeSchema>
@ -44,23 +48,53 @@ export const HostsBundleSchema = z.object({
 })
 export type HostsBundle = z.infer<typeof HostsBundleSchema>

-export function loadHosts(): HostsBundle | undefined {
-  const raw = getHostStore().getTyped<Record<string, unknown>>()
-  if (raw === null)
-    return undefined
-  return HostsBundleSchema.parse(raw)
-}
-
-export function saveHosts(bundle: HostsBundle): void {
-  const validated = HostsBundleSchema.parse(bundle)
-  getHostStore().setTyped(validated)
-}
-
-export function clearLocal(bundle: HostsBundle, store: Store): void {
-  const accountId = bundle.account?.id ?? bundle.external_subject?.email ?? 'default'
+export async function loadHosts(dir: string): Promise<HostsBundle | undefined> {
+  const path = join(dir, HOSTS_FILE_NAME)
+  let raw: string
  try {
-    store.unset(tokenKey(bundle.current_host, accountId))
+    raw = await readFile(path, 'utf8')
+  }
+  catch (err) {
+    if ((err as NodeJS.ErrnoException).code === 'ENOENT')
+      return undefined
+    throw err
+  }
+  const parsed = yaml.load(raw)
+  return HostsBundleSchema.parse(parsed ?? {})
+}
+
+export async function saveHosts(dir: string, bundle: HostsBundle): Promise<void> {
+  await mkdir(dir, { recursive: true, mode: DIR_PERM })
+  const validated = HostsBundleSchema.parse(bundle)
+  const body = yaml.dump(stripUndefined(validated), { lineWidth: -1, noRefs: true, sortKeys: false })
+  const target = join(dir, HOSTS_FILE_NAME)
+  const tmp = `${target}.tmp.${process.pid}.${Date.now()}`
+  try {
+    await writeFile(tmp, body, { mode: FILE_PERM })
+    await rename(tmp, target)
+  }
+  catch (err) {
+    try {
+      await unlink(tmp)
+    }
+    catch { /* tmp may not exist */ }
+    throw err
+  }
+  const { chmod, stat } = await import('node:fs/promises')
+  try {
+    const info = await stat(target)
+    if ((info.mode & 0o777) !== FILE_PERM)
+      await chmod(target, FILE_PERM)
  }
  catch { /* best-effort */ }
-  getHostStore().rm()
+}
+
+function stripUndefined<T extends Record<string, unknown>>(input: T): Record<string, unknown> {
+  const out: Record<string, unknown> = {}
+  for (const [k, v] of Object.entries(input)) {
+    if (v === undefined)
+      continue
+    out[k] = v
+  }
+  return out
 }
--- a/cli/src/auth/keyring-backend.test.ts
+++ b/cli/src/auth/keyring-backend.test.ts
@ -0,0 +1,111 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const passwords = new Map<string, string>()
+const setPassword = vi.fn()
+const getPassword = vi.fn()
+const deletePassword = vi.fn()
+
+class FakeAsyncEntry {
+  private readonly key: string
+  constructor(service: string, username: string) {
+    this.key = `${service}::${username}`
+  }
+
+  async setPassword(value: string): Promise<void> {
+    setPassword(this.key, value)
+    passwords.set(this.key, value)
+  }
+
+  async getPassword(): Promise<string | undefined> {
+    getPassword(this.key)
+    return passwords.get(this.key)
+  }
+
+  async deletePassword(): Promise<boolean> {
+    deletePassword(this.key)
+    if (!passwords.has(this.key))
+      return false
+    passwords.delete(this.key)
+    return true
+  }
+}
+
+vi.mock('@napi-rs/keyring', () => ({
+  AsyncEntry: FakeAsyncEntry,
+}))
+
+const { KEYRING_SERVICE, KeyringBackend } = await import('./keyring-backend.js')
+
+beforeEach(() => {
+  passwords.clear()
+  setPassword.mockClear()
+  getPassword.mockClear()
+  deletePassword.mockClear()
+})
+
+describe('KeyringBackend', () => {
+  it('uses service name "difyctl"', () => {
+    expect(KEYRING_SERVICE).toBe('difyctl')
+  })
+
+  it('returns undefined when no password is stored', async () => {
+    const k = new KeyringBackend()
+    expect(await k.get('cloud.dify.ai', 'acct-1')).toBeUndefined()
+  })
+
+  it('round-trips put/get', async () => {
+    const k = new KeyringBackend()
+    await k.put('cloud.dify.ai', 'acct-1', 'dfoa_x')
+    expect(await k.get('cloud.dify.ai', 'acct-1')).toBe('dfoa_x')
+  })
+
+  it('keys by host::accountId', async () => {
+    const k = new KeyringBackend()
+    await k.put('cloud.dify.ai', 'acct-1', 'A')
+    await k.put('cloud.dify.ai', 'acct-2', 'B')
+    expect(await k.get('cloud.dify.ai', 'acct-1')).toBe('A')
+    expect(await k.get('cloud.dify.ai', 'acct-2')).toBe('B')
+  })
+
+  it('delete removes the entry', async () => {
+    const k = new KeyringBackend()
+    await k.put('cloud.dify.ai', 'acct-1', 'A')
+    await k.delete('cloud.dify.ai', 'acct-1')
+    expect(await k.get('cloud.dify.ai', 'acct-1')).toBeUndefined()
+  })
+
+  it('delete is a no-op for missing entries', async () => {
+    const k = new KeyringBackend()
+    await expect(k.delete('cloud.dify.ai', 'gone')).resolves.toBeUndefined()
+  })
+
+  it('list returns empty array (keyring does not enumerate)', async () => {
+    const k = new KeyringBackend()
+    await k.put('cloud.dify.ai', 'acct-1', 'A')
+    expect(await k.list('cloud.dify.ai')).toEqual([])
+  })
+
+  it('swallows getPassword exceptions and returns undefined', async () => {
+    const k = new KeyringBackend()
+    getPassword.mockImplementationOnce(() => {
+      throw new Error('NoEntry')
+    })
+    expect(await k.get('cloud.dify.ai', 'acct-1')).toBeUndefined()
+  })
+
+  it('swallows delete exceptions', async () => {
+    const k = new KeyringBackend()
+    deletePassword.mockImplementationOnce(() => {
+      throw new Error('NoEntry')
+    })
+    await expect(k.delete('cloud.dify.ai', 'acct-1')).resolves.toBeUndefined()
+  })
+
+  it('lets put propagate exceptions (caller decides fallback)', async () => {
+    const k = new KeyringBackend()
+    setPassword.mockImplementationOnce(() => {
+      throw new Error('keyring locked')
+    })
+    await expect(k.put('cloud.dify.ai', 'acct-1', 'tok')).rejects.toThrow(/keyring locked/)
+  })
+})
--- a/cli/src/auth/keyring-backend.ts
+++ b/cli/src/auth/keyring-backend.ts
@ -0,0 +1,35 @@
+import type { TokenStore } from './store.js'
+import { AsyncEntry } from '@napi-rs/keyring'
+
+export const KEYRING_SERVICE = 'difyctl'
+
+function username(host: string, accountId: string): string {
+  return `${host}::${accountId}`
+}
+
+export class KeyringBackend implements TokenStore {
+  async put(host: string, accountId: string, token: string): Promise<void> {
+    await new AsyncEntry(KEYRING_SERVICE, username(host, accountId)).setPassword(token)
+  }
+
+  async get(host: string, accountId: string): Promise<string | undefined> {
+    try {
+      const v = await new AsyncEntry(KEYRING_SERVICE, username(host, accountId)).getPassword()
+      return v ?? undefined
+    }
+    catch {
+      return undefined
+    }
+  }
+
+  async delete(host: string, accountId: string): Promise<void> {
+    try {
+      await new AsyncEntry(KEYRING_SERVICE, username(host, accountId)).deletePassword()
+    }
+    catch { /* missing entry is fine */ }
+  }
+
+  async list(_host: string): Promise<readonly string[]> {
+    return []
+  }
+}
--- a/cli/src/auth/store.test.ts
+++ b/cli/src/auth/store.test.ts
@ -0,0 +1,75 @@
+import type { TokenStore } from './store.js'
+import { describe, expect, it, vi } from 'vitest'
+import { selectStore } from './store.js'
+
+function memBackend(label: string): TokenStore & { _label: string } {
+  const map = new Map<string, string>()
+  const k = (h: string, a: string) => `${h}::${a}`
+  return {
+    _label: label,
+    async put(h, a, t) { map.set(k(h, a), t) },
+    async get(h, a) { return map.get(k(h, a)) },
+    async delete(h, a) { map.delete(k(h, a)) },
+    async list() { return [] },
+  }
+}
+
+describe('selectStore', () => {
+  it('returns keychain when probe succeeds', async () => {
+    const k = memBackend('keyring')
+    const f = memBackend('file')
+    const result = await selectStore({
+      configDir: '/tmp/x',
+      factory: { keyring: () => k, file: () => f },
+    })
+    expect(result.mode).toBe('keychain')
+    expect(result.store).toBe(k)
+  })
+
+  it('falls back to file when keyring put throws', async () => {
+    const k = memBackend('keyring')
+    const f = memBackend('file')
+    k.put = vi.fn().mockRejectedValue(new Error('locked'))
+    const result = await selectStore({
+      configDir: '/tmp/x',
+      factory: { keyring: () => k, file: () => f },
+    })
+    expect(result.mode).toBe('file')
+    expect(result.store).toBe(f)
+  })
+
+  it('falls back to file when probe round-trip mismatches', async () => {
+    const k = memBackend('keyring')
+    const f = memBackend('file')
+    k.get = vi.fn().mockResolvedValue('something-else')
+    const result = await selectStore({
+      configDir: '/tmp/x',
+      factory: { keyring: () => k, file: () => f },
+    })
+    expect(result.mode).toBe('file')
+    expect(result.store).toBe(f)
+  })
+
+  it('falls back to file when keyring constructor throws', async () => {
+    const f = memBackend('file')
+    const result = await selectStore({
+      configDir: '/tmp/x',
+      factory: {
+        keyring: () => { throw new Error('no backend') },
+        file: () => f,
+      },
+    })
+    expect(result.mode).toBe('file')
+    expect(result.store).toBe(f)
+  })
+
+  it('cleans up probe entry after successful probe', async () => {
+    const k = memBackend('keyring')
+    const f = memBackend('file')
+    await selectStore({
+      configDir: '/tmp/x',
+      factory: { keyring: () => k, file: () => f },
+    })
+    expect(await k.get('__difyctl_probe__', '__probe__')).toBeUndefined()
+  })
+})
--- a/cli/src/auth/store.ts
+++ b/cli/src/auth/store.ts
@ -0,0 +1,40 @@
+import { FileBackend } from './file-backend.js'
+import { KeyringBackend } from './keyring-backend.js'
+
+export type TokenStore = {
+  put: (host: string, accountId: string, token: string) => Promise<void>
+  get: (host: string, accountId: string) => Promise<string | undefined>
+  delete: (host: string, accountId: string) => Promise<void>
+  list: (host: string) => Promise<readonly string[]>
+}
+
+export type StorageMode = 'keychain' | 'file'
+
+export type SelectStoreOptions = {
+  readonly configDir: string
+  readonly factory?: {
+    readonly keyring?: () => TokenStore
+    readonly file?: (dir: string) => TokenStore
+  }
+}
+
+const PROBE_HOST = '__difyctl_probe__'
+const PROBE_ACCOUNT = '__probe__'
+const PROBE_VALUE = 'probe-v1'
+
+export async function selectStore(opts: SelectStoreOptions): Promise<{ store: TokenStore, mode: StorageMode }> {
+  const fileFactory = opts.factory?.file ?? ((dir: string) => new FileBackend(dir))
+  const keyringFactory = opts.factory?.keyring ?? (() => new KeyringBackend())
+  try {
+    const k = keyringFactory()
+    await k.put(PROBE_HOST, PROBE_ACCOUNT, PROBE_VALUE)
+    const got = await k.get(PROBE_HOST, PROBE_ACCOUNT)
+    await k.delete(PROBE_HOST, PROBE_ACCOUNT)
+    if (got !== PROBE_VALUE)
+      throw new Error('keyring round-trip mismatch')
+    return { store: k, mode: 'keychain' }
+  }
+  catch {
+    return { store: fileFactory(opts.configDir), mode: 'file' }
+  }
+}
--- a/cli/src/cache/app-info.test.ts
+++ b/cli/src/cache/app-info.test.ts
@ -4,8 +4,8 @@ import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import yaml from 'js-yaml'
 import { afterEach, beforeEach, describe, expect, it } from 'vitest'
-import { ENV_CACHE_DIR } from '../store/dir.js'
-import { CACHE_APP_INFO, cachePath, getCache } from '../store/manager.js'
+import { CACHE_APP_INFO, cachePath } from '../store/manager.js'
+import { YamlStore } from '../store/store.js'
 import { platform } from '../sys/index.js'
 import { FieldInfo, FieldParameters } from '../types/app-meta.js'
 import { APP_INFO_TTL_MS, loadAppInfoCache } from './app-info.js'
@ -35,25 +35,18 @@ function metaInfoOnly(): AppMeta {

 describe('app-info disk cache', () => {
  let dir: string
-  let prevCacheDir: string | undefined
  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-cache-'))
-    prevCacheDir = process.env[ENV_CACHE_DIR]
-    process.env[ENV_CACHE_DIR] = dir
  })
  afterEach(async () => {
-    if (prevCacheDir === undefined)
-      delete process.env[ENV_CACHE_DIR]
-    else
-      process.env[ENV_CACHE_DIR] = prevCacheDir
    await rm(dir, { recursive: true, force: true })
  })

  it('round-trips an entry across reloads', async () => {
-    const c1 = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c1 = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await c1.set('http://localhost:9999', 'app-1', metaInfoOnly())

-    const c2 = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c2 = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    const got = c2.get('http://localhost:9999', 'app-1')
    expect(got).toBeDefined()
    expect(got?.meta.info?.id).toBe('app-1')
@ -62,7 +55,7 @@ describe('app-info disk cache', () => {

  it('isFresh respects TTL', async () => {
    const now = new Date('2026-05-09T00:00:00Z')
-    const c = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO), now: () => now })
+    const c = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)), now: () => now })
    await c.set('h', 'app-1', metaInfoOnly())
    const r = c.get('h', 'app-1')
    expect(r).toBeDefined()
@ -73,23 +66,23 @@ describe('app-info disk cache', () => {
  })

  it('keys by (host, app_id) — different hosts isolate', async () => {
-    const c = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await c.set('h1', 'app-1', metaInfoOnly())
    expect(c.get('h2', 'app-1')).toBeUndefined()
    expect(c.get('h1', 'app-1')).toBeDefined()
  })

  it('delete removes entry from disk', async () => {
-    const c1 = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c1 = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await c1.set('h', 'app-1', metaInfoOnly())
    await c1.delete('h', 'app-1')

-    const c2 = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c2 = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    expect(c2.get('h', 'app-1')).toBeUndefined()
  })

  it('writes file with 0600 permission', async () => {
-    const c = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await c.set('h', 'app-1', metaInfoOnly())
    const { stat } = await import('node:fs/promises')
    const s = await stat(appInfoPath(dir))
@ -98,19 +91,19 @@ describe('app-info disk cache', () => {
  })

  it('missing cache file is not an error', async () => {
-    const c = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    expect(c.get('h', 'app-1')).toBeUndefined()
  })

  it('corrupt cache file is treated as empty', async () => {
    const { writeFile } = await import('node:fs/promises')
    await writeFile(appInfoPath(dir), ': : not valid yaml', 'utf8')
-    const c = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    expect(c.get('h', 'app-1')).toBeUndefined()
  })

  it('updates same key in place (no growth)', async () => {
-    const c = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const c = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await c.set('h', 'app-1', metaInfoOnly())
    const slim: AppMeta = {
      ...metaInfoOnly(),
--- a/cli/src/cache/nudge-store.test.ts
+++ b/cli/src/cache/nudge-store.test.ts
@ -3,8 +3,8 @@ import { tmpdir } from 'node:os'
 import { dirname, join } from 'node:path'
 import yaml from 'js-yaml'
 import { afterEach, beforeEach, describe, expect, it } from 'vitest'
-import { ENV_CACHE_DIR } from '../store/dir.js'
-import { CACHE_NUDGE, cachePath, getCache } from '../store/manager.js'
+import { CACHE_NUDGE, cachePath } from '../store/manager.js'
+import { YamlStore } from '../store/store.js'
 import { loadNudgeStore, WARN_INTERVAL_MS } from './nudge-store.js'

 function nudgeStorePath(dir: string): string {
@ -15,28 +15,21 @@ const HOST = 'https://cloud.dify.ai'

 describe('NudgeStore', () => {
  let dir: string
-  let prevCacheDir: string | undefined
  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-nudge-'))
-    prevCacheDir = process.env[ENV_CACHE_DIR]
-    process.env[ENV_CACHE_DIR] = dir
  })
  afterEach(async () => {
-    if (prevCacheDir === undefined)
-      delete process.env[ENV_CACHE_DIR]
-    else
-      process.env[ENV_CACHE_DIR] = prevCacheDir
    await rm(dir, { recursive: true, force: true })
  })

  it('canWarn=true when no prior record exists', async () => {
-    const store = await loadNudgeStore({ store: getCache(CACHE_NUDGE) })
+    const store = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)) })
    expect(store.canWarn(HOST)).toBe(true)
  })

  it('canWarn=false within the silence window, true past it', async () => {
    const t0 = new Date('2026-05-19T12:00:00.000Z')
-    const store = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t0 })
+    const store = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t0 })
    await store.markWarned(HOST)
    expect(store.canWarn(HOST, new Date('2026-05-19T18:00:00.000Z'))).toBe(false)
    expect(store.canWarn(HOST, new Date('2026-05-20T12:00:00.000Z'))).toBe(true)
@ -44,7 +37,7 @@ describe('NudgeStore', () => {

  it('canWarn clamps negative elapsed under clock skew (treats as still in window)', async () => {
    const t0 = new Date('2026-05-19T12:00:00.000Z')
-    const store = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t0 })
+    const store = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t0 })
    await store.markWarned(HOST)
    const pastClock = new Date('2026-05-19T11:00:00.000Z') // clock moved backwards 1h
    expect(store.canWarn(HOST, pastClock)).toBe(false)
@ -52,22 +45,22 @@ describe('NudgeStore', () => {

  it('markWarned persists across store reloads', async () => {
    const t0 = new Date('2026-05-19T12:00:00.000Z')
-    const s1 = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t0 })
+    const s1 = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t0 })
    await s1.markWarned(HOST)
-    const s2 = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t0 })
+    const s2 = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t0 })
    expect(s2.canWarn(HOST)).toBe(false)
  })

  it('treats a corrupt cache file as empty', async () => {
    const path = nudgeStorePath(dir)
    await writeCacheFile(path, '{ not valid json')
-    const store = await loadNudgeStore({ store: getCache(CACHE_NUDGE) })
+    const store = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)) })
    expect(store.canWarn(HOST)).toBe(true)
  })

  it('writes ISO timestamps under warned/<host> on disk', async () => {
    const t = new Date('2026-05-19T12:00:00.000Z')
-    const store = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t })
+    const store = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t })
    await store.markWarned(HOST)
    const raw = await readFile(nudgeStorePath(dir), 'utf8')
    const parsed = yaml.load(raw) as Record<string, unknown>
@ -79,11 +72,11 @@ describe('NudgeStore', () => {
    // warns about a different host. Without merge-on-write the second writer
    // would clobber the first.
    const t = new Date('2026-05-19T12:00:00.000Z')
-    const a = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t })
-    const b = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t })
+    const a = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t })
+    const b = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t })
    await a.markWarned('https://a.example')
    await b.markWarned('https://b.example')
-    const reread = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => t })
+    const reread = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => t })
    expect(reread.canWarn('https://a.example')).toBe(false)
    expect(reread.canWarn('https://b.example')).toBe(false)
  })
--- a/cli/src/commands/_shared/authed-command.ts
+++ b/cli/src/commands/_shared/authed-command.ts
@ -12,6 +12,7 @@ import { BaseError } from '../../errors/base.js'
 import { ErrorCode } from '../../errors/codes.js'
 import { formatErrorForCli } from '../../errors/format.js'
 import { createClient } from '../../http/client.js'
+import { resolveConfigDir } from '../../store/dir.js'
 import { realStreams } from '../../sys/io/streams'
 import { hostWithScheme } from '../../util/host.js'
 import { versionInfo } from '../../version/info.js'
@ -23,6 +24,7 @@ export type AuthedContext = {
  readonly http: KyInstance
  readonly host: string
  readonly io: IOStreams
+  readonly configDir: string
  readonly cache?: AppInfoCache
 }

@ -36,8 +38,9 @@ export async function buildAuthedContext(
  cmd: Pick<Command, 'error'>,
  opts: AuthedContextOptions,
 ): Promise<AuthedContext> {
+  const configDir = resolveConfigDir()
  const io = realStreams(opts.format ?? '')
-  const bundle = loadHosts()
+  const bundle = await loadHosts(configDir)
  if (bundle === undefined || bundle.tokens?.bearer === undefined || bundle.tokens.bearer === '') {
    const err = new BaseError({
      code: ErrorCode.NotLoggedIn,
@ -58,7 +61,7 @@ export async function buildAuthedContext(

  await runCompatNudge({ host, io })

-  return { bundle, http, host, io, cache }
+  return { bundle, http, host, io, configDir, cache }
 }

 // Best-effort nudge: never throws, never blocks. Lives here so every authed
--- a/cli/src/commands/auth/devices/_shared/devices.test.ts
+++ b/cli/src/commands/auth/devices/_shared/devices.test.ts
@ -2,7 +2,7 @@ import type { SessionListResponse, SessionRow } from '@dify/contracts/api/openap
 import type { DifyMock } from '../../../../../test/fixtures/dify-mock/server.js'
 import type { AccountSessionsClient } from '../../../../api/account-sessions.js'
 import type { HostsBundle } from '../../../../auth/hosts.js'
-import type { Key, Store } from '../../../../store/store.js'
+import type { TokenStore } from '../../../../auth/store.js'
 import { mkdtemp, readFile, rm } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
@ -10,23 +10,26 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import { startMock } from '../../../../../test/fixtures/dify-mock/server.js'
 import { saveHosts } from '../../../../auth/hosts.js'
 import { createClient } from '../../../../http/client.js'
-import { ENV_CONFIG_DIR, resolveConfigDir } from '../../../../store/dir.js'
-import { tokenKey } from '../../../../store/manager.js'
 import { bufferStreams } from '../../../../sys/io/streams'
 import { listAllSessions, runDevicesList, runDevicesRevoke } from './devices.js'

-class MemStore implements Store {
-  readonly entries = new Map<string, unknown>()
-  get<T>(key: Key<T>): T {
-    return (this.entries.get(key.key) as T | undefined) ?? key.default
+class MemStore implements TokenStore {
+  readonly entries = new Map<string, string>()
+  async put(host: string, accountId: string, token: string): Promise<void> {
+    this.entries.set(`${host}::${accountId}`, token)
  }

-  set<T>(key: Key<T>, value: T): void {
-    this.entries.set(key.key, value)
+  async get(host: string, accountId: string): Promise<string | undefined> {
+    return this.entries.get(`${host}::${accountId}`)
  }

-  unset<T>(key: Key<T>): void {
-    this.entries.delete(key.key)
+  async delete(host: string, accountId: string): Promise<void> {
+    this.entries.delete(`${host}::${accountId}`)
+  }
+
+  async list(host: string): Promise<readonly string[]> {
+    const prefix = `${host}::`
+    return Array.from(this.entries.keys()).filter(k => k.startsWith(prefix))
  }
 }

@ -90,18 +93,11 @@ describe('runDevicesList', () => {
 describe('runDevicesRevoke', () => {
  let mock: DifyMock
  let configDir: string
-  let prevConfigDir: string | undefined
  beforeEach(async () => {
    mock = await startMock({ scenario: 'happy' })
    configDir = await mkdtemp(join(tmpdir(), 'difyctl-devrevoke-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = configDir
  })
  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
    await mock.stop()
    await rm(configDir, { recursive: true, force: true })
  })
@ -110,11 +106,11 @@ describe('runDevicesRevoke', () => {
    const io = bufferStreams()
    const store = new MemStore()
    const b = bundleFor(mock.url, 'tok-1')
-    store.set(tokenKey(b.current_host, 'acct-1'), 'dfoa_test')
-    saveHosts(b)
+    await store.put(b.current_host, 'acct-1', 'dfoa_test')
+    await saveHosts(configDir, b)
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runDevicesRevoke({ io, bundle: b, http, store, target: 'difyctl on desktop', all: false })
+    await runDevicesRevoke({ configDir, io, bundle: b, http, store, target: 'difyctl on desktop', all: false })
    expect(io.outBuf()).toContain('Revoked 1 session(s)')
    expect(store.entries.size).toBe(1)
  })
@ -125,7 +121,7 @@ describe('runDevicesRevoke', () => {
    const b = bundleFor(mock.url, 'tok-1')
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runDevicesRevoke({ io, bundle: b, http, store, target: 'tok-2', all: false })
+    await runDevicesRevoke({ configDir, io, bundle: b, http, store, target: 'tok-2', all: false })
    expect(io.outBuf()).toContain('Revoked 1 session(s)')
  })

@ -135,7 +131,7 @@ describe('runDevicesRevoke', () => {
    const b = bundleFor(mock.url, 'tok-1')
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runDevicesRevoke({ io, bundle: b, http, store, target: 'web', all: false })
+    await runDevicesRevoke({ configDir, io, bundle: b, http, store, target: 'web', all: false })
    expect(io.outBuf()).toContain('Revoked 1 session(s)')
  })

@ -145,7 +141,7 @@ describe('runDevicesRevoke', () => {
    const b = bundleFor(mock.url, 'tok-1')
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await expect(runDevicesRevoke({ io, bundle: b, http, store, target: 'difyctl', all: false }))
+    await expect(runDevicesRevoke({ configDir, io, bundle: b, http, store, target: 'difyctl', all: false }))
      .rejects
      .toThrow(/matches multiple/)
  })
@ -156,7 +152,7 @@ describe('runDevicesRevoke', () => {
    const b = bundleFor(mock.url, 'tok-1')
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await expect(runDevicesRevoke({ io, bundle: b, http, store, target: 'nonexistent', all: false }))
+    await expect(runDevicesRevoke({ configDir, io, bundle: b, http, store, target: 'nonexistent', all: false }))
      .rejects
      .toThrow(/no session matches/)
  })
@ -167,7 +163,7 @@ describe('runDevicesRevoke', () => {
    const b = bundleFor(mock.url, 'tok-1')
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runDevicesRevoke({ io, bundle: b, http, store, all: true })
+    await runDevicesRevoke({ configDir, io, bundle: b, http, store, all: true })
    expect(io.outBuf()).toContain('Revoked 2 session(s)')
  })

@ -175,20 +171,20 @@ describe('runDevicesRevoke', () => {
    const io = bufferStreams()
    const store = new MemStore()
    const b = bundleFor(mock.url, 'tok-1')
-    store.set(tokenKey(b.current_host, 'acct-1'), 'dfoa_test')
-    saveHosts(b)
+    await store.put(b.current_host, 'acct-1', 'dfoa_test')
+    await saveHosts(configDir, b)
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runDevicesRevoke({ io, bundle: b, http, store, target: 'tok-1', all: false })
+    await runDevicesRevoke({ configDir, io, bundle: b, http, store, target: 'tok-1', all: false })
    expect(store.entries.size).toBe(0)
-    await expect(readFile(join(resolveConfigDir(), 'hosts.yml'), 'utf8')).rejects.toThrow(/ENOENT/)
+    await expect(readFile(join(configDir, 'hosts.yml'), 'utf8')).rejects.toThrow(/ENOENT/)
  })

  it('no target + no --all: throws UsageMissingArg', async () => {
    const io = bufferStreams()
    const store = new MemStore()
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })
-    await expect(runDevicesRevoke({ io, bundle: bundleFor(mock.url), http, store, all: false }))
+    await expect(runDevicesRevoke({ configDir, io, bundle: bundleFor(mock.url), http, store, all: false }))
      .rejects
      .toThrow(/specify a device label/)
  })
--- a/cli/src/commands/auth/devices/_shared/devices.ts
+++ b/cli/src/commands/auth/devices/_shared/devices.ts
@ -1,14 +1,15 @@
 import type { SessionRow } from '@dify/contracts/api/openapi/types.gen'
 import type { KyInstance } from 'ky'
 import type { HostsBundle } from '../../../../auth/hosts.js'
-import type { Store } from '../../../../store/store.js'
+import type { TokenStore } from '../../../../auth/store.js'
 import type { IOStreams } from '../../../../sys/io/streams'
+import { unlink } from 'node:fs/promises'
+import { join } from 'node:path'
 import { AccountSessionsClient } from '../../../../api/account-sessions.js'
-import { clearLocal } from '../../../../auth/hosts.js'
+import { HOSTS_FILE_NAME } from '../../../../auth/hosts.js'
 import { BaseError } from '../../../../errors/base.js'
 import { ErrorCode } from '../../../../errors/codes.js'
 import { LIMIT_DEFAULT, LIMIT_MAX, parseLimit } from '../../../../limit/limit.js'
-import { getTokenStore } from '../../../../store/manager.js'
 import { colorEnabled, colorScheme } from '../../../../sys/io/color.js'
 import { runWithSpinner } from '../../../../sys/io/spinner.js'

@ -71,11 +72,11 @@ export async function listAllSessions(client: AccountSessionsClient): Promise<re
 }

 export type DevicesRevokeOptions = {
+  readonly configDir: string
  readonly io: IOStreams
  readonly bundle: HostsBundle | undefined
  readonly http: KyInstance
-  /** Optional override for tests; production code resolves via `getTokenStore`. */
-  readonly store?: Store
+  readonly store: TokenStore
  readonly target?: string
  readonly all: boolean
  readonly yes?: boolean
@ -103,10 +104,8 @@ export async function runDevicesRevoke(opts: DevicesRevokeOptions): Promise<void
  for (const id of ids)
    await sessions.revoke(id)

-  if (selfHit) {
-    const tokens = opts.store ?? getTokenStore().store
-    clearLocal(b, tokens)
-  }
+  if (selfHit)
+    await clearLocal(opts.configDir, b, opts.store)

  opts.io.out.write(`${cs.successIcon()} Revoked ${ids.length} session(s)\n`)
 }
@ -179,3 +178,18 @@ function renderTable(rows: readonly SessionRow[], currentId: string): string {
    cells.map((c, i) => c.padEnd(widths[i] ?? 0)).join('  ').trimEnd()
  return body.length === 0 ? `${fmt(header)}\n` : `${[fmt(header), ...body.map(fmt)].join('\n')}\n`
 }
+
+async function clearLocal(configDir: string, bundle: HostsBundle, store: TokenStore): Promise<void> {
+  const accountId = bundle.account?.id ?? bundle.external_subject?.email ?? 'default'
+  try {
+    await store.delete(bundle.current_host, accountId)
+  }
+  catch { /* best-effort */ }
+  try {
+    await unlink(join(configDir, HOSTS_FILE_NAME))
+  }
+  catch (err) {
+    if ((err as NodeJS.ErrnoException).code !== 'ENOENT')
+      throw err
+  }
+}
--- a/cli/src/commands/auth/devices/revoke/index.ts
+++ b/cli/src/commands/auth/devices/revoke/index.ts
@ -1,3 +1,4 @@
+import { selectStore } from '../../../../auth/store.js'
 import { Args, Flags } from '../../../../framework/flags.js'
 import { DifyCommand } from '../../../_shared/dify-command.js'
 import { httpRetryFlag } from '../../../_shared/global-flags.js'
@ -24,10 +25,13 @@ export default class DevicesRevoke extends DifyCommand {
  async run(argv: string[]): Promise<void> {
    const { args, flags } = this.parse(DevicesRevoke, argv)
    const ctx = await this.authedCtx({ retryFlag: flags['http-retry'] })
+    const { store } = await selectStore({ configDir: ctx.configDir })
    await runDevicesRevoke({
+      configDir: ctx.configDir,
      io: ctx.io,
      bundle: ctx.bundle,
      http: ctx.http,
+      store,
      target: args.target,
      all: flags.all,
      yes: flags.yes,
--- a/cli/src/commands/auth/login/index.ts
+++ b/cli/src/commands/auth/login/index.ts
@ -1,4 +1,5 @@
 import { Flags } from '../../../framework/flags.js'
+import { resolveConfigDir } from '../../../store/dir.js'
 import { realStreams } from '../../../sys/io/streams'
 import { DifyCommand } from '../../_shared/dify-command.js'
 import { runLogin } from './login.js'
@ -30,6 +31,7 @@ export default class Login extends DifyCommand {
  async run(argv: string[]): Promise<void> {
    const { flags } = this.parse(Login, argv)
    await runLogin({
+      configDir: resolveConfigDir(),
      io: realStreams(),
      host: flags.host,
      noBrowser: flags['no-browser'],
--- a/cli/src/commands/auth/login/login.test.ts
+++ b/cli/src/commands/auth/login/login.test.ts
@ -1,5 +1,5 @@
 import type { DifyMock } from '../../../../test/fixtures/dify-mock/server.js'
-import type { Key, Store } from '../../../store/store.js'
+import type { TokenStore } from '../../../auth/store.js'
 import type { Clock } from './device-flow.js'
 import { mkdtemp, readFile, rm } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
@ -8,8 +8,6 @@ import { afterEach, beforeEach, describe, expect, it } from 'vitest'
 import { startMock } from '../../../../test/fixtures/dify-mock/server.js'
 import { DeviceFlowApi } from '../../../api/oauth-device.js'
 import { createClient } from '../../../http/client.js'
-import { ENV_CONFIG_DIR } from '../../../store/dir.js'
-import { tokenKey } from '../../../store/manager.js'
 import { bufferStreams } from '../../../sys/io/streams'
 import { runLogin } from './login.js'

@ -20,38 +18,38 @@ const noopClock: Clock = {

 const noopBrowser = async (): Promise<void> => { /* skip OS open */ }

-class MemStore implements Store {
-  readonly entries = new Map<string, unknown>()
-  get<T>(key: Key<T>): T {
-    return (this.entries.get(key.key) as T | undefined) ?? key.default
+class MemStore implements TokenStore {
+  readonly entries = new Map<string, string>()
+  async put(host: string, accountId: string, token: string): Promise<void> {
+    this.entries.set(`${host}::${accountId}`, token)
  }

-  set<T>(key: Key<T>, value: T): void {
-    this.entries.set(key.key, value)
+  async get(host: string, accountId: string): Promise<string | undefined> {
+    return this.entries.get(`${host}::${accountId}`)
  }

-  unset<T>(key: Key<T>): void {
-    this.entries.delete(key.key)
+  async delete(host: string, accountId: string): Promise<void> {
+    this.entries.delete(`${host}::${accountId}`)
+  }
+
+  async list(host: string): Promise<readonly string[]> {
+    const prefix = `${host}::`
+    return Array.from(this.entries.keys())
+      .filter(k => k.startsWith(prefix))
+      .map(k => k.slice(prefix.length))
  }
 }

 describe('runLogin', () => {
  let mock: DifyMock
  let configDir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    mock = await startMock({ scenario: 'happy' })
    configDir = await mkdtemp(join(tmpdir(), 'difyctl-login-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = configDir
  })

  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
    await mock.stop()
    await rm(configDir, { recursive: true, force: true })
  })
@ -60,6 +58,7 @@ describe('runLogin', () => {
    const io = bufferStreams()
    const store = new MemStore()
    const bundle = await runLogin({
+      configDir,
      io,
      host: mock.url,
      noBrowser: true,
@ -74,7 +73,7 @@ describe('runLogin', () => {
    expect(bundle.account?.email).toBe('tester@dify.ai')
    expect(bundle.workspace?.id).toBe('ws-1')
    expect(bundle.available_workspaces).toHaveLength(2)
-    const stored = store.get(tokenKey(bundle.current_host, 'acct-1'))
+    const stored = await store.get(bundle.current_host, 'acct-1')
    expect(stored).toBe('dfoa_test')

    const hostsRaw = await readFile(join(configDir, 'hosts.yml'), 'utf8')
@ -92,6 +91,7 @@ describe('runLogin', () => {
    const io = bufferStreams()
    const store = new MemStore()
    const bundle = await runLogin({
+      configDir,
      io,
      host: mock.url,
      noBrowser: true,
@ -115,6 +115,7 @@ describe('runLogin', () => {
    const io = bufferStreams()
    const store = new MemStore()
    await expect(runLogin({
+      configDir,
      io,
      host: mock.url,
      noBrowser: true,
@ -134,6 +135,7 @@ describe('runLogin', () => {
    const io = bufferStreams()
    const store = new MemStore()
    await expect(runLogin({
+      configDir,
      io,
      host: mock.url,
      noBrowser: true,
@ -150,6 +152,7 @@ describe('runLogin', () => {
    const io = bufferStreams()
    const store = new MemStore()
    await expect(runLogin({
+      configDir,
      io,
      host: mock.url,
      noBrowser: true,
@ -166,6 +169,7 @@ describe('runLogin', () => {
    const io = bufferStreams()
    const store = new MemStore()
    await runLogin({
+      configDir,
      io,
      host: mock.url,
      noBrowser: true,
--- a/cli/src/commands/auth/login/login.ts
+++ b/cli/src/commands/auth/login/login.ts
@ -1,6 +1,6 @@
 import type { CodeResponse, PollSuccess } from '../../../api/oauth-device.js'
-import type { HostsBundle, Workspace } from '../../../auth/hosts.js'
-import type { StorageMode, Store } from '../../../store/store.js'
+import type { HostsBundle, StorageMode, Workspace } from '../../../auth/hosts.js'
+import type { TokenStore } from '../../../auth/store.js'
 import type { IOStreams } from '../../../sys/io/streams'
 import type { BrowserEnv, BrowserOpener } from '../../../util/browser.js'
 import type { Clock } from './device-flow.js'
@ -8,20 +8,21 @@ import * as os from 'node:os'
 import * as readline from 'node:readline'
 import { DeviceFlowApi } from '../../../api/oauth-device.js'
 import { saveHosts } from '../../../auth/hosts.js'
+import { selectStore } from '../../../auth/store.js'
 import { createClient } from '../../../http/client.js'
-import { getTokenStore, tokenKey } from '../../../store/manager.js'
 import { colorEnabled, colorScheme } from '../../../sys/io/color.js'
 import { decideOpen, OpenDecision, openUrl, realEnv } from '../../../util/browser.js'
 import { bareHost, DEFAULT_HOST, resolveHost, validateVerificationURI } from '../../../util/host.js'
 import { awaitAuthorization, realClock } from './device-flow.js'

 export type LoginOptions = {
+  readonly configDir: string
  readonly io: IOStreams
  readonly host?: string
  readonly noBrowser?: boolean
  readonly insecure?: boolean
  readonly deviceLabel?: string
-  readonly store?: { readonly store: Store, readonly mode: StorageMode }
+  readonly store?: { readonly store: TokenStore, readonly mode: StorageMode }
  readonly api?: DeviceFlowApi
  readonly browserEnv?: BrowserEnv
  readonly browserOpener?: BrowserOpener
@ -58,11 +59,11 @@ export async function runLogin(opts: LoginOptions): Promise<HostsBundle> {

  const success = await awaitAuthorization(api, code, { clock: opts.clock ?? realClock() })

-  const storeBundle = opts.store ?? getTokenStore()
+  const storeBundle = opts.store ?? await selectStore({ configDir: opts.configDir })
  const bundle = bundleFromSuccess(host, success, storeBundle.mode)

-  storeBundle.store.set(tokenKey(bundle.current_host, accountKey(bundle)), success.token)
-  saveHosts(bundle)
+  await storeBundle.store.put(bundle.current_host, accountKey(bundle), success.token)
+  await saveHosts(opts.configDir, bundle)

  renderLoggedIn(opts.io.out, cs, host, success)
  return bundle
--- a/cli/src/commands/auth/logout/index.ts
+++ b/cli/src/commands/auth/logout/index.ts
@ -1,6 +1,8 @@
 import type { KyInstance } from 'ky'
 import { loadHosts } from '../../../auth/hosts.js'
+import { selectStore } from '../../../auth/store.js'
 import { createClient } from '../../../http/client.js'
+import { resolveConfigDir } from '../../../store/dir.js'
 import { runWithSpinner } from '../../../sys/io/spinner.js'
 import { realStreams } from '../../../sys/io/streams'
 import { hostWithScheme } from '../../../util/host.js'
@ -16,7 +18,9 @@ export default class Logout extends DifyCommand {

  async run(argv: string[]): Promise<void> {
    this.parse(Logout, argv)
-    const bundle = loadHosts()
+    const configDir = resolveConfigDir()
+    const bundle = await loadHosts(configDir)
+    const { store } = await selectStore({ configDir })

    let http: KyInstance | undefined
    if (bundle !== undefined && bundle.current_host !== '' && bundle.tokens?.bearer !== undefined && bundle.tokens.bearer !== '') {
@ -30,7 +34,7 @@ export default class Logout extends DifyCommand {
    const io = realStreams()
    await runWithSpinner(
      { io, label: 'Signing out', enabled: true, style: 'dify-dim' },
-      () => runLogout({ io, bundle, http }),
+      () => runLogout({ configDir, io, bundle, http, store }),
    )
  }
 }
--- a/cli/src/commands/auth/logout/logout.test.ts
+++ b/cli/src/commands/auth/logout/logout.test.ts
@ -1,6 +1,6 @@
 import type { DifyMock } from '../../../../test/fixtures/dify-mock/server.js'
 import type { HostsBundle } from '../../../auth/hosts.js'
-import type { Key, Store } from '../../../store/store.js'
+import type { TokenStore } from '../../../auth/store.js'
 import { mkdtemp, readFile, rm, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
@ -8,23 +8,28 @@ import { afterEach, beforeEach, describe, expect, it } from 'vitest'
 import { startMock } from '../../../../test/fixtures/dify-mock/server.js'
 import { saveHosts } from '../../../auth/hosts.js'
 import { createClient } from '../../../http/client.js'
-import { ENV_CONFIG_DIR } from '../../../store/dir.js'
-import { tokenKey } from '../../../store/manager.js'
 import { bufferStreams } from '../../../sys/io/streams'
 import { runLogout } from './logout.js'

-class MemStore implements Store {
-  readonly entries = new Map<string, unknown>()
-  get<T>(key: Key<T>): T {
-    return (this.entries.get(key.key) as T | undefined) ?? key.default
+class MemStore implements TokenStore {
+  readonly entries = new Map<string, string>()
+  async put(host: string, accountId: string, token: string): Promise<void> {
+    this.entries.set(`${host}::${accountId}`, token)
  }

-  set<T>(key: Key<T>, value: T): void {
-    this.entries.set(key.key, value)
+  async get(host: string, accountId: string): Promise<string | undefined> {
+    return this.entries.get(`${host}::${accountId}`)
  }

-  unset<T>(key: Key<T>): void {
-    this.entries.delete(key.key)
+  async delete(host: string, accountId: string): Promise<void> {
+    this.entries.delete(`${host}::${accountId}`)
+  }
+
+  async list(host: string): Promise<readonly string[]> {
+    const prefix = `${host}::`
+    return Array.from(this.entries.keys())
+      .filter(k => k.startsWith(prefix))
+      .map(k => k.slice(prefix.length))
  }
 }

@ -47,20 +52,13 @@ function fixtureBundle(host: string): HostsBundle {
 describe('runLogout', () => {
  let mock: DifyMock
  let configDir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    mock = await startMock({ scenario: 'happy' })
    configDir = await mkdtemp(join(tmpdir(), 'difyctl-logout-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = configDir
  })

  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
    await mock.stop()
    await rm(configDir, { recursive: true, force: true })
  })
@ -69,11 +67,11 @@ describe('runLogout', () => {
    const io = bufferStreams()
    const store = new MemStore()
    const bundle = fixtureBundle(mock.url)
-    store.set(tokenKey(bundle.current_host, 'acct-1'), 'dfoa_test')
-    saveHosts(bundle)
+    await store.put(bundle.current_host, 'acct-1', 'dfoa_test')
+    await saveHosts(configDir, bundle)
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runLogout({ io, bundle, http, store })
+    await runLogout({ configDir, io, bundle, http, store })

    expect(store.entries.size).toBe(0)
    await expect(readFile(join(configDir, 'hosts.yml'), 'utf8')).rejects.toThrow(/ENOENT/)
@ -84,7 +82,7 @@ describe('runLogout', () => {
  it('not-logged-in: throws BaseError', async () => {
    const io = bufferStreams()
    const store = new MemStore()
-    await expect(runLogout({ io, bundle: undefined, store })).rejects.toThrow(/not logged in/)
+    await expect(runLogout({ configDir, io, bundle: undefined, store })).rejects.toThrow(/not logged in/)
  })

  it('hosts.yml absent: still completes locally + emits success', async () => {
@ -93,7 +91,7 @@ describe('runLogout', () => {
    const bundle = fixtureBundle(mock.url)
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runLogout({ io, bundle, http, store })
+    await runLogout({ configDir, io, bundle, http, store })

    expect(io.outBuf()).toContain('Logged out of')
  })
@ -102,12 +100,12 @@ describe('runLogout', () => {
    const io = bufferStreams()
    const store = new MemStore()
    const bundle = fixtureBundle(mock.url)
-    store.set(tokenKey(bundle.current_host, 'acct-1'), 'dfoa_test')
-    saveHosts(bundle)
+    await store.put(bundle.current_host, 'acct-1', 'dfoa_test')
+    await saveHosts(configDir, bundle)
    mock.setScenario('server-5xx')
    const http = createClient({ host: mock.url, bearer: 'dfoa_test', retryAttempts: 0 })

-    await runLogout({ io, bundle, http, store })
+    await runLogout({ configDir, io, bundle, http, store })

    expect(store.entries.size).toBe(0)
    expect(io.errBuf()).toContain('server revoke failed')
@ -119,11 +117,11 @@ describe('runLogout', () => {
    const store = new MemStore()
    const bundle = fixtureBundle(mock.url)
    bundle.tokens = { bearer: 'dfp_personal_token' }
-    store.set(tokenKey(bundle.current_host, 'acct-1'), 'dfp_personal_token')
-    saveHosts(bundle)
+    await store.put(bundle.current_host, 'acct-1', 'dfp_personal_token')
+    await saveHosts(configDir, bundle)
    const http = createClient({ host: mock.url, bearer: 'dfp_personal_token' })

-    await runLogout({ io, bundle, http, store })
+    await runLogout({ configDir, io, bundle, http, store })

    expect(io.errBuf()).toBe('')
    expect(store.entries.size).toBe(0)
@ -133,11 +131,11 @@ describe('runLogout', () => {
    const io = bufferStreams()
    const store = new MemStore()
    const bundle = fixtureBundle(mock.url)
-    saveHosts(bundle)
+    await saveHosts(configDir, bundle)
    await writeFile(join(configDir, 'config.yml'), 'foo: bar\n', 'utf8')
    const http = createClient({ host: mock.url, bearer: 'dfoa_test' })

-    await runLogout({ io, bundle, http, store })
+    await runLogout({ configDir, io, bundle, http, store })

    const cfg = await readFile(join(configDir, 'config.yml'), 'utf8')
    expect(cfg).toContain('foo: bar')
--- a/cli/src/commands/auth/logout/logout.ts
+++ b/cli/src/commands/auth/logout/logout.ts
@ -1,20 +1,21 @@
 import type { KyInstance } from 'ky'
 import type { HostsBundle } from '../../../auth/hosts.js'
-import type { Store } from '../../../store/store.js'
+import type { TokenStore } from '../../../auth/store.js'
 import type { IOStreams } from '../../../sys/io/streams'
+import { unlink } from 'node:fs/promises'
+import { join } from 'node:path'
 import { AccountSessionsClient } from '../../../api/account-sessions.js'
-import { clearLocal } from '../../../auth/hosts.js'
+import { HOSTS_FILE_NAME } from '../../../auth/hosts.js'
 import { BaseError } from '../../../errors/base.js'
 import { ErrorCode } from '../../../errors/codes.js'
-import { getTokenStore } from '../../../store/manager.js'
 import { colorEnabled, colorScheme } from '../../../sys/io/color.js'

 export type LogoutOptions = {
+  readonly configDir: string
  readonly io: IOStreams
  readonly bundle: HostsBundle | undefined
  readonly http?: KyInstance
-  /** Optional override for tests; production code resolves via `getTokenStore`. */
-  readonly store?: Store
+  readonly store: TokenStore
 }

 export async function runLogout(opts: LogoutOptions): Promise<void> {
@ -39,8 +40,7 @@ export async function runLogout(opts: LogoutOptions): Promise<void> {
    }
  }

-  const tokens = opts.store ?? getTokenStore().store
-  clearLocal(bundle, tokens)
+  await clearLocal(opts.configDir, bundle, opts.store)

  if (revokeWarning !== '')
    opts.io.err.write(revokeWarning)
@ -52,3 +52,19 @@ const REVOCABLE_PREFIXES = ['dfoa_', 'dfoe_'] as const
 function revokeAllowed(bearer: string): boolean {
  return REVOCABLE_PREFIXES.some(p => bearer.startsWith(p))
 }
+
+async function clearLocal(configDir: string, bundle: HostsBundle, store: TokenStore): Promise<void> {
+  const accountId = bundle.account?.id ?? bundle.external_subject?.email ?? 'default'
+  try {
+    await store.delete(bundle.current_host, accountId)
+  }
+  catch { /* best-effort */ }
+  const hostsPath = join(configDir, HOSTS_FILE_NAME)
+  try {
+    await unlink(hostsPath)
+  }
+  catch (err) {
+    if ((err as NodeJS.ErrnoException).code !== 'ENOENT')
+      throw err
+  }
+}
--- a/cli/src/commands/auth/status/index.ts
+++ b/cli/src/commands/auth/status/index.ts
@ -1,5 +1,6 @@
 import { loadHosts } from '../../../auth/hosts.js'
 import { Flags } from '../../../framework/flags.js'
+import { resolveConfigDir } from '../../../store/dir.js'
 import { realStreams } from '../../../sys/io/streams'
 import { DifyCommand } from '../../_shared/dify-command.js'
 import { runStatus } from './status.js'
@ -20,7 +21,8 @@ export default class Status extends DifyCommand {

  async run(argv: string[]): Promise<void> {
    const { flags } = this.parse(Status, argv)
-    const bundle = loadHosts()
+    const configDir = resolveConfigDir()
+    const bundle = await loadHosts(configDir)
    await runStatus({ io: realStreams(), bundle, verbose: flags.verbose, json: flags.json })
  }
 }
--- a/cli/src/commands/auth/whoami/index.ts
+++ b/cli/src/commands/auth/whoami/index.ts
@ -1,5 +1,6 @@
 import { loadHosts } from '../../../auth/hosts.js'
 import { Flags } from '../../../framework/flags.js'
+import { resolveConfigDir } from '../../../store/dir.js'
 import { realStreams } from '../../../sys/io/streams'
 import { DifyCommand } from '../../_shared/dify-command.js'
 import { runWhoami } from './whoami.js'
@ -18,7 +19,8 @@ export default class Whoami extends DifyCommand {

  async run(argv: string[]): Promise<void> {
    const { flags } = this.parse(Whoami, argv)
-    const bundle = loadHosts()
+    const configDir = resolveConfigDir()
+    const bundle = await loadHosts(configDir)
    await runWhoami({ io: realStreams(), bundle, json: flags.json })
  }
 }
--- a/cli/src/commands/config/get/run.test.ts
+++ b/cli/src/commands/config/get/run.test.ts
@ -1,49 +1,43 @@
-import { mkdtemp, rm } from 'node:fs/promises'
+import { mkdtemp, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
-import { afterEach, beforeEach, describe, expect, it } from 'vitest'
+import { beforeEach, describe, expect, it } from 'vitest'
+import { FILE_NAME } from '../../../config/schema.js'
 import { isBaseError } from '../../../errors/base.js'
 import { ErrorCode } from '../../../errors/codes.js'
-import { ENV_CONFIG_DIR } from '../../../store/dir.js'
-import { getConfigurationStore } from '../../../store/manager.js'
+import { YamlStore } from '../../../store/store.js'
 import { runConfigGet } from './run.js'

+function makeStore(dir: string): YamlStore {
+  return new YamlStore(join(dir, FILE_NAME))
+}
+
 describe('runConfigGet', () => {
  let dir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-get-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = dir
  })

-  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
-    await rm(dir, { recursive: true, force: true })
-  })
-
-  it('returns set value with trailing newline', () => {
-    getConfigurationStore().setTyped({
-      schema_version: 1,
-      defaults: { format: 'yaml' },
-    })
-    const out = runConfigGet({ store: getConfigurationStore(), key: 'defaults.format' })
+  it('returns set value with trailing newline', async () => {
+    await writeFile(
+      join(dir, FILE_NAME),
+      'schema_version: 1\ndefaults:\n  format: yaml\n',
+      'utf8',
+    )
+    const out = runConfigGet({ store: makeStore(dir), key: 'defaults.format' })
    expect(out).toBe('yaml\n')
  })

  it('returns empty line when key is unset (matches Go fmt.Fprintln)', () => {
-    const out = runConfigGet({ store: getConfigurationStore(), key: 'defaults.format' })
+    const out = runConfigGet({ store: makeStore(dir), key: 'defaults.format' })
    expect(out).toBe('\n')
  })

  it('throws BaseError(config_invalid_key) on unknown key', () => {
    let caught: unknown
    try {
-      runConfigGet({ store: getConfigurationStore(), key: 'bogus.key' })
+      runConfigGet({ store: makeStore(dir), key: 'bogus.key' })
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
@ -51,12 +45,13 @@ describe('runConfigGet', () => {
      expect(caught.code).toBe(ErrorCode.ConfigInvalidKey)
  })

-  it('returns numeric limit as string', () => {
-    getConfigurationStore().setTyped({
-      schema_version: 1,
-      defaults: { limit: 75 },
-    })
-    const out = runConfigGet({ store: getConfigurationStore(), key: 'defaults.limit' })
+  it('returns numeric limit as string', async () => {
+    await writeFile(
+      join(dir, FILE_NAME),
+      'schema_version: 1\ndefaults:\n  limit: 75\n',
+      'utf8',
+    )
+    const out = runConfigGet({ store: makeStore(dir), key: 'defaults.limit' })
    expect(out).toBe('75\n')
  })
 })
--- a/cli/src/commands/config/path/index.ts
+++ b/cli/src/commands/config/path/index.ts
@ -1,8 +1,7 @@
-import { join } from 'node:path'
 import { raw } from '../../../framework/output.js'
 import { resolveConfigDir } from '../../../store/dir.js'
-import { CONFIG_FILE_NAME } from '../../../store/manager.js'
 import { DifyCommand } from '../../_shared/dify-command.js'
+import { runConfigPath } from './run.js'

 export default class ConfigPath extends DifyCommand {
  static override description = 'Print the resolved config.yml path'
@ -13,8 +12,6 @@ export default class ConfigPath extends DifyCommand {

  async run(argv: string[]) {
    this.parse(ConfigPath, argv)
-    return raw(
-      join(resolveConfigDir(), CONFIG_FILE_NAME),
-    )
+    return raw(runConfigPath({ dir: resolveConfigDir() }))
  }
 }
--- a/cli/src/commands/config/path/run.test.ts
+++ b/cli/src/commands/config/path/run.test.ts
@ -0,0 +1,14 @@
+import { describe, expect, it } from 'vitest'
+import { runConfigPath } from './run.js'
+
+describe('runConfigPath', () => {
+  it('joins dir and config.yml with trailing newline', () => {
+    const out = runConfigPath({ dir: '/tmp/x' })
+    expect(out).toBe('/tmp/x/config.yml\n')
+  })
+
+  it('handles trailing slash on dir', () => {
+    const out = runConfigPath({ dir: '/tmp/x/' })
+    expect(out).toBe('/tmp/x/config.yml\n')
+  })
+})
--- a/cli/src/commands/config/path/run.ts
+++ b/cli/src/commands/config/path/run.ts
@ -0,0 +1,10 @@
+import { join } from 'node:path'
+import { FILE_NAME } from '../../../config/schema.js'
+
+export type RunConfigPathOptions = {
+  readonly dir: string
+}
+
+export function runConfigPath(opts: RunConfigPathOptions): string {
+  return `${join(opts.dir, FILE_NAME)}\n`
+}
--- a/cli/src/commands/config/set/run.test.ts
+++ b/cli/src/commands/config/set/run.test.ts
@ -1,46 +1,35 @@
-import { mkdtemp, rm } from 'node:fs/promises'
+import { mkdtemp, readFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
-import { afterEach, beforeEach, describe, expect, it } from 'vitest'
-import { loadConfig } from '../../../config/config-loader.js'
+import { beforeEach, describe, expect, it } from 'vitest'
+import { FILE_NAME } from '../../../config/schema.js'
 import { isBaseError } from '../../../errors/base.js'
 import { ErrorCode, ExitCode } from '../../../errors/codes.js'
-import { ENV_CONFIG_DIR } from '../../../store/dir.js'
-import { getConfigurationStore } from '../../../store/manager.js'
+import { YamlStore } from '../../../store/store.js'
 import { runConfigSet } from './run.js'

+function makeStore(dir: string): YamlStore {
+  return new YamlStore(join(dir, FILE_NAME))
+}
+
 describe('runConfigSet', () => {
  let dir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-set-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = dir
  })

-  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
-    await rm(dir, { recursive: true, force: true })
-  })
-
-  it('persists the value and returns "set k = v\\n"', () => {
-    const out = runConfigSet({ store: getConfigurationStore(), key: 'defaults.format', value: 'json' })
+  it('writes config.yml and returns "set k = v\\n"', async () => {
+    const out = runConfigSet({ store: makeStore(dir), key: 'defaults.format', value: 'json' })
    expect(out).toBe('set defaults.format = json\n')
-
-    const r = loadConfig(getConfigurationStore())
-    expect(r.found).toBe(true)
-    if (r.found)
-      expect(r.config.defaults.format).toBe('json')
+    const raw = await readFile(join(dir, FILE_NAME), 'utf8')
+    expect(raw).toContain('format: json')
  })

-  it('rejects invalid format value with config_invalid_value', () => {
+  it('rejects invalid format value with config_invalid_value', async () => {
    let caught: unknown
    try {
-      runConfigSet({ store: getConfigurationStore(), key: 'defaults.format', value: 'csv' })
+      runConfigSet({ store: makeStore(dir), key: 'defaults.format', value: 'csv' })
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
@ -51,7 +40,7 @@ describe('runConfigSet', () => {
  it('rejects unknown key with config_invalid_key', () => {
    let caught: unknown
    try {
-      runConfigSet({ store: getConfigurationStore(), key: 'bogus', value: 'x' })
+      runConfigSet({ store: makeStore(dir), key: 'bogus', value: 'x' })
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
@ -59,22 +48,18 @@ describe('runConfigSet', () => {
      expect(caught.code).toBe(ErrorCode.ConfigInvalidKey)
  })

-  it('preserves prior keys when setting a new one', () => {
-    runConfigSet({ store: getConfigurationStore(), key: 'defaults.format', value: 'yaml' })
-    runConfigSet({ store: getConfigurationStore(), key: 'defaults.limit', value: '40' })
-
-    const r = loadConfig(getConfigurationStore())
-    expect(r.found).toBe(true)
-    if (r.found) {
-      expect(r.config.defaults.format).toBe('yaml')
-      expect(r.config.defaults.limit).toBe(40)
-    }
+  it('preserves prior keys when setting a new one', async () => {
+    runConfigSet({ store: makeStore(dir), key: 'defaults.format', value: 'yaml' })
+    runConfigSet({ store: makeStore(dir), key: 'defaults.limit', value: '40' })
+    const raw = await readFile(join(dir, FILE_NAME), 'utf8')
+    expect(raw).toContain('format: yaml')
+    expect(raw).toContain('limit: 40')
  })

  it('exit code for invalid value is Usage (2)', () => {
    let caught: unknown
    try {
-      runConfigSet({ store: getConfigurationStore(), key: 'defaults.format', value: 'csv' })
+      runConfigSet({ store: makeStore(dir), key: 'defaults.format', value: 'csv' })
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
@ -85,7 +70,7 @@ describe('runConfigSet', () => {
  it('exit code for unknown key is Usage (2)', () => {
    let caught: unknown
    try {
-      runConfigSet({ store: getConfigurationStore(), key: 'bogus', value: 'x' })
+      runConfigSet({ store: makeStore(dir), key: 'bogus', value: 'x' })
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
@ -96,7 +81,7 @@ describe('runConfigSet', () => {
  it('typed wrap chain: invalid defaults.limit surfaces ConfigInvalidValue (not UsageInvalidFlag)', () => {
    let caught: unknown
    try {
-      runConfigSet({ store: getConfigurationStore(), key: 'defaults.limit', value: 'abc' })
+      runConfigSet({ store: makeStore(dir), key: 'defaults.limit', value: 'abc' })
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
--- a/cli/src/commands/config/unset/run.test.ts
+++ b/cli/src/commands/config/unset/run.test.ts
@ -1,61 +1,48 @@
-import { mkdtemp, rm } from 'node:fs/promises'
+import { mkdtemp, readFile, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
-import { afterEach, beforeEach, describe, expect, it } from 'vitest'
-import { loadConfig } from '../../../config/config-loader.js'
+import { beforeEach, describe, expect, it } from 'vitest'
+import { FILE_NAME } from '../../../config/schema.js'
 import { isBaseError } from '../../../errors/base.js'
 import { ErrorCode } from '../../../errors/codes.js'
-import { ENV_CONFIG_DIR } from '../../../store/dir.js'
-import { getConfigurationStore } from '../../../store/manager.js'
+import { YamlStore } from '../../../store/store.js'
 import { runConfigUnset } from './run.js'

+function makeStore(dir: string): YamlStore {
+  return new YamlStore(join(dir, FILE_NAME))
+}
+
 describe('runConfigUnset', () => {
  let dir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-unset-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = dir
  })

-  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
-    await rm(dir, { recursive: true, force: true })
-  })
-
-  it('clears the requested key, leaves others intact', () => {
-    getConfigurationStore().setTyped({
-      schema_version: 1,
-      defaults: { format: 'json', limit: 25 },
-    })
-    const out = runConfigUnset({ store: getConfigurationStore(), key: 'defaults.format' })
+  it('clears the requested key, leaves others intact', async () => {
+    await writeFile(
+      join(dir, FILE_NAME),
+      'schema_version: 1\ndefaults:\n  format: json\n  limit: 25\n',
+      'utf8',
+    )
+    const out = runConfigUnset({ store: makeStore(dir), key: 'defaults.format' })
    expect(out).toBe('unset defaults.format\n')
-
-    const r = loadConfig(getConfigurationStore())
-    expect(r.found).toBe(true)
-    if (r.found) {
-      expect(r.config.defaults.format).not.toBe('json')
-      expect(r.config.defaults.limit).toBe(25)
-    }
+    const raw = await readFile(join(dir, FILE_NAME), 'utf8')
+    expect(raw).not.toContain('format:')
+    expect(raw).toContain('limit: 25')
  })

-  it('is a no-op (writes empty config) when key was already unset', () => {
-    const out = runConfigUnset({ store: getConfigurationStore(), key: 'defaults.format' })
+  it('is a no-op (writes empty config) when key was already unset', async () => {
+    const out = runConfigUnset({ store: makeStore(dir), key: 'defaults.format' })
    expect(out).toBe('unset defaults.format\n')
-    const r = loadConfig(getConfigurationStore())
-    expect(r.found).toBe(true)
-    if (r.found)
-      expect(r.config.schema_version).toBe(1)
+    const raw = await readFile(join(dir, FILE_NAME), 'utf8')
+    expect(raw).toContain('schema_version: 1')
  })

  it('rejects unknown key', () => {
    let caught: unknown
    try {
-      runConfigUnset({ store: getConfigurationStore(), key: 'bogus' })
+      runConfigUnset({ store: makeStore(dir), key: 'bogus' })
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
--- a/cli/src/commands/config/view/run.test.ts
+++ b/cli/src/commands/config/view/run.test.ts
@ -1,69 +1,67 @@
-import { mkdtemp, rm } from 'node:fs/promises'
+import { mkdtemp, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { afterEach, beforeEach, describe, expect, it } from 'vitest'
-import { ENV_CONFIG_DIR } from '../../../store/dir.js'
-import { getConfigurationStore } from '../../../store/manager.js'
+import { FILE_NAME } from '../../../config/schema.js'
+import { YamlStore } from '../../../store/store.js'
 import { runConfigView } from './run.js'

+function makeStore(dir: string): YamlStore {
+  return new YamlStore(join(dir, FILE_NAME))
+}
+
 describe('runConfigView', () => {
  let dir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-view-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = dir
  })

  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
-    await rm(dir, { recursive: true, force: true })
+    // tmpdir cleanup is best-effort
  })

  it('text format: empty config returns empty string', () => {
-    const out = runConfigView({ store: getConfigurationStore() })
+    const out = runConfigView({ store: makeStore(dir) })
    expect(out).toBe('')
  })

-  it('text format: emits "key = value" lines for set keys only', () => {
-    getConfigurationStore().setTyped({
-      schema_version: 1,
-      defaults: { format: 'json', limit: 50 },
-      state: { current_app: 'app-1' },
-    })
-    const out = runConfigView({ store: getConfigurationStore() })
+  it('text format: emits "key = value" lines for set keys only', async () => {
+    await writeFile(
+      join(dir, FILE_NAME),
+      'schema_version: 1\ndefaults:\n  format: json\n  limit: 50\nstate:\n  current_app: app-1\n',
+      'utf8',
+    )
+    const out = runConfigView({ store: makeStore(dir) })
    expect(out).toBe(
      'defaults.format = json\ndefaults.limit = 50\nstate.current_app = app-1\n',
    )
  })

-  it('text format: skips unset keys', () => {
-    getConfigurationStore().setTyped({
-      schema_version: 1,
-      defaults: { format: 'yaml' },
-    })
-    const out = runConfigView({ store: getConfigurationStore() })
+  it('text format: skips unset keys', async () => {
+    await writeFile(
+      join(dir, FILE_NAME),
+      'schema_version: 1\ndefaults:\n  format: yaml\n',
+      'utf8',
+    )
+    const out = runConfigView({ store: makeStore(dir) })
    expect(out).toBe('defaults.format = yaml\n')
    expect(out).not.toContain('defaults.limit')
    expect(out).not.toContain('state.current_app')
  })

  it('json format: empty config returns "{}\\n"', () => {
-    const out = runConfigView({ store: getConfigurationStore(), json: true })
+    const out = runConfigView({ store: makeStore(dir), json: true })
    expect(out).toBe('{}\n')
  })

-  it('json format: defaults.limit is numeric, others are strings', () => {
-    getConfigurationStore().setTyped({
-      schema_version: 1,
-      defaults: { format: 'table', limit: 100 },
-      state: { current_app: 'app-x' },
-    })
-    const out = runConfigView({ store: getConfigurationStore(), json: true })
+  it('json format: defaults.limit is numeric, others are strings', async () => {
+    await writeFile(
+      join(dir, FILE_NAME),
+      'schema_version: 1\ndefaults:\n  format: table\n  limit: 100\nstate:\n  current_app: app-x\n',
+      'utf8',
+    )
+    const out = runConfigView({ store: makeStore(dir), json: true })
    const parsed = JSON.parse(out) as Record<string, unknown>
    expect(parsed['defaults.format']).toBe('table')
    expect(parsed['defaults.limit']).toBe(100)
@ -71,7 +69,7 @@ describe('runConfigView', () => {
  })

  it('json format: trailing newline matches Go encoder.Encode', () => {
-    const out = runConfigView({ store: getConfigurationStore(), json: true })
+    const out = runConfigView({ store: makeStore(dir), json: true })
    expect(out.endsWith('\n')).toBe(true)
  })
 })
--- a/cli/src/commands/describe/app/run.test.ts
+++ b/cli/src/commands/describe/app/run.test.ts
@ -8,8 +8,8 @@ import { startMock } from '../../../../test/fixtures/dify-mock/server.js'
 import { loadAppInfoCache } from '../../../cache/app-info.js'
 import { formatted, stringifyOutput } from '../../../framework/output.js'
 import { createClient } from '../../../http/client.js'
-import { ENV_CACHE_DIR } from '../../../store/dir.js'
-import { CACHE_APP_INFO, getCache } from '../../../store/manager.js'
+import { CACHE_APP_INFO, cachePath } from '../../../store/manager.js'
+import { YamlStore } from '../../../store/store.js'
 import { runDescribeApp } from './run.js'

 function bundle(): HostsBundle {
@ -29,24 +29,17 @@ function bundle(): HostsBundle {
 describe('runDescribeApp', () => {
  let mock: DifyMock
  let dir: string
-  let prevCacheDir: string | undefined
  beforeEach(async () => {
    mock = await startMock({ scenario: 'happy' })
    dir = await mkdtemp(join(tmpdir(), 'difyctl-desc-'))
-    prevCacheDir = process.env[ENV_CACHE_DIR]
-    process.env[ENV_CACHE_DIR] = dir
  })
  afterEach(async () => {
-    if (prevCacheDir === undefined)
-      delete process.env[ENV_CACHE_DIR]
-    else
-      process.env[ENV_CACHE_DIR] = prevCacheDir
    await mock.stop()
    await rm(dir, { recursive: true, force: true })
  })

  async function render(opts: Parameters<typeof runDescribeApp>[0]): Promise<string> {
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    const data = await runDescribeApp(
      opts,
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, cache },
@ -89,7 +82,7 @@ describe('runDescribeApp', () => {
  })

  it('refresh: bypasses cache', async () => {
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runDescribeApp(
      { appId: 'app-1' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, cache },
--- a/cli/src/commands/run/app/run.test.ts
+++ b/cli/src/commands/run/app/run.test.ts
@ -7,8 +7,8 @@ import { afterEach, beforeEach, describe, expect, it } from 'vitest'
 import { startMock } from '../../../../test/fixtures/dify-mock/server.js'
 import { loadAppInfoCache } from '../../../cache/app-info.js'
 import { createClient } from '../../../http/client.js'
-import { ENV_CACHE_DIR } from '../../../store/dir.js'
-import { CACHE_APP_INFO, getCache } from '../../../store/manager.js'
+import { CACHE_APP_INFO, cachePath } from '../../../store/manager.js'
+import { YamlStore } from '../../../store/store.js'
 import { bufferStreams } from '../../../sys/io/streams'
 import { resumeApp } from '../../resume/app/run.js'
 import { runApp } from './run.js'
@ -30,25 +30,18 @@ function bundle(): HostsBundle {
 describe('runApp', () => {
  let mock: DifyMock
  let dir: string
-  let prevCacheDir: string | undefined
  beforeEach(async () => {
    mock = await startMock({ scenario: 'happy' })
    dir = await mkdtemp(join(tmpdir(), 'difyctl-runapp-'))
-    prevCacheDir = process.env[ENV_CACHE_DIR]
-    process.env[ENV_CACHE_DIR] = dir
  })
  afterEach(async () => {
-    if (prevCacheDir === undefined)
-      delete process.env[ENV_CACHE_DIR]
-    else
-      process.env[ENV_CACHE_DIR] = prevCacheDir
    await mock.stop()
    await rm(dir, { recursive: true, force: true })
  })

  it('chat: prints answer + conversation hint to stderr', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-1', message: 'hi' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -59,7 +52,7 @@ describe('runApp', () => {

  it('workflow: rejects positional message with usage error', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await expect(runApp(
      { appId: 'app-2', message: 'hi' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -68,7 +61,7 @@ describe('runApp', () => {

  it('workflow: prints single-string output as plain text', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-2', inputs: { x: '1' } },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -78,7 +71,7 @@ describe('runApp', () => {

  it('json: passes through full envelope', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-1', message: 'hi', format: 'json' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -111,7 +104,7 @@ describe('runApp', () => {

  it('--stream chat: streams answer to stdout and hint to stderr', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-1', message: 'hi', stream: true },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -123,7 +116,7 @@ describe('runApp', () => {

  it('--stream -o json chat: aggregates into blocking-shape envelope', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-1', message: 'hi', stream: true, format: 'json' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -136,7 +129,7 @@ describe('runApp', () => {

  it('agent-chat without --stream: collects and prints answer', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-4', workspace: 'ws-2', message: 'do research' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -147,7 +140,7 @@ describe('runApp', () => {

  it('agent-chat with --stream: live-prints answer and thoughts to stderr', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-4', workspace: 'ws-2', message: 'go', stream: true },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -158,7 +151,7 @@ describe('runApp', () => {

  it('--stream workflow -o json: aggregates from workflow_finished', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-2', inputs: { x: '1' }, stream: true, format: 'json' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -171,7 +164,7 @@ describe('runApp', () => {
  it('stream-error scenario: error event surfaces typed BaseError', async () => {
    mock.setScenario('stream-error')
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await expect(runApp(
      { appId: 'app-1', message: 'hi', stream: true },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test', retryAttempts: 0 }), host: mock.url, io, cache },
@ -180,7 +173,7 @@ describe('runApp', () => {

  it('--inputs-file: reads inputs from file', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    const inputsFile = join(dir, 'inputs.json')
    const { writeFile } = await import('node:fs/promises')
    await writeFile(inputsFile, JSON.stringify({ x: 'from-file' }))
@ -204,7 +197,7 @@ describe('runApp', () => {

  it('--inputs: accepts JSON object string', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-2', inputsJson: '{"x":"hello"}' },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -226,7 +219,7 @@ describe('runApp', () => {
  it('hitl pause (text): writes readable block to stdout, hint to stderr, exits 0', async () => {
    mock.setScenario('hitl-pause')
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    let exitCode = -1
    await expect(runApp(
      { appId: 'app-2', inputs: {} },
@ -255,7 +248,7 @@ describe('runApp', () => {
  it('hitl pause (json): writes JSON envelope to stdout, exits 0', async () => {
    mock.setScenario('hitl-pause')
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    let exitCode = -1
    await expect(runApp(
      { appId: 'app-2', inputs: {}, format: 'json' },
@ -281,7 +274,7 @@ describe('runApp', () => {
  it('resume: withHistory: false completes successfully', async () => {
    mock.setScenario('hitl-resume')
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await resumeApp(
      { appId: 'app-2', formToken: 'ft-hitl-1', workflowRunId: 'wf-run-hitl-1', action: 'submit', inputs: {}, withHistory: false },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -292,7 +285,7 @@ describe('runApp', () => {
  it('resume: submits form and streams workflow to completion', async () => {
    mock.setScenario('hitl-resume')
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await resumeApp(
      { appId: 'app-2', formToken: 'ft-hitl-1', workflowRunId: 'wf-run-hitl-1', action: 'submit', inputs: {} },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -303,7 +296,7 @@ describe('runApp', () => {
  it('resume --stream: live-prints workflow node progress to stderr', async () => {
    mock.setScenario('hitl-resume')
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await resumeApp(
      { appId: 'app-2', formToken: 'ft-hitl-1', workflowRunId: 'wf-run-hitl-1', action: 'submit', inputs: {}, stream: true },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -314,7 +307,7 @@ describe('runApp', () => {

  it('workflow: --file remote URL is passed as remote_url input variable', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-2', files: ['doc=https://example.com/report.pdf'] },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
@ -333,7 +326,7 @@ describe('runApp', () => {
  it('workflow: --file @path uploads file and passes local_file input variable', async () => {
    const { writeFile } = await import('node:fs/promises')
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    const filePath = join(dir, 'test.pdf')
    await writeFile(filePath, 'fake pdf content')
    await runApp(
@ -352,7 +345,7 @@ describe('runApp', () => {

  it('workflow: --file overrides same-named key from --inputs (file wins)', async () => {
    const io = bufferStreams()
-    const cache = await loadAppInfoCache({ store: getCache(CACHE_APP_INFO) })
+    const cache = await loadAppInfoCache({ store: new YamlStore(cachePath(dir, CACHE_APP_INFO)) })
    await runApp(
      { appId: 'app-2', inputs: { doc: 'old-value' }, files: ['doc=https://example.com/override.pdf'] },
      { bundle: bundle(), http: createClient({ host: mock.url, bearer: 'dfoa_test' }), host: mock.url, io, cache },
--- a/cli/src/commands/use/workspace/index.ts
+++ b/cli/src/commands/use/workspace/index.ts
@ -22,6 +22,7 @@ export default class UseWorkspace extends DifyCommand {
    const { args, flags } = this.parse(UseWorkspace, argv)
    const ctx = await this.authedCtx({ retryFlag: flags['http-retry'] })
    await runUseWorkspace({ workspaceId: args.workspaceId }, {
+      configDir: ctx.configDir,
      bundle: ctx.bundle,
      http: ctx.http,
      io: ctx.io,
--- a/cli/src/commands/use/workspace/use.test.ts
+++ b/cli/src/commands/use/workspace/use.test.ts
@ -9,7 +9,6 @@ import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import { loadHosts, saveHosts } from '../../../auth/hosts.js'
-import { ENV_CONFIG_DIR } from '../../../store/dir.js'
 import { bufferStreams } from '../../../sys/io/streams.js'
 import { runUseWorkspace } from './use.js'

@ -52,29 +51,23 @@ function fakeClient(opts: {
 describe('runUseWorkspace', () => {
  let configDir: string

-  let prevConfigDir: string | undefined
  beforeEach(async () => {
    configDir = await mkdtemp(join(tmpdir(), 'difyctl-use-workspace-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = configDir
  })
  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
    await rm(configDir, { recursive: true, force: true })
  })

  it('happy path: POST /switch → GET /workspaces → write hosts.yml', async () => {
    const io = bufferStreams()
    const b = bundle()
-    saveHosts(b)
+    await saveHosts(configDir, b)
    const client = fakeClient({})

    const next = await runUseWorkspace(
      { workspaceId: 'ws-2' },
      {
+        configDir,
        bundle: b,
        http: {} as KyInstance,
        io,
@ -89,7 +82,7 @@ describe('runUseWorkspace', () => {
      { id: 'ws-1', name: 'Default', role: 'owner' },
      { id: 'ws-2', name: 'Switched', role: 'normal' },
    ])
-    const reloaded = loadHosts()
+    const reloaded = await loadHosts(configDir)
    expect(reloaded?.workspace?.id).toBe('ws-2')
    expect(reloaded?.workspace?.name).toBe('Switched')
    expect(io.outBuf()).toMatch(/Switched to Switched \(ws-2\)/)
@ -100,15 +93,15 @@ describe('runUseWorkspace', () => {
    // We expect saveHosts to record the fresh name from the server.
    const io = bufferStreams()
    const b = bundle()
-    saveHosts(b)
+    await saveHosts(configDir, b)
    const client = fakeClient({})

    await runUseWorkspace(
      { workspaceId: 'ws-2' },
-      { bundle: b, http: {} as KyInstance, io, workspacesFactory: () => client as never },
+      { configDir, bundle: b, http: {} as KyInstance, io, workspacesFactory: () => client as never },
    )

-    const reloaded = loadHosts()
+    const reloaded = await loadHosts(configDir)
    expect(reloaded?.workspace?.name).toBe('Switched')
    expect(reloaded?.available_workspaces?.find(w => w.id === 'ws-2')?.name).toBe('Switched')
  })
@ -116,8 +109,8 @@ describe('runUseWorkspace', () => {
  it('does NOT mutate hosts.yml when POST /switch fails', async () => {
    const io = bufferStreams()
    const b = bundle()
-    saveHosts(b)
-    const before = loadHosts()
+    await saveHosts(configDir, b)
+    const before = await loadHosts(configDir)

    const client = fakeClient({
      switch: () => Promise.reject(new Error('forbidden')),
@ -127,6 +120,7 @@ describe('runUseWorkspace', () => {
      runUseWorkspace(
        { workspaceId: 'ws-2' },
        {
+          configDir,
          bundle: b,
          http: {} as KyInstance,
          io,
@ -136,7 +130,7 @@ describe('runUseWorkspace', () => {
    ).rejects.toThrow(/forbidden/)

    expect(client.list).not.toHaveBeenCalled()
-    const after = loadHosts()
+    const after = await loadHosts(configDir)
    expect(after).toEqual(before)
    expect(after?.workspace?.id).toBe('ws-1')
  })
@ -144,8 +138,8 @@ describe('runUseWorkspace', () => {
  it('does NOT mutate hosts.yml when GET /workspaces fails after switch', async () => {
    const io = bufferStreams()
    const b = bundle()
-    saveHosts(b)
-    const before = loadHosts()
+    await saveHosts(configDir, b)
+    const before = await loadHosts(configDir)

    const client = fakeClient({
      list: () => Promise.reject(new Error('transient list failure')),
@ -155,6 +149,7 @@ describe('runUseWorkspace', () => {
      runUseWorkspace(
        { workspaceId: 'ws-2' },
        {
+          configDir,
          bundle: b,
          http: {} as KyInstance,
          io,
@ -163,14 +158,14 @@ describe('runUseWorkspace', () => {
      ),
    ).rejects.toThrow(/transient list failure/)

-    const after = loadHosts()
+    const after = await loadHosts(configDir)
    expect(after).toEqual(before)
  })

  it('throws when server returns switch=<id> but id is missing from /workspaces list', async () => {
    const io = bufferStreams()
    const b = bundle()
-    saveHosts(b)
+    await saveHosts(configDir, b)

    const client = fakeClient({
      switch: () => Promise.resolve({
@ -192,6 +187,7 @@ describe('runUseWorkspace', () => {
      runUseWorkspace(
        { workspaceId: 'ws-7' },
        {
+          configDir,
          bundle: b,
          http: {} as KyInstance,
          io,
--- a/cli/src/commands/use/workspace/use.ts
+++ b/cli/src/commands/use/workspace/use.ts
@ -13,6 +13,7 @@ export type UseWorkspaceOptions = {
 }

 export type UseWorkspaceDeps = {
+  readonly configDir: string
  readonly bundle: HostsBundle
  readonly http: KyInstance
  readonly io: IOStreams
@ -69,7 +70,7 @@ export async function runUseWorkspace(
      role: w.role,
    })),
  }
-  saveHosts(next)
+  await saveHosts(deps.configDir, next)
  deps.io.out.write(`${cs.successIcon()} Switched to ${matched.name} (${matched.id})\n`)
  return next
 }
--- a/cli/src/config/config-loader.test.ts
+++ b/cli/src/config/config-loader.test.ts
@ -1,52 +1,48 @@
-import type { YamlStore } from '../store/store'
-import { mkdtemp, rm } from 'node:fs/promises'
+import { mkdir, mkdtemp, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { afterEach, beforeEach, describe, expect, it } from 'vitest'
 import { isBaseError } from '../errors/base'
 import { ErrorCode } from '../errors/codes'
-import { ENV_CONFIG_DIR } from '../store/dir'
-import { getConfigurationStore } from '../store/manager'
+import { YamlStore } from '../store/store'
 import { loadConfig } from './config-loader'
+import { FILE_NAME } from './schema'
+
+function makeStore(dir: string): YamlStore {
+  return new YamlStore(join(dir, FILE_NAME))
+}

 describe('loadConfig', () => {
  let dir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-cfg-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = dir
  })

  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
-    await rm(dir, { recursive: true, force: true })
+    await mkdir(dir, { recursive: true }).catch(() => {})
  })

-  it('returns found:false when config is missing', () => {
-    const r = loadConfig(getConfigurationStore())
+  it('returns found:false when config.yml is missing', () => {
+    const r = loadConfig(makeStore(dir))
    expect(r.found).toBe(false)
  })

-  it('parses a minimal valid config', () => {
-    getConfigurationStore().setTyped({ schema_version: 1 })
-    const r = loadConfig(getConfigurationStore())
+  it('parses a minimal valid config.yml', async () => {
+    await writeFile(join(dir, FILE_NAME), 'schema_version: 1\n', 'utf8')
+    const r = loadConfig(makeStore(dir))
    expect(r.found).toBe(true)
    if (r.found)
      expect(r.config.schema_version).toBe(1)
  })

-  it('parses defaults + state', () => {
-    getConfigurationStore().setTyped({
-      schema_version: 1,
-      defaults: { format: 'json', limit: 100 },
-      state: { current_app: 'app-1' },
-    })
-    const r = loadConfig(getConfigurationStore())
+  it('parses defaults + state', async () => {
+    await writeFile(
+      join(dir, FILE_NAME),
+      'schema_version: 1\ndefaults:\n  format: json\n  limit: 100\nstate:\n  current_app: app-1\n',
+      'utf8',
+    )
+    const r = loadConfig(makeStore(dir))
    expect(r.found).toBe(true)
    if (r.found) {
      expect(r.config.defaults.format).toBe('json')
@ -55,29 +51,11 @@ describe('loadConfig', () => {
    }
  })

-  it('throws BaseError(config_schema_unsupported) when the store fails to parse the file', () => {
-    // Simulate a corrupt on-disk file via a fake store; loadConfig must wrap
-    // the underlying error as ConfigSchemaUnsupported.
-    const throwingStore = {
-      getTyped: () => { throw new Error('YAML parse failure') },
-    } as unknown as YamlStore
+  it('throws BaseError(config_schema_unsupported) when YAML is malformed', async () => {
+    await writeFile(join(dir, FILE_NAME), '::not yaml::: {{[', 'utf8')
    let caught: unknown
    try {
-      loadConfig(throwingStore)
-    }
-    catch (err) { caught = err }
-    expect(isBaseError(caught)).toBe(true)
-    if (isBaseError(caught)) {
-      expect(caught.code).toBe(ErrorCode.ConfigSchemaUnsupported)
-      expect(caught.hint).toMatch(/not valid YAML/)
-    }
-  })
-
-  it('throws BaseError(config_schema_unsupported) when zod validation fails', () => {
-    getConfigurationStore().setTyped({ defaults: { limit: 9999 } })
-    let caught: unknown
-    try {
-      loadConfig(getConfigurationStore())
+      loadConfig(makeStore(dir))
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
@ -85,11 +63,23 @@ describe('loadConfig', () => {
      expect(caught.code).toBe(ErrorCode.ConfigSchemaUnsupported)
  })

-  it('throws BaseError(config_schema_unsupported) when schema_version > 1 (forward-refuse)', () => {
-    getConfigurationStore().setTyped({ schema_version: 2 })
+  it('throws BaseError(config_schema_unsupported) when zod validation fails', async () => {
+    await writeFile(join(dir, FILE_NAME), 'defaults:\n  limit: 9999\n', 'utf8')
    let caught: unknown
    try {
-      loadConfig(getConfigurationStore())
+      loadConfig(makeStore(dir))
+    }
+    catch (err) { caught = err }
+    expect(isBaseError(caught)).toBe(true)
+    if (isBaseError(caught))
+      expect(caught.code).toBe(ErrorCode.ConfigSchemaUnsupported)
+  })
+
+  it('throws BaseError(config_schema_unsupported) when schema_version > 1 (forward-refuse)', async () => {
+    await writeFile(join(dir, FILE_NAME), 'schema_version: 2\n', 'utf8')
+    let caught: unknown
+    try {
+      loadConfig(makeStore(dir))
    }
    catch (err) { caught = err }
    expect(isBaseError(caught)).toBe(true)
--- a/cli/src/config/schema.test.ts
+++ b/cli/src/config/schema.test.ts
@ -1,10 +1,10 @@
 import { describe, expect, it } from 'vitest'
-import { CONFIG_FILE_NAME } from '../store/manager.js'
 import {
  ALLOWED_FORMATS,
  ConfigFileSchema,
  CURRENT_SCHEMA_VERSION,
  emptyConfig,
+  FILE_NAME,
 } from './schema.js'

 describe('config schema', () => {
@ -12,8 +12,8 @@ describe('config schema', () => {
    expect(CURRENT_SCHEMA_VERSION).toBe(1)
  })

-  it('CONFIG_FILE_NAME is config.yml', () => {
-    expect(CONFIG_FILE_NAME).toBe('config.yml')
+  it('FILE_NAME is config.yml', () => {
+    expect(FILE_NAME).toBe('config.yml')
  })

  it('ALLOWED_FORMATS matches Go set (json/yaml/table/wide/name/text)', () => {
--- a/cli/src/config/schema.ts
+++ b/cli/src/config/schema.ts
@ -1,6 +1,7 @@
 import { z } from 'zod'

 export const CURRENT_SCHEMA_VERSION = 1
+export const FILE_NAME = 'config.yml'

 export const ALLOWED_FORMATS = ['json', 'yaml', 'table', 'wide', 'name', 'text'] as const
 export type AllowedFormat = (typeof ALLOWED_FORMATS)[number]
--- a/cli/src/errors/codes.test.ts
+++ b/cli/src/errors/codes.test.ts
@ -8,8 +8,8 @@ import {
 } from './codes.js'

 describe('error codes', () => {
-  it('has 18 codes (parity with internal/api/errors)', () => {
-    expect(ALL_ERROR_CODES).toHaveLength(18)
+  it('has 17 codes (parity with internal/api/errors)', () => {
+    expect(ALL_ERROR_CODES).toHaveLength(17)
  })

  it('has the expected ExitCode buckets', () => {
@ -46,7 +46,6 @@ describe('error codes', () => {
    [ErrorCode.NetworkDns, ExitCode.Generic],
    [ErrorCode.Server5xx, ExitCode.Generic],
    [ErrorCode.Server4xxOther, ExitCode.Generic],
-    [ErrorCode.ClientError, ExitCode.Generic],
    [ErrorCode.Unknown, ExitCode.Generic],
  ])('exitFor(%s) -> %d', (code, want) => {
    expect(exitFor(code)).toBe(want)
--- a/cli/src/errors/codes.ts
+++ b/cli/src/errors/codes.ts
@ -15,7 +15,6 @@ export const ErrorCode = {
  NetworkDns: 'network_dns',
  Server5xx: 'server_5xx',
  Server4xxOther: 'server_4xx_other',
-  ClientError: 'client_error',
  Unknown: 'unknown',
 } as const

@ -48,7 +47,6 @@ const CODE_TO_EXIT: Readonly<Record<ErrorCodeValue, ExitCodeValue>> = {
  network_dns: ExitCode.Generic,
  server_5xx: ExitCode.Generic,
  server_4xx_other: ExitCode.Generic,
-  client_error: ExitCode.Generic,
  unknown: ExitCode.Generic,
 }

--- a/cli/src/store/config-writer.test.ts
+++ b/cli/src/store/config-writer.test.ts
@ -1,57 +1,45 @@
-import { mkdtemp, rm } from 'node:fs/promises'
+import { mkdtemp, readdir, readFile, stat } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
-import { afterEach, beforeEach, describe, expect, it } from 'vitest'
+import { beforeEach, describe, expect, it } from 'vitest'
 import { loadConfig } from '../config/config-loader'
-import { emptyConfig } from '../config/schema'
+import { emptyConfig, FILE_NAME } from '../config/schema'
+import { platform } from '../sys'
 import { saveConfig } from './config-writer'
-import { ENV_CONFIG_DIR } from './dir'
-import { getConfigurationStore } from './manager'
+import { YamlStore } from './store'
+
+function makeStore(dir: string): YamlStore {
+  return new YamlStore(join(dir, FILE_NAME))
+}

 describe('saveConfig', () => {
  let dir: string
-  let prevConfigDir: string | undefined

  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-w-'))
-    prevConfigDir = process.env[ENV_CONFIG_DIR]
-    process.env[ENV_CONFIG_DIR] = dir
  })

-  afterEach(async () => {
-    if (prevConfigDir === undefined)
-      delete process.env[ENV_CONFIG_DIR]
-    else
-      process.env[ENV_CONFIG_DIR] = prevConfigDir
-    await rm(dir, { recursive: true, force: true })
+  it('writes config.yml in the target dir', async () => {
+    saveConfig(makeStore(dir), { ...emptyConfig(), schema_version: 1 })
+    const stats = await stat(join(dir, FILE_NAME))
+    expect(stats.isFile()).toBe(true)
  })

  it('stamps schema_version=1 even if caller passed 0', () => {
-    saveConfig(getConfigurationStore(), { ...emptyConfig() })
-    const r = loadConfig(getConfigurationStore())
+    saveConfig(makeStore(dir), { ...emptyConfig() })
+    const r = loadConfig(makeStore(dir))
    expect(r.found).toBe(true)
    if (r.found)
      expect(r.config.schema_version).toBe(1)
  })

-  it('overrides a stale schema_version on save', () => {
-    saveConfig(getConfigurationStore(), {
-      ...emptyConfig(),
-      schema_version: 999 as never,
-    })
-    const r = loadConfig(getConfigurationStore())
-    expect(r.found).toBe(true)
-    if (r.found)
-      expect(r.config.schema_version).toBe(1)
-  })
-
-  it('round-trips defaults + state', () => {
-    saveConfig(getConfigurationStore(), {
+  it('round-trips defaults + state through YAML', () => {
+    saveConfig(makeStore(dir), {
      schema_version: 1,
      defaults: { format: 'wide', limit: 75 },
      state: { current_app: 'app-xyz' },
    })
-    const r = loadConfig(getConfigurationStore())
+    const r = loadConfig(makeStore(dir))
    expect(r.found).toBe(true)
    if (r.found) {
      expect(r.config.defaults.format).toBe('wide')
@ -60,22 +48,39 @@ describe('saveConfig', () => {
    }
  })

-  it('overwrites the previous config on resave', () => {
-    saveConfig(getConfigurationStore(), {
+  it('writes file with mode 0o600 (POSIX)', async () => {
+    if (platform() === 'win32')
+      return
+    saveConfig(makeStore(dir), emptyConfig())
+    const s = await stat(join(dir, FILE_NAME))
+    expect(s.mode & 0o777).toBe(0o600)
+  })
+
+  it('does not leave a tmp file on success', async () => {
+    saveConfig(makeStore(dir), emptyConfig())
+    const entries = await readdir(dir)
+    expect(entries.filter(f => f.endsWith('.tmp'))).toHaveLength(0)
+    expect(entries.filter(f => f.includes('.tmp.'))).toHaveLength(0)
+  })
+
+  it('creates parent dir at 0o700 if absent', async () => {
+    if (platform() === 'win32')
+      return
+    const nested = join(dir, 'nested', 'sub')
+    saveConfig(makeStore(nested), emptyConfig())
+    const s = await stat(nested)
+    expect(s.isDirectory()).toBe(true)
+    expect(s.mode & 0o777).toBe(0o700)
+  })
+
+  it('emits parseable YAML (round-trip via fs.readFile + js-yaml)', async () => {
+    saveConfig(makeStore(dir), {
      schema_version: 1,
      defaults: { format: 'json' },
      state: {},
    })
-    saveConfig(getConfigurationStore(), {
-      schema_version: 1,
-      defaults: { format: 'table' },
-      state: { current_app: 'app-2' },
-    })
-    const r = loadConfig(getConfigurationStore())
-    expect(r.found).toBe(true)
-    if (r.found) {
-      expect(r.config.defaults.format).toBe('table')
-      expect(r.config.state.current_app).toBe('app-2')
-    }
+    const raw = await readFile(join(dir, FILE_NAME), 'utf8')
+    expect(raw).toMatch(/^schema_version:/m)
+    expect(raw).toMatch(/format: json/)
  })
 })
--- a/cli/src/store/errors.ts
+++ b/cli/src/store/errors.ts
@ -1,64 +0,0 @@
-import { BaseError } from '../errors/base'
-import { ErrorCode } from '../errors/codes'
-
-export class ConcurrentAccessError extends BaseError {
-  constructor(filePath: string) {
-    const msg = `Another process is modifying the file ${filePath}. remove ${filePath}.lock to reset lock.`
-
-    super({
-      code: ErrorCode.ClientError,
-      message: msg,
-      hint: `remove ${filePath}.lock to reset lock.`,
-    })
-  }
-}
-
-type YamlMark = {
-  line: number
-  column: number
-  snippet?: string
-}
-
-type YamlParseError = {
-  reason?: string
-  mark?: YamlMark
-  message?: string
-}
-
-export class BadYamlFormatError extends BaseError {
-  constructor(path: string, raw: string, cause: YamlParseError) {
-    const reason = cause.reason ?? cause.message ?? 'invalid YAML'
-    const mark = cause.mark
-    const where = mark ? ` at line ${mark.line + 1}, column ${mark.column + 1}` : ''
-    const snippet = mark?.snippet ?? excerpt(raw, mark)
-    const header = `Failed to parse YAML file ${path}: ${reason}${where}.`
-    const body = snippet ? `\n\n${snippet}` : ''
-
-    super({
-      code: ErrorCode.ClientError,
-      message: `${header}${body}`,
-      hint: `Fix the YAML syntax in ${path} or remove the file to reset it.`,
-    })
-  }
-}
-
-function excerpt(raw: string, mark: YamlMark | undefined): string {
-  if (mark === undefined)
-    return ''
-  const lines = raw.split('\n')
-  const target = mark.line
-  if (target < 0 || target >= lines.length)
-    return ''
-  const start = Math.max(0, target - 2)
-  const end = Math.min(lines.length, target + 3)
-  const width = String(end).length
-  const out: string[] = []
-  for (let i = start; i < end; i++) {
-    const marker = i === target ? '>' : ' '
-    const num = String(i + 1).padStart(width, ' ')
-    out.push(`${marker} ${num} | ${lines[i]}`)
-    if (i === target)
-      out.push(`${' '.repeat(width + 4)}${' '.repeat(mark.column)}^`)
-  }
-  return out.join('\n')
-}
--- a/cli/src/store/keyring-based-store.test.ts
+++ b/cli/src/store/keyring-based-store.test.ts
@ -1,109 +0,0 @@
-import { beforeEach, describe, expect, it, vi } from 'vitest'
-
-const passwords = new Map<string, string>()
-const setPassword = vi.fn()
-const getPassword = vi.fn()
-const deletePassword = vi.fn()
-
-class FakeEntry {
-  private readonly key: string
-  constructor(service: string, username: string) {
-    this.key = `${service}::${username}`
-  }
-
-  setPassword(value: string): void {
-    setPassword(this.key, value)
-    passwords.set(this.key, value)
-  }
-
-  getPassword(): string | null {
-    getPassword(this.key)
-    return passwords.get(this.key) ?? null
-  }
-
-  deletePassword(): boolean {
-    deletePassword(this.key)
-    if (!passwords.has(this.key))
-      return false
-    passwords.delete(this.key)
-    return true
-  }
-}
-
-vi.mock('@napi-rs/keyring', () => ({
-  Entry: FakeEntry,
-}))
-
-const { KeyringBasedStore } = await import('./store.js')
-
-const SERVICE = 'difyctl-test'
-
-beforeEach(() => {
-  passwords.clear()
-  setPassword.mockClear()
-  getPassword.mockClear()
-  deletePassword.mockClear()
-})
-
-describe('KeyringBasedStore', () => {
-  it('returns default when entry missing', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    expect(s.get({ key: 'k', default: 'fallback' })).toBe('fallback')
-  })
-
-  it('round-trips strings via JSON encoding', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    s.set({ key: 'k', default: '' }, 'tok-abc')
-    expect(s.get({ key: 'k', default: '' })).toBe('tok-abc')
-  })
-
-  it('isolates entries by key', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    s.set({ key: 'a', default: '' }, 'A')
-    s.set({ key: 'b', default: '' }, 'B')
-    expect(s.get({ key: 'a', default: '' })).toBe('A')
-    expect(s.get({ key: 'b', default: '' })).toBe('B')
-  })
-
-  it('unset removes the entry', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    s.set({ key: 'k', default: '' }, 'v')
-    s.unset({ key: 'k', default: '' })
-    expect(s.get({ key: 'k', default: '' })).toBe('')
-  })
-
-  it('unset is a no-op when entry missing', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    expect(() => s.unset({ key: 'gone', default: '' })).not.toThrow()
-  })
-
-  it('swallows getPassword exceptions and returns default', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    getPassword.mockImplementationOnce(
-      () => {
-        throw new Error('NoEntry')
-      },
-    )
-    expect(s.get({ key: 'k', default: 'd' })).toBe('d')
-  })
-
-  it('swallows unset exceptions', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    deletePassword.mockImplementationOnce(
-      () => {
-        throw new Error('NoEntry')
-      },
-    )
-    expect(() => s.unset({ key: 'k', default: '' })).not.toThrow()
-  })
-
-  it('lets set propagate exceptions (caller decides fallback)', () => {
-    const s = new KeyringBasedStore(SERVICE)
-    setPassword.mockImplementationOnce(
-      () => {
-        throw new Error('keyring locked')
-      },
-    )
-    expect(() => s.set({ key: 'k', default: '' }, 'v')).toThrow(/keyring locked/)
-  })
-})
--- a/cli/src/store/manager.test.ts
+++ b/cli/src/store/manager.test.ts
@ -1,78 +0,0 @@
-import type { Key, Store } from './store.js'
-import { describe, expect, it, vi } from 'vitest'
-import { getTokenStore } from './manager.js'
-
-function memStore(label: string): Store & { _label: string } {
-  const map = new Map<string, unknown>()
-  return {
-    _label: label,
-    get<T>(key: Key<T>): T {
-      return (map.get(key.key) as T | undefined) ?? key.default
-    },
-    set<T>(key: Key<T>, value: T): void {
-      map.set(key.key, value)
-    },
-    unset<T>(key: Key<T>): void {
-      map.delete(key.key)
-    },
-  }
-}
-
-describe('getTokenStore', () => {
-  it('returns keychain store when probe succeeds', () => {
-    const k = memStore('keyring')
-    const f = memStore('file')
-    const result = getTokenStore({
-      factory: { keyring: () => k, file: () => f },
-    })
-    expect(result.mode).toBe('keychain')
-    expect(result.store).toBe(k)
-  })
-
-  it('falls back to file when keyring set throws', () => {
-    const k = memStore('keyring')
-    const f = memStore('file')
-    k.set = vi.fn(
-      () => {
-        throw new Error('locked')
-      },
-    )
-    const result = getTokenStore({
-      factory: { keyring: () => k, file: () => f },
-    })
-    expect(result.mode).toBe('file')
-    expect(result.store).toBe(f)
-  })
-
-  it('falls back to file when probe round-trip mismatches', () => {
-    const k = memStore('keyring')
-    const f = memStore('file')
-    k.get = vi.fn(() => 'something-else')
-    const result = getTokenStore({
-      factory: { keyring: () => k, file: () => f },
-    })
-    expect(result.mode).toBe('file')
-    expect(result.store).toBe(f)
-  })
-
-  it('falls back to file when keyring constructor throws', () => {
-    const f = memStore('file')
-    const result = getTokenStore({
-      factory: {
-        keyring: () => { throw new Error('no backend') },
-        file: () => f,
-      },
-    })
-    expect(result.mode).toBe('file')
-    expect(result.store).toBe(f)
-  })
-
-  it('cleans up probe entry after successful probe', () => {
-    const k = memStore('keyring')
-    const f = memStore('file')
-    getTokenStore({
-      factory: { keyring: () => k, file: () => f },
-    })
-    expect(k.get({ key: '__difyctl_probe__', default: '' })).toBe('')
-  })
-})
--- a/cli/src/store/manager.ts
+++ b/cli/src/store/manager.ts
@ -1,77 +1,28 @@
-import type { Key, StorageMode, Store } from './store'
+import type { Store } from './store'
 import { join } from 'node:path'
+import { FILE_NAME } from '../config/schema'
 import { resolveCacheDir, resolveConfigDir } from './dir'
-import { KeyringBasedStore, YamlStore } from './store'
+import { YamlStore } from './store'

 export const CACHE_APP_INFO = 'app-info'
 export const CACHE_NUDGE = 'nudge'
-const HOSTS_FILE = 'hosts.yml'
-const TOKENS_FILE = 'tokens.yml'
-export const CONFIG_FILE_NAME = 'config.yml'
-
-const KEYRING_SERVICE = 'difyctl'

 function getStore(filePath: string): YamlStore {
  return new YamlStore(filePath)
 }

+function resolveConfigurationPath(): string {
+  return join(resolveConfigDir(), FILE_NAME)
+}
+
 export function cachePath(cacheDir: string, name: string): string {
  return join(cacheDir, `${name}.yml`)
 }

 export function getConfigurationStore(): YamlStore {
-  return getStore(join(resolveConfigDir(), CONFIG_FILE_NAME))
+  return getStore(resolveConfigurationPath())
 }

 export function getCache(cacheName: string): Store {
  return getStore(cachePath(resolveCacheDir(), cacheName))
 }
-
-export function getHostStore(): YamlStore {
-  return getStore(join(resolveConfigDir(), HOSTS_FILE))
-}
-
-const PROBE_KEY: Key<string> = { key: '__difyctl_probe__', default: '' }
-const PROBE_VALUE = 'probe-v1'
-
-export type GetTokenStoreOptions = {
-  readonly factory?: {
-    readonly keyring?: () => Store
-    readonly file?: () => Store
-  }
-}
-
-/**
- * Single entry point for the credential store. Probes the OS keyring; if it
- * round-trips a value, returns the keychain-backed store. Otherwise falls
- * back to the YAML file at `<configDir>/tokens.yml`. Both implementations
- * satisfy the `Store` interface, so callers interact uniformly.
- *
- * Business logic should always obtain the token store through this factory
- * rather than constructing one directly.
- */
-export function getTokenStore(opts: GetTokenStoreOptions = {}): { store: Store, mode: StorageMode } {
-  const fileFactory = opts.factory?.file ?? (() => getStore(join(resolveConfigDir(), TOKENS_FILE)))
-  const keyringFactory = opts.factory?.keyring ?? (() => new KeyringBasedStore(KEYRING_SERVICE))
-  try {
-    const k = keyringFactory()
-    k.set(PROBE_KEY, PROBE_VALUE)
-    const got = k.get(PROBE_KEY)
-    k.unset(PROBE_KEY)
-    if (got !== PROBE_VALUE)
-      throw new Error('keyring round-trip mismatch')
-    return { store: k, mode: 'keychain' }
-  }
-  catch {
-    return { store: fileFactory(), mode: 'file' }
-  }
-}
-
-/**
- * Maps an auth identity (host + accountId) to a `Store` key. All token store
- * reads/writes in business logic go through this helper so the on-disk /
- * keyring layout stays consistent.
- */
-export function tokenKey(host: string, accountId: string): Key<string> {
-  return { key: `tokens.${host}.${accountId}`, default: '' }
-}
--- a/cli/src/store/store.test.ts
+++ b/cli/src/store/store.test.ts
@ -1,10 +1,9 @@
-import { existsSync, readFileSync, statSync, writeFileSync } from 'node:fs'
+import { readFileSync, writeFileSync } from 'node:fs'
 import { mkdtemp, rm, writeFile } from 'node:fs/promises'
 import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { afterEach, beforeEach, describe, expect, it } from 'vitest'
-import { BadYamlFormatError, ConcurrentAccessError } from './errors'
-import { YamlStore } from './store'
+import { ConcurrentAccessError, YamlStore } from './store'

 describe('YamlStore.doGet', () => {
  it('returns default when content is undefined', () => {
@ -14,51 +13,33 @@ describe('YamlStore.doGet', () => {

  it('reads a flat key', () => {
    const store = new YamlStore('/irrelevant')
-    store.setRawContent('name: alice\n')
+    store.raw_content = 'name: alice\n'
    expect(store.doGet({ key: 'name', default: '' })).toBe('alice')
  })

  it('reads a nested key via dot notation', () => {
    const store = new YamlStore('/irrelevant')
-    store.setRawContent('user:\n  id: 42\n')
+    store.raw_content = 'user:\n  id: 42\n'
    expect(store.doGet({ key: 'user.id', default: 0 })).toBe(42)
  })

  it('returns default for a missing flat key', () => {
    const store = new YamlStore('/irrelevant')
-    store.setRawContent('name: alice\n')
+    store.raw_content = 'name: alice\n'
    expect(store.doGet({ key: 'age', default: -1 })).toBe(-1)
  })

  it('returns default when an intermediate path segment is absent', () => {
    const store = new YamlStore('/irrelevant')
-    store.setRawContent('user:\n  name: bob\n')
+    store.raw_content = 'user:\n  name: bob\n'
    expect(store.doGet({ key: 'user.address.city', default: 'unknown' })).toBe('unknown')
  })

  it('returns default when an intermediate path segment is a scalar', () => {
    const store = new YamlStore('/irrelevant')
-    store.setRawContent('user: scalar\n')
+    store.raw_content = 'user: scalar\n'
    expect(store.doGet({ key: 'user.id', default: 0 })).toBe(0)
  })
-
-  it('throws BadYamlFormatError with file path, location, and snippet for malformed YAML', () => {
-    const path = '/irrelevant'
-    const store = new YamlStore(path)
-    store.setRawContent('name: alice\nuser:\n  id: 42\n   bad: indent\n')
-    let caught: unknown
-    try {
-      store.doGet({ key: 'name', default: '' })
-    }
-    catch (err) {
-      caught = err
-    }
-    expect(caught).toBeInstanceOf(BadYamlFormatError)
-    const msg = (caught as BadYamlFormatError).message
-    expect(msg).toContain(path)
-    expect(msg).toMatch(/line \d+, column \d+/)
-    expect(msg).toContain('bad: indent')
-  })
 })

 describe('YamlStore.doSet', () => {
@ -76,7 +57,7 @@ describe('YamlStore.doSet', () => {

  it('overwrites an existing key without disturbing siblings', () => {
    const store = new YamlStore('/irrelevant')
-    store.setRawContent('name: alice\nage: 30\n')
+    store.raw_content = 'name: alice\nage: 30\n'
    store.doSet({ key: 'name', default: '' }, 'bob')
    expect(store.doGet({ key: 'name', default: '' })).toBe('bob')
    expect(store.doGet({ key: 'age', default: 0 })).toBe(30)
@ -84,7 +65,7 @@ describe('YamlStore.doSet', () => {

  it('replaces a scalar intermediate with an object when path deepens', () => {
    const store = new YamlStore('/irrelevant')
-    store.setRawContent('user: scalar\n')
+    store.raw_content = 'user: scalar\n'
    store.doSet({ key: 'user.id', default: 0 }, 99)
    expect(store.doGet({ key: 'user.id', default: 0 })).toBe(99)
  })
@ -151,12 +132,12 @@ describe('YamlStore persistence', () => {
    await writeFile(path, '')

    const s1 = new YamlStore(path)
-    s1.setRawContent('')
+    s1.raw_content = ''
    s1.doSet({ key: 'workspace', default: '' }, 'ws-123')
-    writeFileSync(path, s1.getRawContent() ?? '')
+    writeFileSync(path, s1.raw_content ?? '')

    const s2 = new YamlStore(path)
-    s2.setRawContent(readFileSync(path, 'utf8'))
+    s2.raw_content = readFileSync(path, 'utf8')
    expect(s2.doGet({ key: 'workspace', default: '' })).toBe('ws-123')
  })

@ -165,12 +146,12 @@ describe('YamlStore persistence', () => {
    await writeFile(path, '')

    const s1 = new YamlStore(path)
-    s1.setRawContent('')
+    s1.raw_content = ''
    s1.doSet({ key: 'a.b.c', default: '' }, 'deep')
-    writeFileSync(path, s1.getRawContent() ?? '')
+    writeFileSync(path, s1.raw_content ?? '')

    const s2 = new YamlStore(path)
-    s2.setRawContent(readFileSync(path, 'utf8'))
+    s2.raw_content = readFileSync(path, 'utf8')
    expect(s2.doGet({ key: 'a.b.c', default: '' })).toBe('deep')
  })

@ -179,17 +160,17 @@ describe('YamlStore persistence', () => {
    await writeFile(path, '')

    const s1 = new YamlStore(path)
-    s1.setRawContent('')
+    s1.raw_content = ''
    s1.doSet({ key: 'x', default: '' }, 'first')
-    writeFileSync(path, s1.getRawContent() ?? '')
+    writeFileSync(path, s1.raw_content ?? '')

    const s2 = new YamlStore(path)
-    s2.setRawContent(readFileSync(path, 'utf8'))
+    s2.raw_content = readFileSync(path, 'utf8')
    s2.doSet({ key: 'y', default: '' }, 'second')
-    writeFileSync(path, s2.getRawContent() ?? '')
+    writeFileSync(path, s2.raw_content ?? '')

    const s3 = new YamlStore(path)
-    s3.setRawContent(readFileSync(path, 'utf8'))
+    s3.raw_content = readFileSync(path, 'utf8')
    expect(s3.doGet({ key: 'x', default: '' })).toBe('first')
    expect(s3.doGet({ key: 'y', default: '' })).toBe('second')
  })
@ -205,28 +186,8 @@ describe('YamlStore persistence', () => {

    const raw = readFileSync(path, 'utf8')
    const store2 = new YamlStore(path)
-    store2.setRawContent(raw)
+    store2.raw_content = raw
    expect(store2.doGet({ key: 'token', default: '' })).toBe('abc-123')
    expect(store2.doGet({ key: 'existing', default: '' })).toBe('value')
  })
-
-  it('flush writes file when dirty (content changed from undefined)', () => {
-    const path = join(dir, 'config.yml')
-    const store = new YamlStore(path)
-    store.setRawContent('key: value\n')
-    store.flush()
-    expect(existsSync(path)).toBe(true)
-    expect(readFileSync(path, 'utf8')).toBe('key: value\n')
-  })
-
-  it('flush is a no-op when loaded content is set back unchanged', async () => {
-    const path = join(dir, 'config.yml')
-    await writeFile(path, 'key: value\n')
-    const store = new YamlStore(path)
-    store.load()
-    const mtime = statSync(path).mtimeMs
-    store.setRawContent('key: value\n')
-    store.flush()
-    expect(statSync(path).mtimeMs).toBe(mtime)
-  })
 })
--- a/cli/src/store/store.ts
+++ b/cli/src/store/store.ts
@ -1,16 +1,14 @@
 import type { Platform } from '../sys'
 import fs from 'node:fs'
 import { dirname } from 'node:path'
-import { Entry } from '@napi-rs/keyring'
 import yaml from 'js-yaml'
 import lockfile from 'lockfile'
 import { pid, resolvePlatform } from '../sys'
-import { BadYamlFormatError, ConcurrentAccessError } from './errors'

 const FILE_PERM = 0o600
 const DIR_PERM = 0o700

-export type Key<T> = {
+type Key<T> = {
  default: T
  key: string
 }
@ -18,43 +16,38 @@ export type Key<T> = {
 export type Store = {
  get: <T>(key: Key<T>) => T
  set: <T>(key: Key<T>, value: T) => void
-  unset: <T>(key: Key<T>) => void
 }

-export type StorageMode = 'keychain' | 'file'
+export class ConcurrentAccessError extends Error {
+  constructor(filePath: string) {
+    super(`Another process is modifying the file ${filePath}. remove ${filePath}.lock to reset lock.`)
+  }
+}

 abstract class FileBasedStore implements Store {
-  filePath: string
-  private rawContent: string | undefined
+  file_path: string
+  raw_content: string | undefined
  private readonly platform: Platform
-  private dirty: boolean = false

-  constructor(filePath: string) {
-    this.filePath = filePath
+  constructor(file_path: string) {
+    this.file_path = file_path
    this.platform = resolvePlatform()
+    fs.mkdirSync(dirname(this.file_path), { recursive: true, mode: DIR_PERM })
  }

  unlock(): void {
-    lockfile.unlockSync(`${this.filePath}.lock`)
+    lockfile.unlockSync(`${this.file_path}.lock`)
  }

  /**
   * atomically write raw_content (if any)
   */
  flush(): void {
-    fs.mkdirSync(dirname(this.filePath), { recursive: true, mode: DIR_PERM })
-
-    // we don't handle A-B-A scenario, 
-    // which is not likely to happen in cli
-    if (!this.dirty) {
-      return
-    }
-
-    if (this.rawContent !== undefined) {
-      const tmp = `${this.filePath}.tmp.${pid()}.${Date.now()}`
+    if (this.raw_content !== undefined) {
+      const tmp = `${this.file_path}.tmp.${pid()}.${Date.now()}`
      try {
-        fs.writeFileSync(tmp, this.rawContent, { mode: FILE_PERM })
-        this.platform.atomicReplace(tmp, this.filePath)
+        fs.writeFileSync(tmp, this.raw_content, { mode: FILE_PERM })
+        this.platform.atomicReplace(tmp, this.file_path)
      }
      catch (err) {
        try {
@ -64,20 +57,16 @@ abstract class FileBasedStore implements Store {
        throw err
      }
    }
-
-    this.dirty = false
  }

  lock(): void {
    try {
-      lockfile.lockSync(`${this.filePath}.lock`, {
-        stale: 30_000,
-      })
+      lockfile.lockSync(`${this.file_path}.lock`)
    }
    catch (err) {
      const code = (err as NodeJS.ErrnoException).code
      if (code === 'EEXIST') {
-        throw new ConcurrentAccessError(this.filePath)
+        throw new ConcurrentAccessError(this.file_path)
      }
      throw err
    }
@ -85,8 +74,7 @@ abstract class FileBasedStore implements Store {

  load(): void {
    try {
-      this.rawContent = fs.readFileSync(this.filePath, 'utf8')
-      this.dirty = false
+      this.raw_content = fs.readFileSync(this.file_path, 'utf8')
    }
    catch (err) {
      const code = (err as NodeJS.ErrnoException).code
@ -96,18 +84,10 @@ abstract class FileBasedStore implements Store {
    }
  }

-  public setRawContent(content: string): void {
-    this.dirty = (content !== this.getRawContent())
-    this.rawContent = content
-  }
-
-  public getRawContent(): string | undefined {
-    return this.rawContent
-  }
-
  protected withLock<R>(body: () => R): R {
    this.lock()
    try {
+      this.load()
      return body()
    }
    finally {
@ -116,44 +96,18 @@ abstract class FileBasedStore implements Store {
  }

  get<T>(key: Key<T>): T {
-    return this.withLock(() => {
-      this.load()
-      return this.doGet(key)
-    })
+    return this.withLock(() => this.doGet(key))
  }

  set<T>(key: Key<T>, value: T) {
    this.withLock(() => {
-      this.load()
      this.doSet(key, value)
      this.flush()
    })
  }

-  unset<T>(key: Key<T>): void {
-    this.withLock(() => {
-      this.load()
-      this.doUnset(key)
-      this.flush()
-    })
-  }
-
-  /**
-   * Remove the underlying file of the store. No-op if file doesn't exist.
-   */
-  rm(): void {
-    try {
-      fs.unlinkSync(this.filePath)
-    }
-    catch (err) {
-      if ((err as NodeJS.ErrnoException).code !== 'ENOENT')
-        throw err
-    }
-  }
-
  abstract doGet<T>(key: Key<T>): T
  abstract doSet<T>(key: Key<T>, value: T): void
-  abstract doUnset<T>(key: Key<T>): void
 }

 export class YamlStore extends FileBasedStore {
@ -162,7 +116,7 @@ export class YamlStore extends FileBasedStore {
  }

  doGet<T>(key: Key<T>): T {
-    const data = loadYaml(this.getRawContent(), this.filePath)
+    const data = loadYaml(this.raw_content)
    const parts = key.key.split('.')
    let current: unknown = data
    for (const part of parts) {
@ -176,20 +130,19 @@ export class YamlStore extends FileBasedStore {
  getTyped<T>(): T | null {
    return this.withLock(() => {
      this.load()
-      return loadYaml(this.getRawContent(), this.filePath) as T
+      return loadYaml(this.raw_content) as T
    })
  }

  setTyped<T>(data: T): void {
    this.withLock(() => {
-      this.load()
-      this.setRawContent(yaml.dump(data, { lineWidth: -1, noRefs: true }))
+      this.raw_content = yaml.dump(data, { lineWidth: -1, noRefs: true })
      this.flush()
    })
  }

  doSet<T>(key: Key<T>, value: T): void {
-    const data = loadYaml(this.getRawContent(), this.filePath) || {}
+    const data = loadYaml(this.raw_content) || {}
    const parts = key.key.split('.')
    const lastKey = parts.pop()
    if (lastKey === undefined)
@ -201,74 +154,12 @@ export class YamlStore extends FileBasedStore {
      current = current[part] as Record<string, unknown>
    }
    current[lastKey] = value
-    this.setRawContent(yaml.dump(data, { lineWidth: -1, noRefs: true }))
-  }
-
-  doUnset<T>(key: Key<T>): void {
-    const data = loadYaml(this.getRawContent(), this.filePath) || {}
-    const parts = key.key.split('.')
-    const lastKey = parts.pop()
-    if (lastKey === undefined)
-      return
-    let current: Record<string, unknown> = data
-    for (const part of parts) {
-      const next = current[part]
-      if (next === null || next === undefined || typeof next !== 'object')
-        return
-      current = next as Record<string, unknown>
-    }
-    if (!(lastKey in current))
-      return
-    delete current[lastKey]
-    this.setRawContent(yaml.dump(data, { lineWidth: -1, noRefs: true }))
+    this.raw_content = yaml.dump(data, { lineWidth: -1, noRefs: true })
  }
 }

-function loadYaml(raw: string | undefined, file_path: string): Record<string, unknown> | null {
+function loadYaml(raw: string | undefined): Record<string, unknown> | null {
  if (raw === undefined)
    return null
-  try {
-    return (yaml.load(raw) ?? {}) as Record<string, unknown>
-  }
-  catch (err) {
-    if (err instanceof yaml.YAMLException)
-      throw new BadYamlFormatError(file_path, raw, err)
-    throw err
-  }
-}
-
-/**
- * OS-keyring-based storage primitive. Sits at the same layer as
- * `FileBasedStore`: implements `Store` with each `Key<T>` corresponding to a
- * single keyring entry under the configured service. Values are JSON-encoded.
- */
-export class KeyringBasedStore implements Store {
-  private readonly service: string
-
-  constructor(service: string) {
-    this.service = service
-  }
-
-  get<T>(key: Key<T>): T {
-    try {
-      const v = new Entry(this.service, key.key).getPassword()
-      if (v === null || v === undefined || v === '')
-        return key.default
-      return JSON.parse(v) as T
-    }
-    catch {
-      return key.default
-    }
-  }
-
-  set<T>(key: Key<T>, value: T): void {
-    new Entry(this.service, key.key).setPassword(JSON.stringify(value))
-  }
-
-  unset<T>(key: Key<T>): void {
-    try {
-      new Entry(this.service, key.key).deletePassword()
-    }
-    catch { /* missing entry is fine */ }
-  }
+  return (yaml.load(raw) ?? {}) as Record<string, unknown>
 }
--- a/cli/src/version/nudge.test.ts
+++ b/cli/src/version/nudge.test.ts
@ -5,8 +5,8 @@ import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 import { loadNudgeStore } from '../cache/nudge-store.js'
-import { ENV_CACHE_DIR } from '../store/dir.js'
-import { CACHE_NUDGE, getCache } from '../store/manager.js'
+import { CACHE_NUDGE, cachePath } from '../store/manager.js'
+import { YamlStore } from '../store/store.js'
 import { maybeNudgeCompat } from './nudge.js'

 const HOST = 'https://cloud.dify.ai'
@ -44,18 +44,11 @@ describe('maybeNudgeCompat', () => {
  let dir: string
  let store: NudgeStore

-  let prevCacheDir: string | undefined
  beforeEach(async () => {
    dir = await mkdtemp(join(tmpdir(), 'difyctl-nudge-'))
-    prevCacheDir = process.env[ENV_CACHE_DIR]
-    process.env[ENV_CACHE_DIR] = dir
-    store = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: fixedNow })
+    store = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: fixedNow })
  })
  afterEach(async () => {
-    if (prevCacheDir === undefined)
-      delete process.env[ENV_CACHE_DIR]
-    else
-      process.env[ENV_CACHE_DIR] = prevCacheDir
    await rm(dir, { recursive: true, force: true })
  })

@ -85,12 +78,12 @@ describe('maybeNudgeCompat', () => {

  it('warns again after the silence window has elapsed', async () => {
    const yesterday = new Date(NOW.getTime() - 25 * 60 * 60 * 1000)
-    const tStore = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: () => yesterday })
+    const tStore = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: () => yesterday })
    await tStore.markWarned(HOST)
    const probe = vi.fn(async () => UNSUPPORTED)
    const { emit, lines } = emitterSpy()

-    const freshStore = await loadNudgeStore({ store: getCache(CACHE_NUDGE), now: fixedNow })
+    const freshStore = await loadNudgeStore({ store: new YamlStore(cachePath(dir, CACHE_NUDGE)), now: fixedNow })
    await maybeNudgeCompat(HOST, baseDeps({ store: freshStore, probe, emit }))

    expect(probe).toHaveBeenCalledOnce()
--- a/cli/src/version/probe.test.ts
+++ b/cli/src/version/probe.test.ts
@ -160,8 +160,7 @@ describe('runVersionProbe', () => {
    const url = new URL(mock.url)
    const prevConfig = process.env[ENV_CONFIG_DIR]
    try {
-      process.env[ENV_CONFIG_DIR] = configDir
-      saveHosts({
+      await saveHosts(configDir, {
        current_host: url.host,
        scheme: url.protocol.replace(':', ''),
        token_storage: 'file',
--- a/cli/src/version/probe.ts
+++ b/cli/src/version/probe.ts
@ -5,6 +5,7 @@ import type { Channel } from './info.js'
 import { META_PROBE_TIMEOUT_MS, MetaClient } from '../api/meta.js'
 import { loadHosts } from '../auth/hosts.js'
 import { createClient } from '../http/client.js'
+import { resolveConfigDir } from '../store/dir.js'
 import { arch, platform } from '../sys/index.js'
 import { hostWithScheme } from '../util/host.js'
 import { difyCompat, evaluateCompat } from './compat.js'
@ -47,7 +48,7 @@ export type RunVersionProbeOptions = {
  readonly probe?: MetaProbe
 }

-const defaultLoadBundle = async (): Promise<HostsBundle | undefined> => loadHosts()
+const defaultLoadBundle = async (): Promise<HostsBundle | undefined> => loadHosts(resolveConfigDir())

 const defaultProbe: MetaProbe = async (endpoint) => {
  const http = createClient({ host: endpoint, timeoutMs: META_PROBE_TIMEOUT_MS, retryAttempts: 0 })
--- a/docker/envs/core-services/shared.env.example
+++ b/docker/envs/core-services/shared.env.example
@ -222,10 +222,6 @@ QUEUE_MONITOR_INTERVAL=30
 SWAGGER_UI_ENABLED=false
 SWAGGER_UI_PATH=/swagger-ui.html
 OPENAPI_ENABLED=false
-OPENAPI_CORS_ALLOW_ORIGINS=
-OPENAPI_KNOWN_CLIENT_IDS=difyctl
-OPENAPI_RATE_LIMIT_PER_TOKEN=60
-ENABLE_OAUTH_BEARER=false
 DSL_EXPORT_ENCRYPT_DATASET_ID=true
 DATASET_MAX_SEGMENTS_PER_REQUEST=0
 ENABLE_CLEAN_EMBEDDING_CACHE_TASK=false
--- a/docs/integrations-folder-structure-follow-ups.md
+++ b/docs/integrations-folder-structure-follow-ups.md
@ -1,143 +0,0 @@
-# Integrations Folder Structure Follow-ups
-
-Context: the onboarding UI rewrite moved Integrations into a first-class `/integrations/...` route family, but the implementation still intentionally reuses several legacy Account Settings, Tools, and Plugins components. This document records the recommended cleanup order after this branch is merged into `main`.
-
-## Current Structure
-
-| Area | Current location | Status |
-| --- | --- | --- |
-| MainNav shell | `web/app/components/main-nav` | Healthy. Keep the shallow `components/` layout. |
-| Integrations route adapter | `web/app/(commonLayout)/integrations/[[...slug]]/page.tsx` | Canonical route entry. |
-| Integrations route contract | `web/app/components/tools/integration-routes.ts` | Works, but ownership belongs to Integrations long-term. |
-| Integrations shell and sidebar | `web/app/components/tools/integrations-page.tsx` | Works, but ownership belongs to Integrations long-term. |
-| Integrations section renderer | `web/app/components/tools/integration-section-renderer.tsx` | Reuse-first adapter for existing pages. |
-| Model Provider page | `web/app/components/header/account-setting/model-provider-page` | Still active and widely imported. Do not move first. |
-| Data Source page | `web/app/components/header/account-setting/data-source-page-new` | Still active and reused by Integrations. Do not move first. |
-| API Extension page | `web/app/components/header/account-setting/api-based-extension-page` | Still active and reused by Integrations. Do not move first. |
-| Plugin management primitives | `web/app/components/plugins/plugin-page` | Still active for `/plugins` and reused by Integrations. Do not delete. |
-
-## Recommended Timing
-
-Do not do a broad folder move in the current onboarding UI branch. This branch already carries UI, route, i18n, and permission behavior changes; adding large path churn would increase merge conflict risk with `main` and make review harder.
-
-After this branch is merged into `main`, do the structure cleanup in small PRs.
-
-## Step 1: Establish Integrations Ownership
-
-When: first cleanup PR after the onboarding UI branch lands on `main`.
-
-Goal: make the new feature ownership visible without moving legacy implementation internals.
-
-Recommended target:
-
-```text
-web/app/components/integrations/
-  routes.ts
-  integrations-page.tsx
-  integration-section-renderer.tsx
-  sidebar/
-  sections/
-  hooks/
-```
-
-Move or wrap only Integrations-owned shell files first:
-
-| Current file | Target |
-| --- | --- |
-| `web/app/components/tools/integration-routes.ts` | `web/app/components/integrations/routes.ts` |
-| `web/app/components/tools/integrations-page.tsx` | `web/app/components/integrations/integrations-page.tsx` |
-| `web/app/components/tools/integration-section-renderer.tsx` | `web/app/components/integrations/integration-section-renderer.tsx` |
-| `web/app/components/tools/integration-page-header.tsx` | `web/app/components/integrations/integration-page-header.tsx` |
-| `web/app/components/tools/integration-sidebar-nav-item.tsx` | `web/app/components/integrations/sidebar/nav-item.tsx` |
-| `web/app/components/tools/integration-sidebar-nav-item-styles.ts` | `web/app/components/integrations/sidebar/nav-item-styles.ts` |
-| `web/app/components/tools/permission-quick-panel.tsx` | `web/app/components/integrations/sidebar/permission-quick-panel.tsx` |
-| `web/app/components/tools/hooks/use-integration-*` | `web/app/components/integrations/hooks/*` |
-
-Keep compatibility re-exports from the old `components/tools` paths during this PR if the import churn becomes large.
-
-## Step 2: Add Section Adapters
-
-When: same PR as Step 1 if the diff stays small, otherwise a second cleanup PR.
-
-Goal: avoid importing legacy Account Settings components directly from the shared renderer.
-
-Add thin adapters:
-
-```text
-web/app/components/integrations/sections/model-provider-section.tsx
-web/app/components/integrations/sections/data-source-section.tsx
-web/app/components/integrations/sections/api-extension-section.tsx
-web/app/components/integrations/sections/tools-section.tsx
-web/app/components/integrations/sections/plugin-category-section.tsx
-```
-
-These adapters should keep importing the existing implementation from its current location. For example, `model-provider-section.tsx` can wrap `header/account-setting/model-provider-page` and pass Integrations-specific props such as `stickyToolbar`, `fixedWarningAlignment`, and `hideSystemModelSelectorProviderSettingsFooter`.
-
-Do not duplicate page logic in the adapters.
-
-## Step 3: Remove Confirmed Dead Account Settings Pages
-
-When: after Step 1 and Step 2 are merged and the app still passes route/modal smoke tests.
-
-Likely removal candidates:
-
-| Candidate | Reason |
-| --- | --- |
-| `web/app/components/header/account-setting/Integrations-page` | Superseded by the new Integrations shell. No production reference should remain. |
-| `web/app/components/header/account-setting/plugin-page` | Superseded by `web/app/components/plugins/plugin-page`. No production reference should remain. |
-
-Before deleting, run a fresh reference check:
-
-```bash
-rg "Integrations-page|header/account-setting/plugin-page" web/app web/context web/service
-```
-
-Delete only if the remaining hits are tests for the files being removed.
-
-## Step 4: Consider Deeper Page Moves Later
-
-When: only after the Integrations shell ownership is stable and `main` has absorbed the onboarding rewrite.
-
-Do not start by moving these directories:
-
-| Directory | Why |
-| --- | --- |
-| `header/account-setting/model-provider-page` | Its types, hooks, model selector, model auth, and modals are imported by workflows, datasets, app debug, services, and global modal context. |
-| `header/account-setting/data-source-page-new` | Its types and credential flows are used by dataset creation, Notion selectors, and Integrations. |
-| `header/account-setting/api-based-extension-page` | It is still reused by feature settings and Integrations. |
-| `plugins/plugin-page` | `/plugins`, Integrations install controls, plugin category pages, plugin task status, and plugin detail flows still depend on it. |
-
-If these are moved later, split the work by domain:
-
-1. Extract shared types/hooks into stable shared modules.
-2. Move only one page family per PR.
-3. Keep temporary re-export files at old paths if external imports are still broad.
-4. Remove re-exports only after the branch has settled on `main`.
-
-## Merge Conflict Strategy
-
-Prefer additive changes first:
-
- New adapter files under `components/integrations`.
- Small import updates in the route adapter and renderer.
- Temporary re-exports from old paths when needed.
-
-Avoid early broad changes:
-
- Large `git mv` batches.
- Renaming model-provider/data-source imports across workflow and dataset code.
- Deleting reused plugin primitives.
- Combining structure cleanup with visual changes.
-
-## Validation Checklist
-
-Run at least:
-
-```bash
-pnpm test app/components/tools/__tests__/integrations-page.spec.tsx
-pnpm test app/components/tools/__tests__/integration-routes.spec.ts
-pnpm test app/components/main-nav/__tests__/index.spec.tsx
-pnpm eslint --cache --quiet app/components/tools app/components/main-nav
-```
-
-For deeper moves, also run targeted tests for the moved page family, such as model-provider, data-source, API extension, plugin-page, and plugin detail panel tests.
--- a/docs/integrations-route-contract.md
+++ b/docs/integrations-route-contract.md
@ -1,140 +0,0 @@
-# Integrations Route Contract
-
-This document records the current canonical routes for the Integrations navigation, the legacy routes that redirect to them, and the remaining migration gaps. The first migration only moves existing pages onto the new routes; UI redesign work is out of scope.
-
-## Current Status
-
-Completed:
-
-| Area | Status |
-| --- | --- |
-| Canonical `/integrations/...` route adapter | Implemented in `web/app/(commonLayout)/integrations/[[...slug]]/page.tsx`. |
-| Route contract utility | Implemented in `web/app/components/tools/integration-routes.ts`. |
-| Existing page reuse | Implemented through `IntegrationSectionRenderer`; no duplicated UI copy. |
-| Legacy `/tools?...` redirects | Implemented through `web/app/(commonLayout)/tools/page.tsx`. |
-| Legacy `/plugins` installed redirects | Implemented through `web/app/(commonLayout)/plugins/page.tsx`. |
-| Tools tab navigation under new URLs | Implemented; scoped tool tabs push canonical `/integrations/tools/...` URLs. |
-| Singular-only canonical URLs | Implemented; plural and misplaced aliases are intentionally unsupported. |
-
-Not completed:
-
-| Area | Remaining work |
-| --- | --- |
-| Integrations overview page | Not introduced; `/integrations` currently redirects to `/integrations/model-provider`. |
-| Tools overview page | Not introduced; `/integrations/tools` currently redirects to `/integrations/tools/built-in`. |
-| Plugin route migration | `/plugins` still owns the old plugin management and marketplace surface; no `/integrations/plugin` route will be introduced. Non-marketplace plugin URLs should redirect to `/integrations`. |
-| Marketplace route migration | `/marketplace/...` routes below are future recommendations only; they are not implemented here. |
-| New onboarding UI redesign | Not started in this route migration; current pages intentionally reuse existing UI. |
-| Marketplace plugin redirects | Not implemented; marketplace plugin URLs intentionally keep rendering the legacy plugin marketplace surface for now. |
-
-## Navigation Labels
-
-| Navigation item | Canonical label |
-| --- | --- |
-| Model Provider | Model Provider |
-| Built-in tools | Built-in |
-| Custom Tool | Swagger API as Tool |
-| Workflow | Workflow as Tool |
-| MCP | MCP |
-| Data Source | Data Source |
-| API Extension | API Extension |
-| Plugins | Plugins |
-| Marketplace | Marketplace |
-
-## Canonical Integrations Routes
-
-| Route | Destination |
-| --- | --- |
-| `/integrations` | Redirect to `/integrations/model-provider` unless an overview page is introduced. |
-| `/integrations/model-provider` | Existing model provider management page. |
-| `/integrations/tools` | Redirect to `/integrations/tools/built-in` unless a tools overview page is introduced. |
-| `/integrations/tools/built-in` | Existing built-in tools list. |
-| `/integrations/tool/api` | Existing custom API tool list, relabeled as Swagger API as Tool. |
-| `/integrations/tools/workflow` | Existing Workflow as Tool management page. |
-| `/integrations/tools/mcp` | Existing MCP tools management page. |
-| `/integrations/trigger` | Existing plugin trigger list filtered from plugin management. |
-| `/integrations/agent-strategy` | Existing agent strategy plugin list filtered from plugin management. |
-| `/integrations/extension` | Existing extension plugin list filtered from plugin management. |
-| `/integrations/data-source` | Existing data source page. |
-| `/integrations/tools/api-extension` | Existing API extension page under the Tools group. |
-
-## Integration Plugin Category Routes
-
-These navigation items use plugin categories from the existing plugin management surface:
-
-| Navigation item | Plugin category | Route |
-| --- | --- | --- |
-| Trigger | `trigger` | `/integrations/trigger` |
-| Agent Strategy | `agent-strategy` | `/integrations/agent-strategy` |
-| Extension | `extension` | `/integrations/extension` |
-
-The install and filter controls in the Integrations sidebar are disabled actions, not route destinations.
-
-These routes reuse the installed plugin management list with an initial category filter. They are not marketplace category pages.
-
-Do not treat every plugin category as an Integrations navigation item automatically. `trigger`, `agent-strategy`, and `extension` are currently exposed under Integrations because they are explicit navigation items. Other plugin categories have different product meanings:
-
-| Plugin category | Integrations relationship |
-| --- | --- |
-| `tool` | Not equal to `/integrations/tools/...`; tool plugins can expose tool providers that appear in Tools, but the Tools page is provider-based. |
-| `model` | Not equal to `/integrations/model-provider`; model providers are managed through the model provider page. |
-| `datasource` | Not equal to the full Data Source page; data source integrations have their own existing page. |
-| `trigger` | Reused as `/integrations/trigger`, installed plugins filtered by category. |
-| `agent-strategy` | Reused as `/integrations/agent-strategy`, installed plugins filtered by category. |
-| `extension` | Reused as `/integrations/extension`, installed plugins filtered by category. |
-
-## Legacy Tools Redirects
-
-| Legacy route | New route |
-| --- | --- |
-| `/tools` | `/integrations/tools/built-in` |
-| `/tools?section=provider` | `/integrations/model-provider` |
-| `/tools?section=builtin` | `/integrations/tools/built-in` |
-| `/tools?section=builtin&category=builtin` | `/integrations/tools/built-in` |
-| `/tools?category=builtin` | `/integrations/tools/built-in` |
-| `/tools?section=custom-tool` | `/integrations/tool/api` |
-| `/tools?section=custom-tool&category=api` | `/integrations/tool/api` |
-| `/tools?category=api` | `/integrations/tool/api` |
-| `/tools?section=workflow-tool` | `/integrations/tools/workflow` |
-| `/tools?section=workflow-tool&category=workflow` | `/integrations/tools/workflow` |
-| `/tools?category=workflow` | `/integrations/tools/workflow` |
-| `/tools?section=mcp` | `/integrations/tools/mcp` |
-| `/tools?section=mcp&category=mcp` | `/integrations/tools/mcp` |
-| `/tools?category=mcp` | `/integrations/tools/mcp` |
-| `/tools?section=data-source` | `/integrations/data-source` |
-| `/tools?section=api-based-extension` | `/integrations/tools/api-extension` |
-| `/tools?section=trigger` | `/integrations/trigger` |
-| `/tools?section=agent-strategy` | `/integrations/agent-strategy` |
-| `/tools?section=extension` | `/integrations/extension` |
-
-Preserve non-routing query parameters such as `q`, `tags`, and `sort`, but drop legacy routing parameters such as `section` and `category` during redirects.
-
-## Non-Canonical Integrations Routes
-
-Do not add plural or misplaced alias redirects for new Integrations URLs. Only the singular canonical routes above should resolve. For example, `/integrations/model-providers`, `/integrations/data-sources`, `/integrations/api-extensions`, `/integrations/tools/trigger`, `/integrations/tools/agent-strategy`, and `/integrations/tools/extension` should not be treated as supported URLs unless they are later confirmed to have shipped externally.
-
-## Legacy Plugin Redirects
-
-Plugins have two different product meanings today: installed plugin management and marketplace discovery. Only the non-marketplace plugin URLs should redirect into Integrations. There is no `/integrations/plugin` route.
-
-| Old Plugin URL | Recommended redirect | Reason |
-| --- | --- | --- |
-| `/plugins` | `/integrations` | Installed plugin management entry should move into the Integrations main entry. |
-| `/plugins?tab=plugins` | `/integrations` | Explicit installed plugins tab; non-marketplace semantics. |
-| `/plugins?tab=discover` | Do not redirect to Integrations | Marketplace discovery. |
-| `/plugins?tab=all` | Do not redirect to Integrations | Marketplace category: all. |
-| `/plugins?tab=tool` | Do not redirect to Integrations | Marketplace tool category, not installed tools management. |
-| `/plugins?tab=model` | Do not redirect to Integrations | Marketplace model category. |
-| `/plugins?tab=trigger` | Do not redirect to Integrations | Marketplace trigger category. |
-| `/plugins?tab=agent-strategy` | Do not redirect to Integrations | Marketplace agent strategy category. |
-| `/plugins?tab=extension` | Do not redirect to Integrations | Marketplace extension category. |
-| `/plugins?tab=datasource` | Do not redirect to Integrations | Marketplace datasource category. |
-| `/plugins?tab=bundle` | Do not redirect to Integrations | Marketplace bundle category. |
-
-## Migration Order
-
-1. Add the canonical route map and route tests.
-2. Mount the existing pages under the new Integrations routes without UI redesign.
-3. Update internal links to generate canonical URLs.
-4. Add legacy redirects for `/tools` and `/plugins`.
-5. Keep compatibility tests for each legacy route until old links can be removed.
--- a/docs/main-nav-gating-follow-ups.md
+++ b/docs/main-nav-gating-follow-ups.md
@ -1,97 +0,0 @@
-# Main Nav Gating Follow-ups
-
-Context: the desktop MainNav rewrite moved several workspace, account, tools, and marketplace entry points out of the old header/account-setting layout. These notes track product-contract questions that should be resolved before treating the rewrite as behavior-complete.
-
-Current status:
-
- Open: account-setting modal navigation API naming, Marketplace/Integrations install task status parity, account language/timezone access parity.
- Partially resolved: Apps/Datasets quick-switch/create parity.
-
-## 1. Account-setting modal naming and moved destinations
-
-Status: Open.
-
-Current branch behavior:
-
- `setShowAccountSettingModal(PROVIDER)` routes to `/integrations/model-provider`.
- `setShowAccountSettingModal(DATA_SOURCE)` routes to `/integrations/data-source`.
- `setShowAccountSettingModal(API_BASED_EXTENSION)` routes to `/integrations/tools/api-extension`.
- Document Settings no longer directly renders the old Account Settings modal for Provider; it uses the Integrations destination helper.
-
-Old behavior: these calls opened the account-setting modal and switched to the matching tab.
-
-Question:
-
- Since Provider, Data Source, and API-based Extension are no longer inside Account Settings in the new design, should this API still be named `setShowAccountSettingModal` for those destinations?
-
-Follow-up decision needed:
-
- Either keep the compatibility shim but document that these payloads are now route destinations, or introduce a clearer navigation API for integration destinations and update call sites intentionally.
- Re-check call sites launched from workflows, datasets, and app configuration when new entry points are added. The known Document Settings provider entry has been migrated.
-
-## 2. Plugin and marketplace status parity
-
-Status: Open.
-
-Old header behavior:
-
- `PluginsNav` showed plugin install progress and error state through the installing icon and red indicator.
- Installing tasks showed the downloading icon.
- Failed or erroring install tasks showed the red status indicator.
-
-Current MainNav behavior:
-
- MainNav has a Marketplace link, but it does not surface plugin installing/error state.
- Integrations has install entry points, but it does not surface the old `PluginTasks` install-task status entry near the Integrations install action.
- Marketplace is the product discovery surface for uninstalled integrations; `PluginTasks` is only the transient install-task status inbox for running/succeeded/failed installs.
-
-Follow-up decision needed:
-
- Decide whether MainNav Marketplace should preserve the old plugin task status indicator.
- Decide whether Integrations should expose `PluginTasks` near the install action so users can inspect failed/running install tasks without returning to the old `/plugins` shell.
- If yes, reuse the existing `usePluginTaskStatus` behavior instead of creating a parallel status source.
-
-## 3. Account language and timezone access
-
-Status: Open.
-
-Current branch behavior:
-
- Desktop MainNav account menu includes Language and Timezone submenus.
- The main app layout now uses MainNav across breakpoints.
- The default account dropdown does not expose a direct Language/Timezone settings entry.
- The default account dropdown still exists in non-MainNav account/header surfaces such as the account layout.
- Language and Timezone still belong to Account Settings, not Integrations.
- `UpdateSettingPopover` still links the timezone hint to `ACCOUNT_SETTING_TAB.LANGUAGE`.
- The legacy `ReferenceSettingModal` auto-update timezone hint also still links to `ACCOUNT_SETTING_TAB.LANGUAGE`.
-
-Decision:
-
- Preserve the old language-access contract across breakpoints.
- The desktop MainNav path is acceptable; the remaining question is default account-dropdown parity wherever that path remains active, plus whether hidden Account Settings Language entry points should remain acceptable.
-
-Follow-up decision needed:
-
- Add an equivalent language/timezone entry to the default account path, or otherwise ensure users in those surfaces can still reach language settings.
- Decide whether the Update Setting timezone hint should keep opening the hidden Account Settings Language page, or whether Account Settings should surface Language in its visible menu.
- Keep this as gate-contract parity, not a visual requirement to recreate the old Account Settings sidebar.
-
-## 4. Apps and Datasets quick-switch/create parity
-
-Status: Partially resolved.
-
-Old header behavior:
-
- `AppNav` could show the current app, list more apps, load more results, and launch create-app flows from the header nav.
- `DatasetNav` could show the current dataset, list more datasets, load more results, and launch dataset creation from the header nav.
-
-Current MainNav behavior:
-
- Apps is no longer only a static navigation link: MainNav includes a Web Apps section with installed web app search, pin, delete, and navigation behavior.
- Apps still does not preserve the old `AppNav` current-app switcher, load-more behavior, or create-app flows.
- Datasets is still a navigation link and does not preserve the old `DatasetNav` current-dataset switcher, load-more behavior, or dataset creation entry.
-
-Follow-up decision needed:
-
- Decide whether the new design intentionally removes these quick-switch/create affordances.
- If not, add equivalent behavior in the MainNav flow without copying the old header UI directly.
--- a/eslint-suppressions.json
+++ b/eslint-suppressions.json
@ -108,6 +108,14 @@
      "count": 1
    }
  },
+  "web/app/(commonLayout)/app/(appDetailLayout)/[appId]/layout-main.tsx": {
+    "react/set-state-in-effect": {
+      "count": 2
+    },
+    "ts/no-explicit-any": {
+      "count": 1
+    }
+  },
  "web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/tracing/__tests__/svg-attribute-error-reproduction.spec.tsx": {
    "no-console": {
      "count": 19
@ -134,6 +142,11 @@
      "count": 1
    }
  },
+  "web/app/(commonLayout)/datasets/(datasetDetailLayout)/[datasetId]/layout-main.tsx": {
+    "ts/no-explicit-any": {
+      "count": 1
+    }
+  },
  "web/app/(humanInputLayout)/form/[token]/form.tsx": {
    "react/set-state-in-effect": {
      "count": 1
@ -628,6 +641,22 @@
      "count": 1
    }
  },
+  "web/app/components/apps/list.tsx": {
+    "no-restricted-imports": {
+      "count": 1
+    }
+  },
+  "web/app/components/apps/new-app-card.tsx": {
+    "react-hooks-extra/no-direct-set-state-in-use-effect": {
+      "count": 1
+    },
+    "react/set-state-in-effect": {
+      "count": 1
+    },
+    "ts/no-explicit-any": {
+      "count": 1
+    }
+  },
  "web/app/components/base/action-button/index.tsx": {
    "erasable-syntax-only/enums": {
      "count": 1
@ -2253,6 +2282,11 @@
      "count": 1
    }
  },
+  "web/app/components/datasets/list/index.tsx": {
+    "no-restricted-imports": {
+      "count": 1
+    }
+  },
  "web/app/components/datasets/metadata/edit-metadata-batch/input-combined.tsx": {
    "ts/no-explicit-any": {
      "count": 2
@ -2329,6 +2363,14 @@
      "count": 1
    }
  },
+  "web/app/components/explore/banner/banner-item.tsx": {
+    "react-hooks-extra/no-direct-set-state-in-use-effect": {
+      "count": 1
+    },
+    "react/set-state-in-effect": {
+      "count": 1
+    }
+  },
  "web/app/components/explore/banner/indicator-button.tsx": {
    "react-hooks-extra/no-direct-set-state-in-use-effect": {
      "count": 1
@ -2848,6 +2890,11 @@
      "count": 1
    }
  },
+  "web/app/components/plugins/plugin-page/empty/index.tsx": {
+    "react/set-state-in-effect": {
+      "count": 2
+    }
+  },
  "web/app/components/plugins/plugin-page/filter-management/category-filter.tsx": {
    "no-restricted-imports": {
      "count": 1
@ -3151,16 +3198,49 @@
      "count": 1
    }
  },
+  "web/app/components/tools/mcp/headers-input.tsx": {
+    "no-restricted-imports": {
+      "count": 1
+    }
+  },
  "web/app/components/tools/mcp/mcp-server-param-item.tsx": {
    "ts/no-explicit-any": {
      "count": 1
    }
  },
+  "web/app/components/tools/mcp/modal.tsx": {
+    "no-restricted-imports": {
+      "count": 1
+    }
+  },
  "web/app/components/tools/mcp/provider-card.tsx": {
    "ts/no-explicit-any": {
      "count": 3
    }
  },
+  "web/app/components/tools/mcp/sections/authentication-section.tsx": {
+    "no-restricted-imports": {
+      "count": 1
+    }
+  },
+  "web/app/components/tools/mcp/sections/configurations-section.tsx": {
+    "no-restricted-imports": {
+      "count": 1
+    }
+  },
+  "web/app/components/tools/provider-list.tsx": {
+    "no-restricted-imports": {
+      "count": 1
+    },
+    "ts/no-explicit-any": {
+      "count": 1
+    }
+  },
+  "web/app/components/tools/provider/empty.tsx": {
+    "ts/no-explicit-any": {
+      "count": 1
+    }
+  },
  "web/app/components/tools/setting/build-in/config-credentials.tsx": {
    "ts/no-explicit-any": {
      "count": 3
@ -5135,11 +5215,6 @@
      "count": 1
    }
  },
-  "web/service/__tests__/use-plugins.spec.tsx": {
-    "no-restricted-imports": {
-      "count": 1
-    }
-  },
  "web/service/access-control.ts": {
    "@tanstack/query/exhaustive-deps": {
      "count": 1
@ -5394,6 +5469,15 @@
  "web/service/use-plugins.ts": {
    "no-restricted-imports": {
      "count": 1
+    },
+    "react/set-state-in-effect": {
+      "count": 1
+    },
+    "regexp/no-unused-capturing-group": {
+      "count": 1
+    },
+    "ts/no-explicit-any": {
+      "count": 3
    }
  },
  "web/service/use-tools.ts": {
--- a/packages/contracts/generated/api/console/explore/orpc.gen.ts
+++ b/packages/contracts/generated/api/console/explore/orpc.gen.ts
@ -6,34 +6,17 @@ import * as z from 'zod'
 import {
  zGetExploreAppsByAppIdPath,
  zGetExploreAppsByAppIdResponse,
-  zGetExploreAppsLearnDifyQuery,
-  zGetExploreAppsLearnDifyResponse,
  zGetExploreAppsQuery,
  zGetExploreAppsResponse,
  zGetExploreBannersResponse,
 } from './zod.gen'

-export const get = oc
-  .route({
-    inputStructure: 'detailed',
-    method: 'GET',
-    operationId: 'getExploreAppsLearnDify',
-    path: '/explore/apps/learn-dify',
-    tags: ['console'],
-  })
-  .input(z.object({ query: zGetExploreAppsLearnDifyQuery.optional() }))
-  .output(zGetExploreAppsLearnDifyResponse)
-
-export const learnDify = {
-  get,
-}
-
 /**
 * Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.
 *
 * @deprecated
 */
-export const get2 = oc
+export const get = oc
  .route({
    deprecated: true,
    description:
@ -48,10 +31,10 @@ export const get2 = oc
  .output(zGetExploreAppsByAppIdResponse)

 export const byAppId = {
-  get: get2,
+  get,
 }

-export const get3 = oc
+export const get2 = oc
  .route({
    inputStructure: 'detailed',
    method: 'GET',
@ -63,8 +46,7 @@ export const get3 = oc
  .output(zGetExploreAppsResponse)

 export const apps = {
-  get: get3,
-  learnDify,
+  get: get2,
  byAppId,
 }

@ -75,7 +57,7 @@ export const apps = {
 *
 * @deprecated
 */
-export const get4 = oc
+export const get3 = oc
  .route({
    deprecated: true,
    description:
@ -90,7 +72,7 @@ export const get4 = oc
  .output(zGetExploreBannersResponse)

 export const banners = {
-  get: get4,
+  get: get3,
 }

 export const explore = {
--- a/packages/contracts/generated/api/console/explore/types.gen.ts
+++ b/packages/contracts/generated/api/console/explore/types.gen.ts
@ -9,10 +9,6 @@ export type RecommendedAppListResponse = {
  recommended_apps: Array<RecommendedAppResponse>
 }

-export type LearnDifyAppListResponse = {
-  recommended_apps: Array<RecommendedAppResponse>
-}
-
 export type RecommendedAppResponse = {
  app?: RecommendedAppInfoResponse
  app_id: string
@ -50,22 +46,6 @@ export type GetExploreAppsResponses = {

 export type GetExploreAppsResponse = GetExploreAppsResponses[keyof GetExploreAppsResponses]

-export type GetExploreAppsLearnDifyData = {
-  body?: never
-  path?: never
-  query?: {
-    language?: string
-  }
-  url: '/explore/apps/learn-dify'
-}
-
-export type GetExploreAppsLearnDifyResponses = {
-  200: LearnDifyAppListResponse
-}
-
-export type GetExploreAppsLearnDifyResponse
-  = GetExploreAppsLearnDifyResponses[keyof GetExploreAppsLearnDifyResponses]
-
 export type GetExploreAppsByAppIdData = {
  body?: never
  path: {
--- a/packages/contracts/generated/api/console/explore/zod.gen.ts
+++ b/packages/contracts/generated/api/console/explore/zod.gen.ts
@ -38,13 +38,6 @@ export const zRecommendedAppListResponse = z.object({
  recommended_apps: z.array(zRecommendedAppResponse),
 })

-/**
- * LearnDifyAppListResponse
- */
-export const zLearnDifyAppListResponse = z.object({
-  recommended_apps: z.array(zRecommendedAppResponse),
-})
-
 export const zGetExploreAppsQuery = z.object({
  language: z.string().optional(),
 })
@ -54,15 +47,6 @@ export const zGetExploreAppsQuery = z.object({
 */
 export const zGetExploreAppsResponse = zRecommendedAppListResponse

-export const zGetExploreAppsLearnDifyQuery = z.object({
-  language: z.string().optional(),
-})
-
-/**
- * Success
- */
-export const zGetExploreAppsLearnDifyResponse = zLearnDifyAppListResponse
-
 export const zGetExploreAppsByAppIdPath = z.object({
  app_id: z.string(),
 })
--- a/packages/contracts/generated/api/console/workspaces/orpc.gen.ts
+++ b/packages/contracts/generated/api/console/workspaces/orpc.gen.ts
@ -56,8 +56,6 @@ import {
  zGetWorkspacesCurrentPermissionResponse,
  zGetWorkspacesCurrentPluginAssetQuery,
  zGetWorkspacesCurrentPluginAssetResponse,
-  zGetWorkspacesCurrentPluginAutoUpgradeFetchQuery,
-  zGetWorkspacesCurrentPluginAutoUpgradeFetchResponse,
  zGetWorkspacesCurrentPluginDebuggingKeyResponse,
  zGetWorkspacesCurrentPluginFetchManifestQuery,
  zGetWorkspacesCurrentPluginFetchManifestResponse,
@ -70,6 +68,7 @@ import {
  zGetWorkspacesCurrentPluginParametersDynamicOptionsQuery,
  zGetWorkspacesCurrentPluginParametersDynamicOptionsResponse,
  zGetWorkspacesCurrentPluginPermissionFetchResponse,
+  zGetWorkspacesCurrentPluginPreferencesFetchResponse,
  zGetWorkspacesCurrentPluginReadmeQuery,
  zGetWorkspacesCurrentPluginReadmeResponse,
  zGetWorkspacesCurrentPluginTasksByTaskIdPath,
@ -185,10 +184,6 @@ import {
  zPostWorkspacesCurrentModelProvidersByProviderPreferredProviderTypeBody,
  zPostWorkspacesCurrentModelProvidersByProviderPreferredProviderTypePath,
  zPostWorkspacesCurrentModelProvidersByProviderPreferredProviderTypeResponse,
-  zPostWorkspacesCurrentPluginAutoUpgradeChangeBody,
-  zPostWorkspacesCurrentPluginAutoUpgradeChangeResponse,
-  zPostWorkspacesCurrentPluginAutoUpgradeExcludeBody,
-  zPostWorkspacesCurrentPluginAutoUpgradeExcludeResponse,
  zPostWorkspacesCurrentPluginInstallGithubBody,
  zPostWorkspacesCurrentPluginInstallGithubResponse,
  zPostWorkspacesCurrentPluginInstallMarketplaceBody,
@ -203,6 +198,10 @@ import {
  zPostWorkspacesCurrentPluginParametersDynamicOptionsWithCredentialsResponse,
  zPostWorkspacesCurrentPluginPermissionChangeBody,
  zPostWorkspacesCurrentPluginPermissionChangeResponse,
+  zPostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeBody,
+  zPostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeResponse,
+  zPostWorkspacesCurrentPluginPreferencesChangeBody,
+  zPostWorkspacesCurrentPluginPreferencesChangeResponse,
  zPostWorkspacesCurrentPluginTasksByTaskIdDeleteByIdentifierPath,
  zPostWorkspacesCurrentPluginTasksByTaskIdDeleteByIdentifierResponse,
  zPostWorkspacesCurrentPluginTasksByTaskIdDeletePath,
@ -1445,58 +1444,7 @@ export const asset = {
  get: get16,
 }

-export const post22 = oc
-  .route({
-    inputStructure: 'detailed',
-    method: 'POST',
-    operationId: 'postWorkspacesCurrentPluginAutoUpgradeChange',
-    path: '/workspaces/current/plugin/auto-upgrade/change',
-    tags: ['console'],
-  })
-  .input(z.object({ body: zPostWorkspacesCurrentPluginAutoUpgradeChangeBody }))
-  .output(zPostWorkspacesCurrentPluginAutoUpgradeChangeResponse)
-
-export const change = {
-  post: post22,
-}
-
-export const post23 = oc
-  .route({
-    inputStructure: 'detailed',
-    method: 'POST',
-    operationId: 'postWorkspacesCurrentPluginAutoUpgradeExclude',
-    path: '/workspaces/current/plugin/auto-upgrade/exclude',
-    tags: ['console'],
-  })
-  .input(z.object({ body: zPostWorkspacesCurrentPluginAutoUpgradeExcludeBody }))
-  .output(zPostWorkspacesCurrentPluginAutoUpgradeExcludeResponse)
-
-export const exclude = {
-  post: post23,
-}
-
 export const get17 = oc
-  .route({
-    inputStructure: 'detailed',
-    method: 'GET',
-    operationId: 'getWorkspacesCurrentPluginAutoUpgradeFetch',
-    path: '/workspaces/current/plugin/auto-upgrade/fetch',
-    tags: ['console'],
-  })
-  .input(z.object({ query: zGetWorkspacesCurrentPluginAutoUpgradeFetchQuery }))
-  .output(zGetWorkspacesCurrentPluginAutoUpgradeFetchResponse)
-
-export const fetch_ = {
-  get: get17,
-}
-
-export const autoUpgrade = {
-  change,
-  exclude,
-  fetch: fetch_,
-}
-
-export const get18 = oc
  .route({
    inputStructure: 'detailed',
    method: 'GET',
@ -1507,6 +1455,29 @@ export const get18 = oc
  .output(zGetWorkspacesCurrentPluginDebuggingKeyResponse)

 export const debuggingKey = {
+  get: get17,
+}
+
+/**
+ * Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.
+ *
+ * @deprecated
+ */
+export const get18 = oc
+  .route({
+    deprecated: true,
+    description:
+      'Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.',
+    inputStructure: 'detailed',
+    method: 'GET',
+    operationId: 'getWorkspacesCurrentPluginFetchManifest',
+    path: '/workspaces/current/plugin/fetch-manifest',
+    tags: ['console'],
+  })
+  .input(z.object({ query: zGetWorkspacesCurrentPluginFetchManifestQuery }))
+  .output(zGetWorkspacesCurrentPluginFetchManifestResponse)
+
+export const fetchManifest = {
  get: get18,
 }

@ -1516,29 +1487,6 @@ export const debuggingKey = {
 * @deprecated
 */
 export const get19 = oc
-  .route({
-    deprecated: true,
-    description:
-      'Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.',
-    inputStructure: 'detailed',
-    method: 'GET',
-    operationId: 'getWorkspacesCurrentPluginFetchManifest',
-    path: '/workspaces/current/plugin/fetch-manifest',
-    tags: ['console'],
-  })
-  .input(z.object({ query: zGetWorkspacesCurrentPluginFetchManifestQuery }))
-  .output(zGetWorkspacesCurrentPluginFetchManifestResponse)
-
-export const fetchManifest = {
-  get: get19,
-}
-
-/**
- * Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.
- *
- * @deprecated
- */
-export const get20 = oc
  .route({
    deprecated: true,
    description:
@ -1553,7 +1501,7 @@ export const get20 = oc
  .output(zGetWorkspacesCurrentPluginIconResponse)

 export const icon = {
-  get: get20,
+  get: get19,
 }

 /**
@ -1561,7 +1509,7 @@ export const icon = {
 *
 * @deprecated
 */
-export const post24 = oc
+export const post22 = oc
  .route({
    deprecated: true,
    description:
@ -1576,7 +1524,7 @@ export const post24 = oc
  .output(zPostWorkspacesCurrentPluginInstallGithubResponse)

 export const github = {
-  post: post24,
+  post: post22,
 }

 /**
@ -1584,7 +1532,7 @@ export const github = {
 *
 * @deprecated
 */
-export const post25 = oc
+export const post23 = oc
  .route({
    deprecated: true,
    description:
@ -1599,7 +1547,7 @@ export const post25 = oc
  .output(zPostWorkspacesCurrentPluginInstallMarketplaceResponse)

 export const marketplace = {
-  post: post25,
+  post: post23,
 }

 /**
@ -1607,7 +1555,7 @@ export const marketplace = {
 *
 * @deprecated
 */
-export const post26 = oc
+export const post24 = oc
  .route({
    deprecated: true,
    description:
@ -1622,7 +1570,7 @@ export const post26 = oc
  .output(zPostWorkspacesCurrentPluginInstallPkgResponse)

 export const pkg = {
-  post: post26,
+  post: post24,
 }

 export const install = {
@ -1636,7 +1584,7 @@ export const install = {
 *
 * @deprecated
 */
-export const post27 = oc
+export const post25 = oc
  .route({
    deprecated: true,
    description:
@ -1651,7 +1599,7 @@ export const post27 = oc
  .output(zPostWorkspacesCurrentPluginListInstallationsIdsResponse)

 export const ids = {
-  post: post27,
+  post: post25,
 }

 export const installations = {
@ -1663,7 +1611,7 @@ export const installations = {
 *
 * @deprecated
 */
-export const post28 = oc
+export const post26 = oc
  .route({
    deprecated: true,
    description:
@ -1678,7 +1626,7 @@ export const post28 = oc
  .output(zPostWorkspacesCurrentPluginListLatestVersionsResponse)

 export const latestVersions = {
-  post: post28,
+  post: post26,
 }

 /**
@ -1686,7 +1634,7 @@ export const latestVersions = {
 *
 * @deprecated
 */
-export const get21 = oc
+export const get20 = oc
  .route({
    deprecated: true,
    description:
@ -1701,7 +1649,7 @@ export const get21 = oc
  .output(zGetWorkspacesCurrentPluginListResponse)

 export const list2 = {
-  get: get21,
+  get: get20,
  installations,
  latestVersions,
 }
@ -1711,7 +1659,7 @@ export const list2 = {
 *
 * @deprecated
 */
-export const get22 = oc
+export const get21 = oc
  .route({
    deprecated: true,
    description:
@ -1726,7 +1674,7 @@ export const get22 = oc
  .output(zGetWorkspacesCurrentPluginMarketplacePkgResponse)

 export const pkg2 = {
-  get: get22,
+  get: get21,
 }

 export const marketplace2 = {
@ -1738,7 +1686,7 @@ export const marketplace2 = {
 *
 * @deprecated
 */
-export const get23 = oc
+export const get22 = oc
  .route({
    deprecated: true,
    description:
@ -1753,7 +1701,7 @@ export const get23 = oc
  .output(zGetWorkspacesCurrentPluginParametersDynamicOptionsResponse)

 export const dynamicOptions = {
-  get: get23,
+  get: get22,
 }

 /**
@ -1763,7 +1711,7 @@ export const dynamicOptions = {
 *
 * @deprecated
 */
-export const post29 = oc
+export const post27 = oc
  .route({
    deprecated: true,
    description:
@ -1781,7 +1729,7 @@ export const post29 = oc
  .output(zPostWorkspacesCurrentPluginParametersDynamicOptionsWithCredentialsResponse)

 export const dynamicOptionsWithCredentials = {
-  post: post29,
+  post: post27,
 }

 export const parameters = {
@ -1789,7 +1737,7 @@ export const parameters = {
  dynamicOptionsWithCredentials,
 }

-export const post30 = oc
+export const post28 = oc
  .route({
    inputStructure: 'detailed',
    method: 'POST',
@ -1800,6 +1748,83 @@ export const post30 = oc
  .input(z.object({ body: zPostWorkspacesCurrentPluginPermissionChangeBody }))
  .output(zPostWorkspacesCurrentPluginPermissionChangeResponse)

+export const change = {
+  post: post28,
+}
+
+/**
+ * Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.
+ *
+ * @deprecated
+ */
+export const get23 = oc
+  .route({
+    deprecated: true,
+    description:
+      'Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.',
+    inputStructure: 'detailed',
+    method: 'GET',
+    operationId: 'getWorkspacesCurrentPluginPermissionFetch',
+    path: '/workspaces/current/plugin/permission/fetch',
+    tags: ['console'],
+  })
+  .output(zGetWorkspacesCurrentPluginPermissionFetchResponse)
+
+export const fetch_ = {
+  get: get23,
+}
+
+export const permission2 = {
+  change,
+  fetch: fetch_,
+}
+
+/**
+ * Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.
+ *
+ * @deprecated
+ */
+export const post29 = oc
+  .route({
+    deprecated: true,
+    description:
+      'Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.',
+    inputStructure: 'detailed',
+    method: 'POST',
+    operationId: 'postWorkspacesCurrentPluginPreferencesAutoupgradeExclude',
+    path: '/workspaces/current/plugin/preferences/autoupgrade/exclude',
+    tags: ['console'],
+  })
+  .input(z.object({ body: zPostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeBody }))
+  .output(zPostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeResponse)
+
+export const exclude = {
+  post: post29,
+}
+
+export const autoupgrade = {
+  exclude,
+}
+
+/**
+ * Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.
+ *
+ * @deprecated
+ */
+export const post30 = oc
+  .route({
+    deprecated: true,
+    description:
+      'Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.',
+    inputStructure: 'detailed',
+    method: 'POST',
+    operationId: 'postWorkspacesCurrentPluginPreferencesChange',
+    path: '/workspaces/current/plugin/preferences/change',
+    tags: ['console'],
+  })
+  .input(z.object({ body: zPostWorkspacesCurrentPluginPreferencesChangeBody }))
+  .output(zPostWorkspacesCurrentPluginPreferencesChangeResponse)
+
 export const change2 = {
  post: post30,
 }
@ -1816,17 +1841,18 @@ export const get24 = oc
      'Generated contract types may be inaccurate because backend OpenAPI annotations are incomplete. Do not migrate callers until the generated contract is accurate.',
    inputStructure: 'detailed',
    method: 'GET',
-    operationId: 'getWorkspacesCurrentPluginPermissionFetch',
-    path: '/workspaces/current/plugin/permission/fetch',
+    operationId: 'getWorkspacesCurrentPluginPreferencesFetch',
+    path: '/workspaces/current/plugin/preferences/fetch',
    tags: ['console'],
  })
-  .output(zGetWorkspacesCurrentPluginPermissionFetchResponse)
+  .output(zGetWorkspacesCurrentPluginPreferencesFetchResponse)

 export const fetch2 = {
  get: get24,
 }

-export const permission2 = {
+export const preferences = {
+  autoupgrade,
  change: change2,
  fetch: fetch2,
 }
@ -2089,7 +2115,6 @@ export const upload = {

 export const plugin2 = {
  asset,
-  autoUpgrade,
  debuggingKey,
  fetchManifest,
  icon,
@ -2098,6 +2123,7 @@ export const plugin2 = {
  marketplace: marketplace2,
  parameters,
  permission: permission2,
+  preferences,
  readme,
  tasks,
  uninstall,
--- a/packages/contracts/generated/api/console/workspaces/types.gen.ts
+++ b/packages/contracts/generated/api/console/workspaces/types.gen.ts
@ -225,30 +225,6 @@ export type WorkspacePermissionResponse = {
  workspace_id: string
 }

-export type ParserAutoUpgradeChange = {
-  auto_upgrade: PluginAutoUpgradeSettingsPayload
-  category: PluginCategory
-}
-
-export type PluginAutoUpgradeChangeResponse = {
-  message?: string | null
-  success: boolean
-}
-
-export type ParserExcludePlugin = {
-  category: PluginCategory
-  plugin_id: string
-}
-
-export type SuccessResponse = {
-  success: boolean
-}
-
-export type PluginAutoUpgradeFetchResponse = {
-  auto_upgrade: PluginAutoUpgradeSettingsResponseModel
-  category: PluginCategory
-}
-
 export type PluginDebuggingKeyResponse = {
  host: string
  key: string
@ -282,8 +258,21 @@ export type ParserDynamicOptionsWithCredentials = {
 }

 export type ParserPermissionChange = {
-  debug_permission?: DebugPermission
-  install_permission?: InstallPermission
+  debug_permission: DebugPermission
+  install_permission: InstallPermission
+}
+
+export type SuccessResponse = {
+  success: boolean
+}
+
+export type ParserExcludePlugin = {
+  plugin_id: string
+}
+
+export type ParserPreferencesChange = {
+  auto_upgrade: PluginAutoUpgradeSettingsPayload
+  permission: PluginPermissionSettingsPayload
 }

 export type ParserUninstall = {
@ -540,6 +529,10 @@ export type LoadBalancingPayload = {
  enabled?: boolean | null
 }

+export type DebugPermission = 'admins' | 'everyone' | 'noone'
+
+export type InstallPermission = 'admins' | 'everyone' | 'noone'
+
 export type PluginAutoUpgradeSettingsPayload = {
  exclude_plugins?: Array<string>
  include_plugins?: Array<string>
@ -548,26 +541,11 @@ export type PluginAutoUpgradeSettingsPayload = {
  upgrade_time_of_day?: number
 }

-export type PluginCategory
-  = | 'agent-strategy'
-    | 'datasource'
-    | 'extension'
-    | 'model'
-    | 'tool'
-    | 'trigger'
-
-export type PluginAutoUpgradeSettingsResponseModel = {
-  exclude_plugins: Array<string>
-  include_plugins: Array<string>
-  strategy_setting: StrategySetting
-  upgrade_mode: UpgradeMode
-  upgrade_time_of_day: number
+export type PluginPermissionSettingsPayload = {
+  debug_permission?: DebugPermission
+  install_permission?: InstallPermission
 }

-export type DebugPermission = 'admins' | 'everyone' | 'noone'
-
-export type InstallPermission = 'admins' | 'everyone' | 'noone'
-
 export type ApiProviderSchemaType = 'openai_actions' | 'openai_plugin' | 'openapi' | 'swagger'

 export type CredentialType = 'api-key' | 'oauth2' | 'unauthorized'
@ -1497,50 +1475,6 @@ export type GetWorkspacesCurrentPluginAssetResponses = {
 export type GetWorkspacesCurrentPluginAssetResponse
  = GetWorkspacesCurrentPluginAssetResponses[keyof GetWorkspacesCurrentPluginAssetResponses]

-export type PostWorkspacesCurrentPluginAutoUpgradeChangeData = {
-  body: ParserAutoUpgradeChange
-  path?: never
-  query?: never
-  url: '/workspaces/current/plugin/auto-upgrade/change'
-}
-
-export type PostWorkspacesCurrentPluginAutoUpgradeChangeResponses = {
-  200: PluginAutoUpgradeChangeResponse
-}
-
-export type PostWorkspacesCurrentPluginAutoUpgradeChangeResponse
-  = PostWorkspacesCurrentPluginAutoUpgradeChangeResponses[keyof PostWorkspacesCurrentPluginAutoUpgradeChangeResponses]
-
-export type PostWorkspacesCurrentPluginAutoUpgradeExcludeData = {
-  body: ParserExcludePlugin
-  path?: never
-  query?: never
-  url: '/workspaces/current/plugin/auto-upgrade/exclude'
-}
-
-export type PostWorkspacesCurrentPluginAutoUpgradeExcludeResponses = {
-  200: SuccessResponse
-}
-
-export type PostWorkspacesCurrentPluginAutoUpgradeExcludeResponse
-  = PostWorkspacesCurrentPluginAutoUpgradeExcludeResponses[keyof PostWorkspacesCurrentPluginAutoUpgradeExcludeResponses]
-
-export type GetWorkspacesCurrentPluginAutoUpgradeFetchData = {
-  body?: never
-  path?: never
-  query: {
-    category: string
-  }
-  url: '/workspaces/current/plugin/auto-upgrade/fetch'
-}
-
-export type GetWorkspacesCurrentPluginAutoUpgradeFetchResponses = {
-  200: PluginAutoUpgradeFetchResponse
-}
-
-export type GetWorkspacesCurrentPluginAutoUpgradeFetchResponse
-  = GetWorkspacesCurrentPluginAutoUpgradeFetchResponses[keyof GetWorkspacesCurrentPluginAutoUpgradeFetchResponses]
-
 export type GetWorkspacesCurrentPluginDebuggingKeyData = {
  body?: never
  path?: never
@ -1778,6 +1712,54 @@ export type GetWorkspacesCurrentPluginPermissionFetchResponses = {
 export type GetWorkspacesCurrentPluginPermissionFetchResponse
  = GetWorkspacesCurrentPluginPermissionFetchResponses[keyof GetWorkspacesCurrentPluginPermissionFetchResponses]

+export type PostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeData = {
+  body: ParserExcludePlugin
+  path?: never
+  query?: never
+  url: '/workspaces/current/plugin/preferences/autoupgrade/exclude'
+}
+
+export type PostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeResponses = {
+  200: {
+    [key: string]: unknown
+  }
+}
+
+export type PostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeResponse
+  = PostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeResponses[keyof PostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeResponses]
+
+export type PostWorkspacesCurrentPluginPreferencesChangeData = {
+  body: ParserPreferencesChange
+  path?: never
+  query?: never
+  url: '/workspaces/current/plugin/preferences/change'
+}
+
+export type PostWorkspacesCurrentPluginPreferencesChangeResponses = {
+  200: {
+    [key: string]: unknown
+  }
+}
+
+export type PostWorkspacesCurrentPluginPreferencesChangeResponse
+  = PostWorkspacesCurrentPluginPreferencesChangeResponses[keyof PostWorkspacesCurrentPluginPreferencesChangeResponses]
+
+export type GetWorkspacesCurrentPluginPreferencesFetchData = {
+  body?: never
+  path?: never
+  query?: never
+  url: '/workspaces/current/plugin/preferences/fetch'
+}
+
+export type GetWorkspacesCurrentPluginPreferencesFetchResponses = {
+  200: {
+    [key: string]: unknown
+  }
+}
+
+export type GetWorkspacesCurrentPluginPreferencesFetchResponse
+  = GetWorkspacesCurrentPluginPreferencesFetchResponses[keyof GetWorkspacesCurrentPluginPreferencesFetchResponses]
+
 export type GetWorkspacesCurrentPluginReadmeData = {
  body?: never
  path?: never
--- a/packages/contracts/generated/api/console/workspaces/zod.gen.ts
+++ b/packages/contracts/generated/api/console/workspaces/zod.gen.ts
@ -209,21 +209,6 @@ export const zWorkspacePermissionResponse = z.object({
  workspace_id: z.string(),
 })

-/**
- * PluginAutoUpgradeChangeResponse
- */
-export const zPluginAutoUpgradeChangeResponse = z.object({
-  message: z.string().nullish(),
-  success: z.boolean(),
-})
-
-/**
- * SuccessResponse
- */
-export const zSuccessResponse = z.object({
-  success: z.boolean(),
-})
-
 /**
 * PluginDebuggingKeyResponse
 */
@ -269,6 +254,20 @@ export const zParserDynamicOptionsWithCredentials = z.object({
  provider: z.string(),
 })

+/**
+ * SuccessResponse
+ */
+export const zSuccessResponse = z.object({
+  success: z.boolean(),
+})
+
+/**
+ * ParserExcludePlugin
+ */
+export const zParserExcludePlugin = z.object({
+  plugin_id: z.string(),
+})
+
 /**
 * ParserUninstall
 */
@ -606,26 +605,6 @@ export const zParserPostModels = z.object({
  model_type: zModelType,
 })

-/**
- * PluginCategory
- */
-export const zPluginCategory = z.enum([
-  'agent-strategy',
-  'datasource',
-  'extension',
-  'model',
-  'tool',
-  'trigger',
-])
-
-/**
- * ParserExcludePlugin
- */
-export const zParserExcludePlugin = z.object({
-  category: zPluginCategory,
-  plugin_id: z.string(),
-})
-
 /**
 * DebugPermission
 */
@ -640,6 +619,14 @@ export const zInstallPermission = z.enum(['admins', 'everyone', 'noone'])
 * ParserPermissionChange
 */
 export const zParserPermissionChange = z.object({
+  debug_permission: zDebugPermission,
+  install_permission: zInstallPermission,
+})
+
+/**
+ * PluginPermissionSettingsPayload
+ */
+export const zPluginPermissionSettingsPayload = z.object({
  debug_permission: zDebugPermission.optional(),
  install_permission: zInstallPermission.optional(),
 })
@ -733,30 +720,11 @@ export const zPluginAutoUpgradeSettingsPayload = z.object({
 })

 /**
- * ParserAutoUpgradeChange
+ * ParserPreferencesChange
 */
-export const zParserAutoUpgradeChange = z.object({
+export const zParserPreferencesChange = z.object({
  auto_upgrade: zPluginAutoUpgradeSettingsPayload,
-  category: zPluginCategory,
-})
-
-/**
- * PluginAutoUpgradeSettingsResponseModel
- */
-export const zPluginAutoUpgradeSettingsResponseModel = z.object({
-  exclude_plugins: z.array(z.string()),
-  include_plugins: z.array(z.string()),
-  strategy_setting: zStrategySetting,
-  upgrade_mode: zUpgradeMode,
-  upgrade_time_of_day: z.int(),
-})
-
-/**
- * PluginAutoUpgradeFetchResponse
- */
-export const zPluginAutoUpgradeFetchResponse = z.object({
-  auto_upgrade: zPluginAutoUpgradeSettingsResponseModel,
-  category: zPluginCategory,
+  permission: zPluginPermissionSettingsPayload,
 })

 /**
@ -1350,30 +1318,6 @@ export const zGetWorkspacesCurrentPluginAssetQuery = z.object({
 */
 export const zGetWorkspacesCurrentPluginAssetResponse = z.record(z.string(), z.unknown())

-export const zPostWorkspacesCurrentPluginAutoUpgradeChangeBody = zParserAutoUpgradeChange
-
-/**
- * Success
- */
-export const zPostWorkspacesCurrentPluginAutoUpgradeChangeResponse
-  = zPluginAutoUpgradeChangeResponse
-
-export const zPostWorkspacesCurrentPluginAutoUpgradeExcludeBody = zParserExcludePlugin
-
-/**
- * Success
- */
-export const zPostWorkspacesCurrentPluginAutoUpgradeExcludeResponse = zSuccessResponse
-
-export const zGetWorkspacesCurrentPluginAutoUpgradeFetchQuery = z.object({
-  category: z.string(),
-})
-
-/**
- * Success
- */
-export const zGetWorkspacesCurrentPluginAutoUpgradeFetchResponse = zPluginAutoUpgradeFetchResponse
-
 /**
 * Success
 */
@ -1501,6 +1445,31 @@ export const zPostWorkspacesCurrentPluginPermissionChangeResponse = zSuccessResp
 */
 export const zGetWorkspacesCurrentPluginPermissionFetchResponse = z.record(z.string(), z.unknown())

+export const zPostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeBody = zParserExcludePlugin
+
+/**
+ * Success
+ */
+export const zPostWorkspacesCurrentPluginPreferencesAutoupgradeExcludeResponse = z.record(
+  z.string(),
+  z.unknown(),
+)
+
+export const zPostWorkspacesCurrentPluginPreferencesChangeBody = zParserPreferencesChange
+
+/**
+ * Success
+ */
+export const zPostWorkspacesCurrentPluginPreferencesChangeResponse = z.record(
+  z.string(),
+  z.unknown(),
+)
+
+/**
+ * Success
+ */
+export const zGetWorkspacesCurrentPluginPreferencesFetchResponse = z.record(z.string(), z.unknown())
+
 export const zGetWorkspacesCurrentPluginReadmeQuery = z.object({
  language: z.string().optional().default('en-US'),
  plugin_unique_identifier: z.string(),
--- a/packages/dify-ui/src/styles/utilities.css
+++ b/packages/dify-ui/src/styles/utilities.css
@ -265,12 +265,6 @@
  line-height: 1.2;
 }

-@utility title-5xl-semi-bold {
-  font-size: 30px;
-  font-weight: 600;
-  line-height: 1.2;
-}
-
@utility title-5xl-bold {
  font-size: 30px;
  font-weight: 700;
--- a/packages/iconify-collections/README.md
+++ b/packages/iconify-collections/README.md
@ -1,43 +0,0 @@
-# @dify/iconify-collections
-
-Pre-generated Iconify collections for Dify custom SVG icons. The web app imports these collections from this package so Tailwind does not need to scan and build custom SVG icon data from the old `web/app/components/base/icons/src` tree during dev startup.
-
-## Adding Custom SVG Icons
-
-Add new SVG source files under one of these directories:
-
- `assets/public/...` for multi-color or public brand-like icons.
- `assets/vender/...` for UI vendor icons that should render with `currentColor`.
-
-After adding or changing SVG files, regenerate the packaged collections:
-
-```bash
-pnpm --filter @dify/iconify-collections generate
-```
-
-Then run the dimension guard:
-
-```bash
-pnpm --filter @dify/iconify-collections check:dimensions
-```
-
-This protects existing icon groups with layout-sensitive intrinsic sizes, such as the `main-nav-*` icons that must remain `20x20` after collection flattening.
-
-Commit both the SVG source files and the generated package files under `custom-public/` or `custom-vender/`.
-Restart the web dev server after regenerating icons. Tailwind loads this plugin collection at startup, so an already-running dev server may not render newly-added `i-custom-*` classes until it restarts.
-
-Use the generated icons through Tailwind icon classes in frontend code. For example:
-
-```text
-assets/vender/integrations/mcp.svg
-```
-
-becomes:
-
-```tsx
-<span aria-hidden className="i-custom-vender-integrations-mcp size-4" />
-```
-
-Do not add new generated React icon components or JSON files under `web/app/components/base/icons/src/...` for new custom SVG icons. That path is legacy; new custom icons should flow through this package and be consumed as `i-custom-*` classes.
-
-When reviewing generated `icons.json` diffs, check that unrelated existing icon groups did not lose or change their intrinsic `width` and `height`. If a group is layout-sensitive, add it to `scripts/check-icon-dimensions.ts`.
--- a/packages/iconify-collections/assets/vender/integrations/agent-strategy-active.svg
+++ b/packages/iconify-collections/assets/vender/integrations/agent-strategy-active.svg
@ -1,3 +0,0 @@
-<svg preserveAspectRatio="none" width="100%" height="100%" overflow="visible" style="display: block;" viewBox="0 0 15.3333 14.6667" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path id="Vector" d="M13.1423 4.75207L12.9779 5.12919C12.8576 5.40528 12.4757 5.40528 12.3554 5.12919L12.1911 4.75207C11.8981 4.07965 11.3703 3.54427 10.7118 3.25139L10.2053 3.02615C9.93153 2.90435 9.93153 2.50587 10.2053 2.38408L10.6835 2.17143C11.3589 1.87101 11.8961 1.31582 12.1841 0.620552L12.3529 0.213023C12.4705 -0.0710075 12.8628 -0.0710075 12.9804 0.213023L13.1492 0.620552C13.4372 1.31582 13.9744 1.87101 14.6499 2.17143L15.1279 2.38408C15.4018 2.50587 15.4018 2.90435 15.1279 3.02615L14.6215 3.25139C13.963 3.54427 13.4353 4.07965 13.1423 4.75207ZM5.33333 1.33333C8.045 1.33333 10.284 3.35708 10.6225 5.97663L12.1228 8.3358C12.2216 8.49113 12.2017 8.72313 11.9729 8.82113L10.6667 9.38067V11.3333C10.6667 12.0697 10.0697 12.6667 9.33333 12.6667H8.00067L8 14.6667H2L2.00017 12.2041C2.00022 11.4168 1.70901 10.6725 1.17033 10.0007C0.438047 9.08753 0 7.92827 0 6.66667C0 3.72115 2.38781 1.33333 5.33333 1.33333ZM13.4357 12.0683L12.3262 11.3286C12.9624 10.3761 13.3333 9.2314 13.3333 8.00007C13.3333 7.65933 13.3049 7.3252 13.2504 7L14.5457 6.66667C14.6252 7.09907 14.6667 7.54467 14.6667 8.00007C14.6667 9.50507 14.2133 10.9041 13.4357 12.0683Z" fill="var(--fill-0, #18222F)"/>
-</svg>
--- a/packages/iconify-collections/assets/vender/integrations/agent-strategy.svg
+++ b/packages/iconify-collections/assets/vender/integrations/agent-strategy.svg
@ -1,3 +0,0 @@
-<svg preserveAspectRatio="none" width="100%" height="100%" overflow="visible" style="display: block;" viewBox="0 0 15.3333 14.6667" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path id="Vector" d="M13.1423 4.75207L12.9779 5.12919C12.8576 5.40528 12.4757 5.40528 12.3554 5.12919L12.1911 4.75207C11.8981 4.07965 11.3703 3.54427 10.7118 3.25139L10.2053 3.02615C9.93153 2.90435 9.93153 2.50587 10.2053 2.38408L10.6835 2.17143C11.3589 1.87101 11.8961 1.31582 12.1841 0.620552L12.3529 0.213023C12.4705 -0.0710075 12.8628 -0.0710075 12.9804 0.213023L13.1492 0.620552C13.4372 1.31582 13.9744 1.87101 14.6499 2.17143L15.1279 2.38408C15.4018 2.50587 15.4018 2.90435 15.1279 3.02615L14.6215 3.25139C13.963 3.54427 13.4353 4.07965 13.1423 4.75207ZM5.33333 1.33333C8.045 1.33333 10.284 3.35708 10.6225 5.97663L12.1228 8.3358C12.2216 8.49113 12.2017 8.72313 11.9729 8.82113L10.6667 9.38067V11.3333C10.6667 12.0697 10.0697 12.6667 9.33333 12.6667H8.00067L8 14.6667H2L2.00017 12.2041C2.00022 11.4168 1.70901 10.6725 1.17033 10.0007C0.438047 9.08753 0 7.92827 0 6.66667C0 3.72115 2.38781 1.33333 5.33333 1.33333ZM5.33333 2.66667C3.12419 2.66667 1.33333 4.45753 1.33333 6.66667C1.33333 7.58993 1.64545 8.46193 2.21052 9.1666C2.93977 10.076 3.33357 11.1115 3.3335 12.2042L3.33342 13.3333H6.66713L6.6678 11.3333H9.33333V8.50127L10.3665 8.05873L9.33813 6.44175L9.30007 6.14745C9.04433 4.16761 7.34953 2.66667 5.33333 2.66667ZM12.3262 11.3286L13.4357 12.0683C14.2133 10.9041 14.6667 9.50507 14.6667 8.00007C14.6667 7.54467 14.6252 7.09907 14.5457 6.66667L13.2504 7C13.3049 7.3252 13.3333 7.65933 13.3333 8.00007C13.3333 9.2314 12.9624 10.3761 12.3262 11.3286Z" fill="var(--fill-0, #495464)"/>
-</svg>
--- a/packages/iconify-collections/assets/vender/integrations/api-extension-active.svg
+++ b/packages/iconify-collections/assets/vender/integrations/api-extension-active.svg
@ -1,10 +0,0 @@
-<svg preserveAspectRatio="none" width="100%" height="100%" overflow="visible" style="display: block;" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g id="Icon">
-<g id="Vector">
-<path d="M5.92578 11.0095C5.92578 10.0175 5.12163 9.21267 4.12956 9.21267C3.13752 9.21271 2.33333 10.0175 2.33333 11.0095C2.33349 12.0015 3.13762 12.8057 4.12956 12.8058C5.12153 12.8058 5.92562 12.0015 5.92578 11.0095ZM13.6667 11.0095C13.6667 10.0175 12.8625 9.21271 11.8704 9.21267C10.8784 9.21267 10.0742 10.0175 10.0742 11.0095C10.0744 12.0015 10.8785 12.8058 11.8704 12.8058C12.8624 12.8057 13.6665 12.0015 13.6667 11.0095ZM9.79622 4.324C9.79619 3.33197 8.99205 2.52778 8 2.52778C7.00795 2.52778 6.20382 3.33197 6.20378 4.324C6.20378 5.31607 7.00793 6.12023 8 6.12023C8.99207 6.12023 9.79622 5.31607 9.79622 4.324ZM11.1296 4.324C11.1296 5.82362 10.0748 7.07639 8.66667 7.38194V7.9197L9.74284 8.71398C10.3012 8.19618 11.0489 7.87934 11.8704 7.87934C13.5989 7.87938 15 9.28112 15 11.0095C14.9998 12.7378 13.5988 14.1391 11.8704 14.1391C10.1421 14.1391 8.74104 12.7379 8.74089 11.0095C8.74089 10.5838 8.82585 10.1777 8.97982 9.80772L8 9.08377L7.01953 9.80772C7.17356 10.1778 7.25911 10.5837 7.25911 11.0095C7.25896 12.7379 5.85791 14.1391 4.12956 14.1391C2.40124 14.1391 1.00016 12.7378 1 11.0095C1 9.28112 2.40114 7.87938 4.12956 7.87934C4.95094 7.87934 5.69819 8.19637 6.25651 8.71398L7.33333 7.9197V7.38194C5.92523 7.07639 4.87044 5.82362 4.87044 4.324C4.87048 2.59559 6.27158 1.19444 8 1.19444C9.72842 1.19444 11.1295 2.59559 11.1296 4.324Z" fill="var(--fill-0, #18222F)"/>
-<path d="M9.79622 4.324C9.79619 3.33197 8.99205 2.52778 8 2.52778C7.00795 2.52778 6.20382 3.33197 6.20378 4.324C6.20378 5.31607 7.00793 6.12023 8 6.12023C8.99207 6.12023 9.79622 5.31607 9.79622 4.324Z" fill="var(--fill-0, #18222F)"/>
-<path d="M5.92578 11.0095C5.92578 10.0175 5.12163 9.21267 4.12956 9.21267C3.13752 9.21271 2.33333 10.0175 2.33333 11.0095C2.33349 12.0015 3.13762 12.8057 4.12956 12.8058C5.12153 12.8058 5.92562 12.0015 5.92578 11.0095Z" fill="var(--fill-0, #18222F)"/>
-<path d="M13.6667 11.0095C13.6667 10.0175 12.8625 9.21271 11.8704 9.21267C10.8784 9.21267 10.0742 10.0175 10.0742 11.0095C10.0744 12.0015 10.8785 12.8058 11.8704 12.8058C12.8624 12.8057 13.6665 12.0015 13.6667 11.0095Z" fill="var(--fill-0, #18222F)"/>
-</g>
-</g>
-</svg>
--- a/Show More
+++ b/Show More