test: add comprehensive tests for TemplateCard and Details components in CreateFromPipeline feature

test: add comprehensive tests for List component in CreateFromPipeline feature
Merge remote-tracking branch 'origin/main' into feat/document-test
2026-02-09 01:33:59 +00:00 · 2025-12-16 15:14:48 +08:00 · 2025-12-16 14:43:05 +08:00 · 2025-12-16 14:38:17 +08:00 · 2025-12-16 14:21:05 +08:00 · 2025-12-16 14:19:33 +08:00
958 changed files with 62299 additions and 20200 deletions
--- a/.claude/skills/frontend-testing/CHECKLIST.md
+++ b/.claude/skills/frontend-testing/CHECKLIST.md
@@ -0,0 +1,205 @@
 # Test Generation Checklist
 Use this checklist when generating or reviewing tests for Dify frontend components.
 ## Pre-Generation
 - [ ] Read the component source code completely
 - [ ] Identify component type (component, hook, utility, page)
 - [ ] Run `pnpm analyze-component <path>` if available
 - [ ] Note complexity score and features detected
 - [ ] Check for existing tests in the same directory
 - [ ] **Identify ALL files in the directory** that need testing (not just index)
 ## Testing Strategy
 ### ⚠️ Incremental Workflow (CRITICAL for Multi-File)
 - [ ] **NEVER generate all tests at once** - process one file at a time
 - [ ] Order files by complexity: utilities → hooks → simple → complex → integration
 - [ ] Create a todo list to track progress before starting
 - [ ] For EACH file: write → run test → verify pass → then next
 - [ ] **DO NOT proceed** to next file until current one passes
 ### Path-Level Coverage
 - [ ] **Test ALL files** in the assigned directory/path
 - [ ] List all components, hooks, utilities that need coverage
 - [ ] Decide: single spec file (integration) or multiple spec files (unit)
 ### Complexity Assessment
 - [ ] Run `pnpm analyze-component <path>` for complexity score
 - [ ] **Complexity > 50**: Consider refactoring before testing
 - [ ] **500+ lines**: Consider splitting before testing
 - [ ] **30-50 complexity**: Use multiple describe blocks, organized structure
 ### Integration vs Mocking
 - [ ] **DO NOT mock base components** (`Loading`, `Button`, `Tooltip`, etc.)
 - [ ] Import real project components instead of mocking
 - [ ] Only mock: API calls, complex context providers, third-party libs with side effects
 - [ ] Prefer integration testing when using single spec file
 ## Required Test Sections
 ### All Components MUST Have
 - [ ] **Rendering tests** - Component renders without crashing
 - [ ] **Props tests** - Required props, optional props, default values
 - [ ] **Edge cases** - null, undefined, empty values, boundaries
 ### Conditional Sections (Add When Feature Present)
 | Feature | Add Tests For |
 |---------|---------------|
 | `useState` | Initial state, transitions, cleanup |
 | `useEffect` | Execution, dependencies, cleanup |
 | Event handlers | onClick, onChange, onSubmit, keyboard |
 | API calls | Loading, success, error states |
 | Routing | Navigation, params, query strings |
 | `useCallback`/`useMemo` | Referential equality |
 | Context | Provider values, consumer behavior |
 | Forms | Validation, submission, error display |
 ## Code Quality Checklist
 ### Structure
 - [ ] Uses `describe` blocks to group related tests
 - [ ] Test names follow `should <behavior> when <condition>` pattern
 - [ ] AAA pattern (Arrange-Act-Assert) is clear
 - [ ] Comments explain complex test scenarios
 ### Mocks
 - [ ] **DO NOT mock base components** (`@/app/components/base/*`)
 - [ ] `jest.clearAllMocks()` in `beforeEach` (not `afterEach`)
 - [ ] Shared mock state reset in `beforeEach`
 - [ ] i18n uses shared mock (auto-loaded); only override locally for custom translations
 - [ ] Router mocks match actual Next.js API
 - [ ] Mocks reflect actual component conditional behavior
 - [ ] Only mock: API services, complex context providers, third-party libs
 ### Queries
 - [ ] Prefer semantic queries (`getByRole`, `getByLabelText`)
 - [ ] Use `queryBy*` for absence assertions
 - [ ] Use `findBy*` for async elements
 - [ ] `getByTestId` only as last resort
 ### Async
 - [ ] All async tests use `async/await`
 - [ ] `waitFor` wraps async assertions
 - [ ] Fake timers properly setup/teardown
 - [ ] No floating promises
 ### TypeScript
 - [ ] No `any` types without justification
 - [ ] Mock data uses actual types from source
 - [ ] Factory functions have proper return types
 ## Coverage Goals (Per File)
 For the current file being tested:
 - [ ] 100% function coverage
 - [ ] 100% statement coverage
 - [ ] >95% branch coverage
 - [ ] >95% line coverage
 ## Post-Generation (Per File)
 **Run these checks after EACH test file, not just at the end:**
 - [ ] Run `pnpm test -- path/to/file.spec.tsx` - **MUST PASS before next file**
 - [ ] Fix any failures immediately
 - [ ] Mark file as complete in todo list
 - [ ] Only then proceed to next file
 ### After All Files Complete
 - [ ] Run full directory test: `pnpm test -- path/to/directory/`
 - [ ] Check coverage report: `pnpm test -- --coverage`
 - [ ] Run `pnpm lint:fix` on all test files
 - [ ] Run `pnpm type-check:tsgo`
 ## Common Issues to Watch
 ### False Positives
 ```typescript
 // ❌ Mock doesn't match actual behavior
 jest.mock('./Component', () => () => <div>Mocked</div>)
 // ✅ Mock matches actual conditional logic
 jest.mock('./Component', () => ({ isOpen }: any) =>
  isOpen ? <div>Content</div> : null
 )
 ```
 ### State Leakage
 ```typescript
 // ❌ Shared state not reset
 let mockState = false
 jest.mock('./useHook', () => () => mockState)
 // ✅ Reset in beforeEach
 beforeEach(() => {
  mockState = false
 })
 ```
 ### Async Race Conditions
 ```typescript
 // ❌ Not awaited
 it('loads data', () => {
  render(<Component />)
  expect(screen.getByText('Data')).toBeInTheDocument()
 })
 // ✅ Properly awaited
 it('loads data', async () => {
  render(<Component />)
  await waitFor(() => {
    expect(screen.getByText('Data')).toBeInTheDocument()
  })
 })
 ```
 ### Missing Edge Cases
 Always test these scenarios:
 - `null` / `undefined` inputs
 - Empty strings / arrays / objects
 - Boundary values (0, -1, MAX_INT)
 - Error states
 - Loading states
 - Disabled states
 ## Quick Commands
 ```bash
 # Run specific test
 pnpm test -- path/to/file.spec.tsx
 # Run with coverage
 pnpm test -- --coverage path/to/file.spec.tsx
 # Watch mode
 pnpm test -- --watch path/to/file.spec.tsx
 # Update snapshots (use sparingly)
 pnpm test -- -u path/to/file.spec.tsx
 # Analyze component
 pnpm analyze-component path/to/component.tsx
 # Review existing test
 pnpm analyze-component path/to/component.tsx --review
 ```
--- a/.claude/skills/frontend-testing/SKILL.md
+++ b/.claude/skills/frontend-testing/SKILL.md
@@ -0,0 +1,321 @@
 ---
 name: Dify Frontend Testing
 description: Generate Jest + React Testing Library tests for Dify frontend components, hooks, and utilities. Triggers on testing, spec files, coverage, Jest, RTL, unit tests, integration tests, or write/review test requests.
 ---
 # Dify Frontend Testing Skill
 This skill enables Claude to generate high-quality, comprehensive frontend tests for the Dify project following established conventions and best practices.
 > **⚠️ Authoritative Source**: This skill is derived from `web/testing/testing.md`. When in doubt, always refer to that document as the canonical specification.
 ## When to Apply This Skill
 Apply this skill when the user:
 - Asks to **write tests** for a component, hook, or utility
 - Asks to **review existing tests** for completeness
 - Mentions **Jest**, **React Testing Library**, **RTL**, or **spec files**
 - Requests **test coverage** improvement
 - Uses `pnpm analyze-component` output as context
 - Mentions **testing**, **unit tests**, or **integration tests** for frontend code
 - Wants to understand **testing patterns** in the Dify codebase
 **Do NOT apply** when:
 - User is asking about backend/API tests (Python/pytest)
 - User is asking about E2E tests (Playwright/Cypress)
 - User is only asking conceptual questions without code context
 ## Quick Reference
 ### Tech Stack
 | Tool | Version | Purpose |
 |------|---------|---------|
 | Jest | 29.7 | Test runner |
 | React Testing Library | 16.0 | Component testing |
 | happy-dom | - | Test environment |
 | nock | 14.0 | HTTP mocking |
 | TypeScript | 5.x | Type safety |
 ### Key Commands
 ```bash
 # Run all tests
 pnpm test
 # Watch mode
 pnpm test -- --watch
 # Run specific file
 pnpm test -- path/to/file.spec.tsx
 # Generate coverage report
 pnpm test -- --coverage
 # Analyze component complexity
 pnpm analyze-component <path>
 # Review existing test
 pnpm analyze-component <path> --review
 ```
 ### File Naming
 - Test files: `ComponentName.spec.tsx` (same directory as component)
 - Integration tests: `web/__tests__/` directory
 ## Test Structure Template
 ```typescript
 import { render, screen, fireEvent, waitFor } from '@testing-library/react'
 import Component from './index'
 // ✅ Import real project components (DO NOT mock these)
 // import Loading from '@/app/components/base/loading'
 // import { ChildComponent } from './child-component'
 // ✅ Mock external dependencies only
 jest.mock('@/service/api')
 jest.mock('next/navigation', () => ({
  useRouter: () => ({ push: jest.fn() }),
  usePathname: () => '/test',
 }))
 // Shared state for mocks (if needed)
 let mockSharedState = false
 describe('ComponentName', () => {
  beforeEach(() => {
    jest.clearAllMocks()  // ✅ Reset mocks BEFORE each test
    mockSharedState = false  // ✅ Reset shared state
  })
  // Rendering tests (REQUIRED)
  describe('Rendering', () => {
    it('should render without crashing', () => {
      // Arrange
      const props = { title: 'Test' }
      // Act
      render(<Component {...props} />)
      // Assert
      expect(screen.getByText('Test')).toBeInTheDocument()
    })
  })
  // Props tests (REQUIRED)
  describe('Props', () => {
    it('should apply custom className', () => {
      render(<Component className="custom" />)
      expect(screen.getByRole('button')).toHaveClass('custom')
    })
  })
  // User Interactions
  describe('User Interactions', () => {
    it('should handle click events', () => {
      const handleClick = jest.fn()
      render(<Component onClick={handleClick} />)
      fireEvent.click(screen.getByRole('button'))
      expect(handleClick).toHaveBeenCalledTimes(1)
    })
  })
  // Edge Cases (REQUIRED)
  describe('Edge Cases', () => {
    it('should handle null data', () => {
      render(<Component data={null} />)
      expect(screen.getByText(/no data/i)).toBeInTheDocument()
    })
    it('should handle empty array', () => {
      render(<Component items={[]} />)
      expect(screen.getByText(/empty/i)).toBeInTheDocument()
    })
  })
 })
 ```
 ## Testing Workflow (CRITICAL)
 ### ⚠️ Incremental Approach Required
 **NEVER generate all test files at once.** For complex components or multi-file directories:
 1. **Analyze & Plan**: List all files, order by complexity (simple → complex)
 1. **Process ONE at a time**: Write test → Run test → Fix if needed → Next
 1. **Verify before proceeding**: Do NOT continue to next file until current passes
 ```
 For each file:
  ┌────────────────────────────────────────┐
  │ 1. Write test                          │
  │ 2. Run: pnpm test -- <file>.spec.tsx   │
  │ 3. PASS? → Mark complete, next file    │
  │    FAIL? → Fix first, then continue    │
  └────────────────────────────────────────┘
 ```
 ### Complexity-Based Order
 Process in this order for multi-file testing:
 1. 🟢 Utility functions (simplest)
 1. 🟢 Custom hooks
 1. 🟡 Simple components (presentational)
 1. 🟡 Medium components (state, effects)
 1. 🔴 Complex components (API, routing)
 1. 🔴 Integration tests (index files - last)
 ### When to Refactor First
 - **Complexity > 50**: Break into smaller pieces before testing
 - **500+ lines**: Consider splitting before testing
 - **Many dependencies**: Extract logic into hooks first
 > 📖 See `guides/workflow.md` for complete workflow details and todo list format.
 ## Testing Strategy
 ### Path-Level Testing (Directory Testing)
 When assigned to test a directory/path, test **ALL content** within that path:
 - Test all components, hooks, utilities in the directory (not just `index` file)
 - Use incremental approach: one file at a time, verify each before proceeding
 - Goal: 100% coverage of ALL files in the directory
 ### Integration Testing First
 **Prefer integration testing** when writing tests for a directory:
 - ✅ **Import real project components** directly (including base components and siblings)
 - ✅ **Only mock**: API services (`@/service/*`), `next/navigation`, complex context providers
 - ❌ **DO NOT mock** base components (`@/app/components/base/*`)
 - ❌ **DO NOT mock** sibling/child components in the same directory
 > See [Test Structure Template](#test-structure-template) for correct import/mock patterns.
 ## Core Principles
 ### 1. AAA Pattern (Arrange-Act-Assert)
 Every test should clearly separate:
 - **Arrange**: Setup test data and render component
 - **Act**: Perform user actions
 - **Assert**: Verify expected outcomes
 ### 2. Black-Box Testing
 - Test observable behavior, not implementation details
 - Use semantic queries (getByRole, getByLabelText)
 - Avoid testing internal state directly
 - **Prefer pattern matching over hardcoded strings** in assertions:
 ```typescript
 // ❌ Avoid: hardcoded text assertions
 expect(screen.getByText('Loading...')).toBeInTheDocument()
 // ✅ Better: role-based queries
 expect(screen.getByRole('status')).toBeInTheDocument()
 // ✅ Better: pattern matching
 expect(screen.getByText(/loading/i)).toBeInTheDocument()
 ```
 ### 3. Single Behavior Per Test
 Each test verifies ONE user-observable behavior:
 ```typescript
 // ✅ Good: One behavior
 it('should disable button when loading', () => {
  render(<Button loading />)
  expect(screen.getByRole('button')).toBeDisabled()
 })
 // ❌ Bad: Multiple behaviors
 it('should handle loading state', () => {
  render(<Button loading />)
  expect(screen.getByRole('button')).toBeDisabled()
  expect(screen.getByText('Loading...')).toBeInTheDocument()
  expect(screen.getByRole('button')).toHaveClass('loading')
 })
 ```
 ### 4. Semantic Naming
 Use `should <behavior> when <condition>`:
 ```typescript
 it('should show error message when validation fails')
 it('should call onSubmit when form is valid')
 it('should disable input when isReadOnly is true')
 ```
 ## Required Test Scenarios
 ### Always Required (All Components)
 1. **Rendering**: Component renders without crashing
 1. **Props**: Required props, optional props, default values
 1. **Edge Cases**: null, undefined, empty values, boundary conditions
 ### Conditional (When Present)
 | Feature | Test Focus |
 |---------|-----------|
 | `useState` | Initial state, transitions, cleanup |
 | `useEffect` | Execution, dependencies, cleanup |
 | Event handlers | All onClick, onChange, onSubmit, keyboard |
 | API calls | Loading, success, error states |
 | Routing | Navigation, params, query strings |
 | `useCallback`/`useMemo` | Referential equality |
 | Context | Provider values, consumer behavior |
 | Forms | Validation, submission, error display |
 ## Coverage Goals (Per File)
 For each test file generated, aim for:
 - ✅ **100%** function coverage
 - ✅ **100%** statement coverage
 - ✅ **>95%** branch coverage
 - ✅ **>95%** line coverage
 > **Note**: For multi-file directories, process one file at a time with full coverage each. See `guides/workflow.md`.
 ## Detailed Guides
 For more detailed information, refer to:
 - `guides/workflow.md` - **Incremental testing workflow** (MUST READ for multi-file testing)
 - `guides/mocking.md` - Mock patterns and best practices
 - `guides/async-testing.md` - Async operations and API calls
 - `guides/domain-components.md` - Workflow, Dataset, Configuration testing
 - `guides/common-patterns.md` - Frequently used testing patterns
 ## Authoritative References
 ### Primary Specification (MUST follow)
 - **`web/testing/testing.md`** - The canonical testing specification. This skill is derived from this document.
 ### Reference Examples in Codebase
 - `web/utils/classnames.spec.ts` - Utility function tests
 - `web/app/components/base/button/index.spec.tsx` - Component tests
 - `web/__mocks__/provider-context.ts` - Mock factory example
 ### Project Configuration
 - `web/jest.config.ts` - Jest configuration
 - `web/jest.setup.ts` - Test environment setup
 - `web/testing/analyze-component.js` - Component analysis tool
 - `web/__mocks__/react-i18next.ts` - Shared i18n mock (auto-loaded by Jest, no explicit mock needed; override locally only for custom translations)
--- a/.claude/skills/frontend-testing/guides/async-testing.md
+++ b/.claude/skills/frontend-testing/guides/async-testing.md
@@ -0,0 +1,345 @@
 # Async Testing Guide
 ## Core Async Patterns
 ### 1. waitFor - Wait for Condition
 ```typescript
 import { render, screen, waitFor } from '@testing-library/react'
 it('should load and display data', async () => {
  render(<DataComponent />)
  // Wait for element to appear
  await waitFor(() => {
    expect(screen.getByText('Loaded Data')).toBeInTheDocument()
  })
 })
 it('should hide loading spinner after load', async () => {
  render(<DataComponent />)
  // Wait for element to disappear
  await waitFor(() => {
    expect(screen.queryByText('Loading...')).not.toBeInTheDocument()
  })
 })
 ```
 ### 2. findBy\* - Async Queries
 ```typescript
 it('should show user name after fetch', async () => {
  render(<UserProfile />)
  // findBy returns a promise, auto-waits up to 1000ms
  const userName = await screen.findByText('John Doe')
  expect(userName).toBeInTheDocument()
  // findByRole with options
  const button = await screen.findByRole('button', { name: /submit/i })
  expect(button).toBeEnabled()
 })
 ```
 ### 3. userEvent for Async Interactions
 ```typescript
 import userEvent from '@testing-library/user-event'
 it('should submit form', async () => {
  const user = userEvent.setup()
  const onSubmit = jest.fn()
  render(<Form onSubmit={onSubmit} />)
  // userEvent methods are async
  await user.type(screen.getByLabelText('Email'), 'test@example.com')
  await user.click(screen.getByRole('button', { name: /submit/i }))
  await waitFor(() => {
    expect(onSubmit).toHaveBeenCalledWith({ email: 'test@example.com' })
  })
 })
 ```
 ## Fake Timers
 ### When to Use Fake Timers
 - Testing components with `setTimeout`/`setInterval`
 - Testing debounce/throttle behavior
 - Testing animations or delayed transitions
 - Testing polling or retry logic
 ### Basic Fake Timer Setup
 ```typescript
 describe('Debounced Search', () => {
  beforeEach(() => {
    jest.useFakeTimers()
  })
  afterEach(() => {
    jest.useRealTimers()
  })
  it('should debounce search input', async () => {
    const onSearch = jest.fn()
    render(<SearchInput onSearch={onSearch} debounceMs={300} />)
    // Type in the input
    fireEvent.change(screen.getByRole('textbox'), { target: { value: 'query' } })
    // Search not called immediately
    expect(onSearch).not.toHaveBeenCalled()
    // Advance timers
    jest.advanceTimersByTime(300)
    // Now search is called
    expect(onSearch).toHaveBeenCalledWith('query')
  })
 })
 ```
 ### Fake Timers with Async Code
 ```typescript
 it('should retry on failure', async () => {
  jest.useFakeTimers()
  const fetchData = jest.fn()
    .mockRejectedValueOnce(new Error('Network error'))
    .mockResolvedValueOnce({ data: 'success' })
  render(<RetryComponent fetchData={fetchData} retryDelayMs={1000} />)
  // First call fails
  await waitFor(() => {
    expect(fetchData).toHaveBeenCalledTimes(1)
  })
  // Advance timer for retry
  jest.advanceTimersByTime(1000)
  // Second call succeeds
  await waitFor(() => {
    expect(fetchData).toHaveBeenCalledTimes(2)
    expect(screen.getByText('success')).toBeInTheDocument()
  })
  jest.useRealTimers()
 })
 ```
 ### Common Fake Timer Utilities
 ```typescript
 // Run all pending timers
 jest.runAllTimers()
 // Run only pending timers (not new ones created during execution)
 jest.runOnlyPendingTimers()
 // Advance by specific time
 jest.advanceTimersByTime(1000)
 // Get current fake time
 jest.now()
 // Clear all timers
 jest.clearAllTimers()
 ```
 ## API Testing Patterns
 ### Loading → Success → Error States
 ```typescript
 describe('DataFetcher', () => {
  beforeEach(() => {
    jest.clearAllMocks()
  })
  it('should show loading state', () => {
    mockedApi.fetchData.mockImplementation(() => new Promise(() => {})) // Never resolves
    render(<DataFetcher />)
    expect(screen.getByTestId('loading-spinner')).toBeInTheDocument()
  })
  it('should show data on success', async () => {
    mockedApi.fetchData.mockResolvedValue({ items: ['Item 1', 'Item 2'] })
    render(<DataFetcher />)
    // Use findBy* for multiple async elements (better error messages than waitFor with multiple assertions)
    const item1 = await screen.findByText('Item 1')
    const item2 = await screen.findByText('Item 2')
    expect(item1).toBeInTheDocument()
    expect(item2).toBeInTheDocument()
    expect(screen.queryByTestId('loading-spinner')).not.toBeInTheDocument()
  })
  it('should show error on failure', async () => {
    mockedApi.fetchData.mockRejectedValue(new Error('Failed to fetch'))
    render(<DataFetcher />)
    await waitFor(() => {
      expect(screen.getByText(/failed to fetch/i)).toBeInTheDocument()
    })
  })
  it('should retry on error', async () => {
    mockedApi.fetchData.mockRejectedValue(new Error('Network error'))
    render(<DataFetcher />)
    await waitFor(() => {
      expect(screen.getByRole('button', { name: /retry/i })).toBeInTheDocument()
    })
    mockedApi.fetchData.mockResolvedValue({ items: ['Item 1'] })
    fireEvent.click(screen.getByRole('button', { name: /retry/i }))
    await waitFor(() => {
      expect(screen.getByText('Item 1')).toBeInTheDocument()
    })
  })
 })
 ```
 ### Testing Mutations
 ```typescript
 it('should submit form and show success', async () => {
  const user = userEvent.setup()
  mockedApi.createItem.mockResolvedValue({ id: '1', name: 'New Item' })
  render(<CreateItemForm />)
  await user.type(screen.getByLabelText('Name'), 'New Item')
  await user.click(screen.getByRole('button', { name: /create/i }))
  // Button should be disabled during submission
  expect(screen.getByRole('button', { name: /creating/i })).toBeDisabled()
  await waitFor(() => {
    expect(screen.getByText(/created successfully/i)).toBeInTheDocument()
  })
  expect(mockedApi.createItem).toHaveBeenCalledWith({ name: 'New Item' })
 })
 ```
 ## useEffect Testing
 ### Testing Effect Execution
 ```typescript
 it('should fetch data on mount', async () => {
  const fetchData = jest.fn().mockResolvedValue({ data: 'test' })
  render(<ComponentWithEffect fetchData={fetchData} />)
  await waitFor(() => {
    expect(fetchData).toHaveBeenCalledTimes(1)
  })
 })
 ```
 ### Testing Effect Dependencies
 ```typescript
 it('should refetch when id changes', async () => {
  const fetchData = jest.fn().mockResolvedValue({ data: 'test' })
  const { rerender } = render(<ComponentWithEffect id="1" fetchData={fetchData} />)
  await waitFor(() => {
    expect(fetchData).toHaveBeenCalledWith('1')
  })
  rerender(<ComponentWithEffect id="2" fetchData={fetchData} />)
  await waitFor(() => {
    expect(fetchData).toHaveBeenCalledWith('2')
    expect(fetchData).toHaveBeenCalledTimes(2)
  })
 })
 ```
 ### Testing Effect Cleanup
 ```typescript
 it('should cleanup subscription on unmount', () => {
  const subscribe = jest.fn()
  const unsubscribe = jest.fn()
  subscribe.mockReturnValue(unsubscribe)
  const { unmount } = render(<SubscriptionComponent subscribe={subscribe} />)
  expect(subscribe).toHaveBeenCalledTimes(1)
  unmount()
  expect(unsubscribe).toHaveBeenCalledTimes(1)
 })
 ```
 ## Common Async Pitfalls
 ### ❌ Don't: Forget to await
 ```typescript
 // Bad - test may pass even if assertion fails
 it('should load data', () => {
  render(<Component />)
  waitFor(() => {
    expect(screen.getByText('Data')).toBeInTheDocument()
  })
 })
 // Good - properly awaited
 it('should load data', async () => {
  render(<Component />)
  await waitFor(() => {
    expect(screen.getByText('Data')).toBeInTheDocument()
  })
 })
 ```
 ### ❌ Don't: Use multiple assertions in single waitFor
 ```typescript
 // Bad - if first assertion fails, won't know about second
 await waitFor(() => {
  expect(screen.getByText('Title')).toBeInTheDocument()
  expect(screen.getByText('Description')).toBeInTheDocument()
 })
 // Good - separate waitFor or use findBy
 const title = await screen.findByText('Title')
 const description = await screen.findByText('Description')
 expect(title).toBeInTheDocument()
 expect(description).toBeInTheDocument()
 ```
 ### ❌ Don't: Mix fake timers with real async
 ```typescript
 // Bad - fake timers don't work well with real Promises
 jest.useFakeTimers()
 await waitFor(() => {
  expect(screen.getByText('Data')).toBeInTheDocument()
 }) // May timeout!
 // Good - use runAllTimers or advanceTimersByTime
 jest.useFakeTimers()
 render(<Component />)
 jest.runAllTimers()
 expect(screen.getByText('Data')).toBeInTheDocument()
 ```
--- a/.claude/skills/frontend-testing/guides/common-patterns.md
+++ b/.claude/skills/frontend-testing/guides/common-patterns.md
@@ -0,0 +1,449 @@
 # Common Testing Patterns
 ## Query Priority
 Use queries in this order (most to least preferred):
 ```typescript
 // 1. getByRole - Most recommended (accessibility)
 screen.getByRole('button', { name: /submit/i })
 screen.getByRole('textbox', { name: /email/i })
 screen.getByRole('heading', { level: 1 })
 // 2. getByLabelText - Form fields
 screen.getByLabelText('Email address')
 screen.getByLabelText(/password/i)
 // 3. getByPlaceholderText - When no label
 screen.getByPlaceholderText('Search...')
 // 4. getByText - Non-interactive elements
 screen.getByText('Welcome to Dify')
 screen.getByText(/loading/i)
 // 5. getByDisplayValue - Current input value
 screen.getByDisplayValue('current value')
 // 6. getByAltText - Images
 screen.getByAltText('Company logo')
 // 7. getByTitle - Tooltip elements
 screen.getByTitle('Close')
 // 8. getByTestId - Last resort only!
 screen.getByTestId('custom-element')
 ```
 ## Event Handling Patterns
 ### Click Events
 ```typescript
 // Basic click
 fireEvent.click(screen.getByRole('button'))
 // With userEvent (preferred for realistic interaction)
 const user = userEvent.setup()
 await user.click(screen.getByRole('button'))
 // Double click
 await user.dblClick(screen.getByRole('button'))
 // Right click
 await user.pointer({ keys: '[MouseRight]', target: screen.getByRole('button') })
 ```
 ### Form Input
 ```typescript
 const user = userEvent.setup()
 // Type in input
 await user.type(screen.getByRole('textbox'), 'Hello World')
 // Clear and type
 await user.clear(screen.getByRole('textbox'))
 await user.type(screen.getByRole('textbox'), 'New value')
 // Select option
 await user.selectOptions(screen.getByRole('combobox'), 'option-value')
 // Check checkbox
 await user.click(screen.getByRole('checkbox'))
 // Upload file
 const file = new File(['content'], 'test.pdf', { type: 'application/pdf' })
 await user.upload(screen.getByLabelText(/upload/i), file)
 ```
 ### Keyboard Events
 ```typescript
 const user = userEvent.setup()
 // Press Enter
 await user.keyboard('{Enter}')
 // Press Escape
 await user.keyboard('{Escape}')
 // Keyboard shortcut
 await user.keyboard('{Control>}a{/Control}') // Ctrl+A
 // Tab navigation
 await user.tab()
 // Arrow keys
 await user.keyboard('{ArrowDown}')
 await user.keyboard('{ArrowUp}')
 ```
 ## Component State Testing
 ### Testing State Transitions
 ```typescript
 describe('Counter', () => {
  it('should increment count', async () => {
    const user = userEvent.setup()
    render(<Counter initialCount={0} />)
    // Initial state
    expect(screen.getByText('Count: 0')).toBeInTheDocument()
    // Trigger transition
    await user.click(screen.getByRole('button', { name: /increment/i }))
    // New state
    expect(screen.getByText('Count: 1')).toBeInTheDocument()
  })
 })
 ```
 ### Testing Controlled Components
 ```typescript
 describe('ControlledInput', () => {
  it('should call onChange with new value', async () => {
    const user = userEvent.setup()
    const handleChange = jest.fn()
    render(<ControlledInput value="" onChange={handleChange} />)
    await user.type(screen.getByRole('textbox'), 'a')
    expect(handleChange).toHaveBeenCalledWith('a')
  })
  it('should display controlled value', () => {
    render(<ControlledInput value="controlled" onChange={jest.fn()} />)
    expect(screen.getByRole('textbox')).toHaveValue('controlled')
  })
 })
 ```
 ## Conditional Rendering Testing
 ```typescript
 describe('ConditionalComponent', () => {
  it('should show loading state', () => {
    render(<DataDisplay isLoading={true} data={null} />)
    expect(screen.getByText(/loading/i)).toBeInTheDocument()
    expect(screen.queryByTestId('data-content')).not.toBeInTheDocument()
  })
  it('should show error state', () => {
    render(<DataDisplay isLoading={false} data={null} error="Failed to load" />)
    expect(screen.getByText(/failed to load/i)).toBeInTheDocument()
  })
  it('should show data when loaded', () => {
    render(<DataDisplay isLoading={false} data={{ name: 'Test' }} />)
    expect(screen.getByText('Test')).toBeInTheDocument()
  })
  it('should show empty state when no data', () => {
    render(<DataDisplay isLoading={false} data={[]} />)
    expect(screen.getByText(/no data/i)).toBeInTheDocument()
  })
 })
 ```
 ## List Rendering Testing
 ```typescript
 describe('ItemList', () => {
  const items = [
    { id: '1', name: 'Item 1' },
    { id: '2', name: 'Item 2' },
    { id: '3', name: 'Item 3' },
  ]
  it('should render all items', () => {
    render(<ItemList items={items} />)
    expect(screen.getAllByRole('listitem')).toHaveLength(3)
    items.forEach(item => {
      expect(screen.getByText(item.name)).toBeInTheDocument()
    })
  })
  it('should handle item selection', async () => {
    const user = userEvent.setup()
    const onSelect = jest.fn()
    render(<ItemList items={items} onSelect={onSelect} />)
    await user.click(screen.getByText('Item 2'))
    expect(onSelect).toHaveBeenCalledWith(items[1])
  })
  it('should handle empty list', () => {
    render(<ItemList items={[]} />)
    expect(screen.getByText(/no items/i)).toBeInTheDocument()
  })
 })
 ```
 ## Modal/Dialog Testing
 ```typescript
 describe('Modal', () => {
  it('should not render when closed', () => {
    render(<Modal isOpen={false} onClose={jest.fn()} />)
    expect(screen.queryByRole('dialog')).not.toBeInTheDocument()
  })
  it('should render when open', () => {
    render(<Modal isOpen={true} onClose={jest.fn()} />)
    expect(screen.getByRole('dialog')).toBeInTheDocument()
  })
  it('should call onClose when clicking overlay', async () => {
    const user = userEvent.setup()
    const handleClose = jest.fn()
    render(<Modal isOpen={true} onClose={handleClose} />)
    await user.click(screen.getByTestId('modal-overlay'))
    expect(handleClose).toHaveBeenCalled()
  })
  it('should call onClose when pressing Escape', async () => {
    const user = userEvent.setup()
    const handleClose = jest.fn()
    render(<Modal isOpen={true} onClose={handleClose} />)
    await user.keyboard('{Escape}')
    expect(handleClose).toHaveBeenCalled()
  })
  it('should trap focus inside modal', async () => {
    const user = userEvent.setup()
    render(
      <Modal isOpen={true} onClose={jest.fn()}>
        <button>First</button>
        <button>Second</button>
      </Modal>
    )
    // Focus should cycle within modal
    await user.tab()
    expect(screen.getByText('First')).toHaveFocus()
    await user.tab()
    expect(screen.getByText('Second')).toHaveFocus()
    await user.tab()
    expect(screen.getByText('First')).toHaveFocus() // Cycles back
  })
 })
 ```
 ## Form Testing
 ```typescript
 describe('LoginForm', () => {
  it('should submit valid form', async () => {
    const user = userEvent.setup()
    const onSubmit = jest.fn()
    render(<LoginForm onSubmit={onSubmit} />)
    await user.type(screen.getByLabelText(/email/i), 'test@example.com')
    await user.type(screen.getByLabelText(/password/i), 'password123')
    await user.click(screen.getByRole('button', { name: /sign in/i }))
    expect(onSubmit).toHaveBeenCalledWith({
      email: 'test@example.com',
      password: 'password123',
    })
  })
  it('should show validation errors', async () => {
    const user = userEvent.setup()
    render(<LoginForm onSubmit={jest.fn()} />)
    // Submit empty form
    await user.click(screen.getByRole('button', { name: /sign in/i }))
    expect(screen.getByText(/email is required/i)).toBeInTheDocument()
    expect(screen.getByText(/password is required/i)).toBeInTheDocument()
  })
  it('should validate email format', async () => {
    const user = userEvent.setup()
    render(<LoginForm onSubmit={jest.fn()} />)
    await user.type(screen.getByLabelText(/email/i), 'invalid-email')
    await user.click(screen.getByRole('button', { name: /sign in/i }))
    expect(screen.getByText(/invalid email/i)).toBeInTheDocument()
  })
  it('should disable submit button while submitting', async () => {
    const user = userEvent.setup()
    const onSubmit = jest.fn(() => new Promise(resolve => setTimeout(resolve, 100)))
    render(<LoginForm onSubmit={onSubmit} />)
    await user.type(screen.getByLabelText(/email/i), 'test@example.com')
    await user.type(screen.getByLabelText(/password/i), 'password123')
    await user.click(screen.getByRole('button', { name: /sign in/i }))
    expect(screen.getByRole('button', { name: /signing in/i })).toBeDisabled()
    await waitFor(() => {
      expect(screen.getByRole('button', { name: /sign in/i })).toBeEnabled()
    })
  })
 })
 ```
 ## Data-Driven Tests with test.each
 ```typescript
 describe('StatusBadge', () => {
  test.each([
    ['success', 'bg-green-500'],
    ['warning', 'bg-yellow-500'],
    ['error', 'bg-red-500'],
    ['info', 'bg-blue-500'],
  ])('should apply correct class for %s status', (status, expectedClass) => {
    render(<StatusBadge status={status} />)
    expect(screen.getByTestId('status-badge')).toHaveClass(expectedClass)
  })
  test.each([
    { input: null, expected: 'Unknown' },
    { input: undefined, expected: 'Unknown' },
    { input: '', expected: 'Unknown' },
    { input: 'invalid', expected: 'Unknown' },
  ])('should show "Unknown" for invalid input: $input', ({ input, expected }) => {
    render(<StatusBadge status={input} />)
    expect(screen.getByText(expected)).toBeInTheDocument()
  })
 })
 ```
 ## Debugging Tips
 ```typescript
 // Print entire DOM
 screen.debug()
 // Print specific element
 screen.debug(screen.getByRole('button'))
 // Log testing playground URL
 screen.logTestingPlaygroundURL()
 // Pretty print DOM
 import { prettyDOM } from '@testing-library/react'
 console.log(prettyDOM(screen.getByRole('dialog')))
 // Check available roles
 import { getRoles } from '@testing-library/react'
 console.log(getRoles(container))
 ```
 ## Common Mistakes to Avoid
 ### ❌ Don't Use Implementation Details
 ```typescript
 // Bad - testing implementation
 expect(component.state.isOpen).toBe(true)
 expect(wrapper.find('.internal-class').length).toBe(1)
 // Good - testing behavior
 expect(screen.getByRole('dialog')).toBeInTheDocument()
 ```
 ### ❌ Don't Forget Cleanup
 ```typescript
 // Bad - may leak state between tests
 it('test 1', () => {
  render(<Component />)
 })
 // Good - cleanup is automatic with RTL, but reset mocks
 beforeEach(() => {
  jest.clearAllMocks()
 })
 ```
 ### ❌ Don't Use Exact String Matching (Prefer Black-Box Assertions)
 ```typescript
 // ❌ Bad - hardcoded strings are brittle
 expect(screen.getByText('Submit Form')).toBeInTheDocument()
 expect(screen.getByText('Loading...')).toBeInTheDocument()
 // ✅ Good - role-based queries (most semantic)
 expect(screen.getByRole('button', { name: /submit/i })).toBeInTheDocument()
 expect(screen.getByRole('status')).toBeInTheDocument()
 // ✅ Good - pattern matching (flexible)
 expect(screen.getByText(/submit/i)).toBeInTheDocument()
 expect(screen.getByText(/loading/i)).toBeInTheDocument()
 // ✅ Good - test behavior, not exact UI text
 expect(screen.getByRole('button')).toBeDisabled()
 expect(screen.getByRole('alert')).toBeInTheDocument()
 ```
 **Why prefer black-box assertions?**
 - Text content may change (i18n, copy updates)
 - Role-based queries test accessibility
 - Pattern matching is resilient to minor changes
 - Tests focus on behavior, not implementation details
 ### ❌ Don't Assert on Absence Without Query
 ```typescript
 // Bad - throws if not found
 expect(screen.getByText('Error')).not.toBeInTheDocument() // Error!
 // Good - use queryBy for absence assertions
 expect(screen.queryByText('Error')).not.toBeInTheDocument()
 ```
--- a/.claude/skills/frontend-testing/guides/domain-components.md
+++ b/.claude/skills/frontend-testing/guides/domain-components.md
@@ -0,0 +1,523 @@
 # Domain-Specific Component Testing
 This guide covers testing patterns for Dify's domain-specific components.
 ## Workflow Components (`workflow/`)
 Workflow components handle node configuration, data flow, and graph operations.
 ### Key Test Areas
 1. **Node Configuration**
 1. **Data Validation**
 1. **Variable Passing**
 1. **Edge Connections**
 1. **Error Handling**
 ### Example: Node Configuration Panel
 ```typescript
 import { render, screen, fireEvent, waitFor } from '@testing-library/react'
 import userEvent from '@testing-library/user-event'
 import NodeConfigPanel from './node-config-panel'
 import { createMockNode, createMockWorkflowContext } from '@/__mocks__/workflow'
 // Mock workflow context
 jest.mock('@/app/components/workflow/hooks', () => ({
  useWorkflowStore: () => mockWorkflowStore,
  useNodesInteractions: () => mockNodesInteractions,
 }))
 let mockWorkflowStore = {
  nodes: [],
  edges: [],
  updateNode: jest.fn(),
 }
 let mockNodesInteractions = {
  handleNodeSelect: jest.fn(),
  handleNodeDelete: jest.fn(),
 }
 describe('NodeConfigPanel', () => {
  beforeEach(() => {
    jest.clearAllMocks()
    mockWorkflowStore = {
      nodes: [],
      edges: [],
      updateNode: jest.fn(),
    }
  })
  describe('Node Configuration', () => {
    it('should render node type selector', () => {
      const node = createMockNode({ type: 'llm' })
      render(<NodeConfigPanel node={node} />)
      expect(screen.getByLabelText(/model/i)).toBeInTheDocument()
    })
    it('should update node config on change', async () => {
      const user = userEvent.setup()
      const node = createMockNode({ type: 'llm' })
      render(<NodeConfigPanel node={node} />)
      await user.selectOptions(screen.getByLabelText(/model/i), 'gpt-4')
      expect(mockWorkflowStore.updateNode).toHaveBeenCalledWith(
        node.id,
        expect.objectContaining({ model: 'gpt-4' })
      )
    })
  })
  describe('Data Validation', () => {
    it('should show error for invalid input', async () => {
      const user = userEvent.setup()
      const node = createMockNode({ type: 'code' })
      render(<NodeConfigPanel node={node} />)
      // Enter invalid code
      const codeInput = screen.getByLabelText(/code/i)
      await user.clear(codeInput)
      await user.type(codeInput, 'invalid syntax {{{')
      await waitFor(() => {
        expect(screen.getByText(/syntax error/i)).toBeInTheDocument()
      })
    })
    it('should validate required fields', async () => {
      const node = createMockNode({ type: 'http', data: { url: '' } })
      render(<NodeConfigPanel node={node} />)
      fireEvent.click(screen.getByRole('button', { name: /save/i }))
      await waitFor(() => {
        expect(screen.getByText(/url is required/i)).toBeInTheDocument()
      })
    })
  })
  describe('Variable Passing', () => {
    it('should display available variables from upstream nodes', () => {
      const upstreamNode = createMockNode({
        id: 'node-1',
        type: 'start',
        data: { outputs: [{ name: 'user_input', type: 'string' }] },
      })
      const currentNode = createMockNode({
        id: 'node-2',
        type: 'llm',
      })
      mockWorkflowStore.nodes = [upstreamNode, currentNode]
      mockWorkflowStore.edges = [{ source: 'node-1', target: 'node-2' }]
      render(<NodeConfigPanel node={currentNode} />)
      // Variable selector should show upstream variables
      fireEvent.click(screen.getByRole('button', { name: /add variable/i }))
      expect(screen.getByText('user_input')).toBeInTheDocument()
    })
    it('should insert variable into prompt template', async () => {
      const user = userEvent.setup()
      const node = createMockNode({ type: 'llm' })
      render(<NodeConfigPanel node={node} />)
      // Click variable button
      await user.click(screen.getByRole('button', { name: /insert variable/i }))
      await user.click(screen.getByText('user_input'))
      const promptInput = screen.getByLabelText(/prompt/i)
      expect(promptInput).toHaveValue(expect.stringContaining('{{user_input}}'))
    })
  })
 })
 ```
 ## Dataset Components (`dataset/`)
 Dataset components handle file uploads, data display, and search/filter operations.
 ### Key Test Areas
 1. **File Upload**
 1. **File Type Validation**
 1. **Pagination**
 1. **Search & Filtering**
 1. **Data Format Handling**
 ### Example: Document Uploader
 ```typescript
 import { render, screen, fireEvent, waitFor } from '@testing-library/react'
 import userEvent from '@testing-library/user-event'
 import DocumentUploader from './document-uploader'
 jest.mock('@/service/datasets', () => ({
  uploadDocument: jest.fn(),
  parseDocument: jest.fn(),
 }))
 import * as datasetService from '@/service/datasets'
 const mockedService = datasetService as jest.Mocked<typeof datasetService>
 describe('DocumentUploader', () => {
  beforeEach(() => {
    jest.clearAllMocks()
  })
  describe('File Upload', () => {
    it('should accept valid file types', async () => {
      const user = userEvent.setup()
      const onUpload = jest.fn()
      mockedService.uploadDocument.mockResolvedValue({ id: 'doc-1' })
      render(<DocumentUploader onUpload={onUpload} />)
      const file = new File(['content'], 'test.pdf', { type: 'application/pdf' })
      const input = screen.getByLabelText(/upload/i)
      await user.upload(input, file)
      await waitFor(() => {
        expect(mockedService.uploadDocument).toHaveBeenCalledWith(
          expect.any(FormData)
        )
      })
    })
    it('should reject invalid file types', async () => {
      const user = userEvent.setup()
      render(<DocumentUploader />)
      const file = new File(['content'], 'test.exe', { type: 'application/x-msdownload' })
      const input = screen.getByLabelText(/upload/i)
      await user.upload(input, file)
      expect(screen.getByText(/unsupported file type/i)).toBeInTheDocument()
      expect(mockedService.uploadDocument).not.toHaveBeenCalled()
    })
    it('should show upload progress', async () => {
      const user = userEvent.setup()
      // Mock upload with progress
      mockedService.uploadDocument.mockImplementation(() => {
        return new Promise((resolve) => {
          setTimeout(() => resolve({ id: 'doc-1' }), 100)
        })
      })
      render(<DocumentUploader />)
      const file = new File(['content'], 'test.pdf', { type: 'application/pdf' })
      await user.upload(screen.getByLabelText(/upload/i), file)
      expect(screen.getByRole('progressbar')).toBeInTheDocument()
      await waitFor(() => {
        expect(screen.queryByRole('progressbar')).not.toBeInTheDocument()
      })
    })
  })
  describe('Error Handling', () => {
    it('should handle upload failure', async () => {
      const user = userEvent.setup()
      mockedService.uploadDocument.mockRejectedValue(new Error('Upload failed'))
      render(<DocumentUploader />)
      const file = new File(['content'], 'test.pdf', { type: 'application/pdf' })
      await user.upload(screen.getByLabelText(/upload/i), file)
      await waitFor(() => {
        expect(screen.getByText(/upload failed/i)).toBeInTheDocument()
      })
    })
    it('should allow retry after failure', async () => {
      const user = userEvent.setup()
      mockedService.uploadDocument
        .mockRejectedValueOnce(new Error('Network error'))
        .mockResolvedValueOnce({ id: 'doc-1' })
      render(<DocumentUploader />)
      const file = new File(['content'], 'test.pdf', { type: 'application/pdf' })
      await user.upload(screen.getByLabelText(/upload/i), file)
      await waitFor(() => {
        expect(screen.getByRole('button', { name: /retry/i })).toBeInTheDocument()
      })
      await user.click(screen.getByRole('button', { name: /retry/i }))
      await waitFor(() => {
        expect(screen.getByText(/uploaded successfully/i)).toBeInTheDocument()
      })
    })
  })
 })
 ```
 ### Example: Document List with Pagination
 ```typescript
 describe('DocumentList', () => {
  describe('Pagination', () => {
    it('should load first page on mount', async () => {
      mockedService.getDocuments.mockResolvedValue({
        data: [{ id: '1', name: 'Doc 1' }],
        total: 50,
        page: 1,
        pageSize: 10,
      })
      render(<DocumentList datasetId="ds-1" />)
      await waitFor(() => {
        expect(screen.getByText('Doc 1')).toBeInTheDocument()
      })
      expect(mockedService.getDocuments).toHaveBeenCalledWith('ds-1', { page: 1 })
    })
    it('should navigate to next page', async () => {
      const user = userEvent.setup()
      mockedService.getDocuments.mockResolvedValue({
        data: [{ id: '1', name: 'Doc 1' }],
        total: 50,
        page: 1,
        pageSize: 10,
      })
      render(<DocumentList datasetId="ds-1" />)
      await waitFor(() => {
        expect(screen.getByText('Doc 1')).toBeInTheDocument()
      })
      mockedService.getDocuments.mockResolvedValue({
        data: [{ id: '11', name: 'Doc 11' }],
        total: 50,
        page: 2,
        pageSize: 10,
      })
      await user.click(screen.getByRole('button', { name: /next/i }))
      await waitFor(() => {
        expect(screen.getByText('Doc 11')).toBeInTheDocument()
      })
    })
  })
  describe('Search & Filtering', () => {
    it('should filter by search query', async () => {
      const user = userEvent.setup()
      jest.useFakeTimers()
      render(<DocumentList datasetId="ds-1" />)
      await user.type(screen.getByPlaceholderText(/search/i), 'test query')
      // Debounce
      jest.advanceTimersByTime(300)
      await waitFor(() => {
        expect(mockedService.getDocuments).toHaveBeenCalledWith(
          'ds-1',
          expect.objectContaining({ search: 'test query' })
        )
      })
      jest.useRealTimers()
    })
  })
 })
 ```
 ## Configuration Components (`app/configuration/`, `config/`)
 Configuration components handle forms, validation, and data persistence.
 ### Key Test Areas
 1. **Form Validation**
 1. **Save/Reset**
 1. **Required vs Optional Fields**
 1. **Configuration Persistence**
 1. **Error Feedback**
 ### Example: App Configuration Form
 ```typescript
 import { render, screen, fireEvent, waitFor } from '@testing-library/react'
 import userEvent from '@testing-library/user-event'
 import AppConfigForm from './app-config-form'
 jest.mock('@/service/apps', () => ({
  updateAppConfig: jest.fn(),
  getAppConfig: jest.fn(),
 }))
 import * as appService from '@/service/apps'
 const mockedService = appService as jest.Mocked<typeof appService>
 describe('AppConfigForm', () => {
  const defaultConfig = {
    name: 'My App',
    description: '',
    icon: 'default',
    openingStatement: '',
  }
  beforeEach(() => {
    jest.clearAllMocks()
    mockedService.getAppConfig.mockResolvedValue(defaultConfig)
  })
  describe('Form Validation', () => {
    it('should require app name', async () => {
      const user = userEvent.setup()
      render(<AppConfigForm appId="app-1" />)
      await waitFor(() => {
        expect(screen.getByLabelText(/name/i)).toHaveValue('My App')
      })
      // Clear name field
      await user.clear(screen.getByLabelText(/name/i))
      await user.click(screen.getByRole('button', { name: /save/i }))
      expect(screen.getByText(/name is required/i)).toBeInTheDocument()
      expect(mockedService.updateAppConfig).not.toHaveBeenCalled()
    })
    it('should validate name length', async () => {
      const user = userEvent.setup()
      render(<AppConfigForm appId="app-1" />)
      await waitFor(() => {
        expect(screen.getByLabelText(/name/i)).toBeInTheDocument()
      })
      // Enter very long name
      await user.clear(screen.getByLabelText(/name/i))
      await user.type(screen.getByLabelText(/name/i), 'a'.repeat(101))
      expect(screen.getByText(/name must be less than 100 characters/i)).toBeInTheDocument()
    })
    it('should allow empty optional fields', async () => {
      const user = userEvent.setup()
      mockedService.updateAppConfig.mockResolvedValue({ success: true })
      render(<AppConfigForm appId="app-1" />)
      await waitFor(() => {
        expect(screen.getByLabelText(/name/i)).toHaveValue('My App')
      })
      // Leave description empty (optional)
      await user.click(screen.getByRole('button', { name: /save/i }))
      await waitFor(() => {
        expect(mockedService.updateAppConfig).toHaveBeenCalled()
      })
    })
  })
  describe('Save/Reset Functionality', () => {
    it('should save configuration', async () => {
      const user = userEvent.setup()
      mockedService.updateAppConfig.mockResolvedValue({ success: true })
      render(<AppConfigForm appId="app-1" />)
      await waitFor(() => {
        expect(screen.getByLabelText(/name/i)).toHaveValue('My App')
      })
      await user.clear(screen.getByLabelText(/name/i))
      await user.type(screen.getByLabelText(/name/i), 'Updated App')
      await user.click(screen.getByRole('button', { name: /save/i }))
      await waitFor(() => {
        expect(mockedService.updateAppConfig).toHaveBeenCalledWith(
          'app-1',
          expect.objectContaining({ name: 'Updated App' })
        )
      })
      expect(screen.getByText(/saved successfully/i)).toBeInTheDocument()
    })
    it('should reset to default values', async () => {
      const user = userEvent.setup()
      render(<AppConfigForm appId="app-1" />)
      await waitFor(() => {
        expect(screen.getByLabelText(/name/i)).toHaveValue('My App')
      })
      // Make changes
      await user.clear(screen.getByLabelText(/name/i))
      await user.type(screen.getByLabelText(/name/i), 'Changed Name')
      // Reset
      await user.click(screen.getByRole('button', { name: /reset/i }))
      expect(screen.getByLabelText(/name/i)).toHaveValue('My App')
    })
    it('should show unsaved changes warning', async () => {
      const user = userEvent.setup()
      render(<AppConfigForm appId="app-1" />)
      await waitFor(() => {
        expect(screen.getByLabelText(/name/i)).toHaveValue('My App')
      })
      // Make changes
      await user.type(screen.getByLabelText(/name/i), ' Updated')
      expect(screen.getByText(/unsaved changes/i)).toBeInTheDocument()
    })
  })
  describe('Error Handling', () => {
    it('should show error on save failure', async () => {
      const user = userEvent.setup()
      mockedService.updateAppConfig.mockRejectedValue(new Error('Server error'))
      render(<AppConfigForm appId="app-1" />)
      await waitFor(() => {
        expect(screen.getByLabelText(/name/i)).toHaveValue('My App')
      })
      await user.click(screen.getByRole('button', { name: /save/i }))
      await waitFor(() => {
        expect(screen.getByText(/failed to save/i)).toBeInTheDocument()
      })
    })
  })
 })
 ```
--- a/.claude/skills/frontend-testing/guides/mocking.md
+++ b/.claude/skills/frontend-testing/guides/mocking.md
@@ -0,0 +1,363 @@
 # Mocking Guide for Dify Frontend Tests
 ## ⚠️ Important: What NOT to Mock
 ### DO NOT Mock Base Components
 **Never mock components from `@/app/components/base/`** such as:
 - `Loading`, `Spinner`
 - `Button`, `Input`, `Select`
 - `Tooltip`, `Modal`, `Dropdown`
 - `Icon`, `Badge`, `Tag`
 **Why?**
 - Base components will have their own dedicated tests
 - Mocking them creates false positives (tests pass but real integration fails)
 - Using real components tests actual integration behavior
 ```typescript
 // ❌ WRONG: Don't mock base components
 jest.mock('@/app/components/base/loading', () => () => <div>Loading</div>)
 jest.mock('@/app/components/base/button', () => ({ children }: any) => <button>{children}</button>)
 // ✅ CORRECT: Import and use real base components
 import Loading from '@/app/components/base/loading'
 import Button from '@/app/components/base/button'
 // They will render normally in tests
 ```
 ### What TO Mock
 Only mock these categories:
 1. **API services** (`@/service/*`) - Network calls
 1. **Complex context providers** - When setup is too difficult
 1. **Third-party libraries with side effects** - `next/navigation`, external SDKs
 1. **i18n** - Always mock to return keys
 ## Mock Placement
 | Location | Purpose |
 |----------|---------|
 | `web/__mocks__/` | Reusable mocks shared across multiple test files |
 | Test file | Test-specific mocks, inline with `jest.mock()` |
 ## Essential Mocks
 ### 1. i18n (Auto-loaded via Shared Mock)
 A shared mock is available at `web/__mocks__/react-i18next.ts` and is auto-loaded by Jest.
 **No explicit mock needed** for most tests - it returns translation keys as-is.
 For tests requiring custom translations, override the mock:
 ```typescript
 jest.mock('react-i18next', () => ({
  useTranslation: () => ({
    t: (key: string) => {
      const translations: Record<string, string> = {
        'my.custom.key': 'Custom translation',
      }
      return translations[key] || key
    },
  }),
 }))
 ```
 ### 2. Next.js Router
 ```typescript
 const mockPush = jest.fn()
 const mockReplace = jest.fn()
 jest.mock('next/navigation', () => ({
  useRouter: () => ({
    push: mockPush,
    replace: mockReplace,
    back: jest.fn(),
    prefetch: jest.fn(),
  }),
  usePathname: () => '/current-path',
  useSearchParams: () => new URLSearchParams('?key=value'),
 }))
 describe('Component', () => {
  beforeEach(() => {
    jest.clearAllMocks()
  })
  it('should navigate on click', () => {
    render(<Component />)
    fireEvent.click(screen.getByRole('button'))
    expect(mockPush).toHaveBeenCalledWith('/expected-path')
  })
 })
 ```
 ### 3. Portal Components (with Shared State)
 ```typescript
 // ⚠️ Important: Use shared state for components that depend on each other
 let mockPortalOpenState = false
 jest.mock('@/app/components/base/portal-to-follow-elem', () => ({
  PortalToFollowElem: ({ children, open, ...props }: any) => {
    mockPortalOpenState = open || false  // Update shared state
    return <div data-testid="portal" data-open={open}>{children}</div>
  },
  PortalToFollowElemContent: ({ children }: any) => {
    // ✅ Matches actual: returns null when portal is closed
    if (!mockPortalOpenState) return null
    return <div data-testid="portal-content">{children}</div>
  },
  PortalToFollowElemTrigger: ({ children }: any) => (
    <div data-testid="portal-trigger">{children}</div>
  ),
 }))
 describe('Component', () => {
  beforeEach(() => {
    jest.clearAllMocks()
    mockPortalOpenState = false  // ✅ Reset shared state
  })
 })
 ```
 ### 4. API Service Mocks
 ```typescript
 import * as api from '@/service/api'
 jest.mock('@/service/api')
 const mockedApi = api as jest.Mocked<typeof api>
 describe('Component', () => {
  beforeEach(() => {
    jest.clearAllMocks()
    // Setup default mock implementation
    mockedApi.fetchData.mockResolvedValue({ data: [] })
  })
  it('should show data on success', async () => {
    mockedApi.fetchData.mockResolvedValue({ data: [{ id: 1 }] })
    render(<Component />)
    await waitFor(() => {
      expect(screen.getByText('1')).toBeInTheDocument()
    })
  })
  it('should show error on failure', async () => {
    mockedApi.fetchData.mockRejectedValue(new Error('Network error'))
    render(<Component />)
    await waitFor(() => {
      expect(screen.getByText(/error/i)).toBeInTheDocument()
    })
  })
 })
 ```
 ### 5. HTTP Mocking with Nock
 ```typescript
 import nock from 'nock'
 const GITHUB_HOST = 'https://api.github.com'
 const GITHUB_PATH = '/repos/owner/repo'
 const mockGithubApi = (status: number, body: Record<string, unknown>, delayMs = 0) => {
  return nock(GITHUB_HOST)
    .get(GITHUB_PATH)
    .delay(delayMs)
    .reply(status, body)
 }
 describe('GithubComponent', () => {
  afterEach(() => {
    nock.cleanAll()
  })
  it('should display repo info', async () => {
    mockGithubApi(200, { name: 'dify', stars: 1000 })
    render(<GithubComponent />)
    await waitFor(() => {
      expect(screen.getByText('dify')).toBeInTheDocument()
    })
  })
  it('should handle API error', async () => {
    mockGithubApi(500, { message: 'Server error' })
    render(<GithubComponent />)
    await waitFor(() => {
      expect(screen.getByText(/error/i)).toBeInTheDocument()
    })
  })
 })
 ```
 ### 6. Context Providers
 ```typescript
 import { ProviderContext } from '@/context/provider-context'
 import { createMockProviderContextValue, createMockPlan } from '@/__mocks__/provider-context'
 describe('Component with Context', () => {
  it('should render for free plan', () => {
    const mockContext = createMockPlan('sandbox')
    render(
      <ProviderContext.Provider value={mockContext}>
        <Component />
      </ProviderContext.Provider>
    )
    expect(screen.getByText('Upgrade')).toBeInTheDocument()
  })
  it('should render for pro plan', () => {
    const mockContext = createMockPlan('professional')
    render(
      <ProviderContext.Provider value={mockContext}>
        <Component />
      </ProviderContext.Provider>
    )
    expect(screen.queryByText('Upgrade')).not.toBeInTheDocument()
  })
 })
 ```
 ### 7. SWR / React Query
 ```typescript
 // SWR
 jest.mock('swr', () => ({
  __esModule: true,
  default: jest.fn(),
 }))
 import useSWR from 'swr'
 const mockedUseSWR = useSWR as jest.Mock
 describe('Component with SWR', () => {
  it('should show loading state', () => {
    mockedUseSWR.mockReturnValue({
      data: undefined,
      error: undefined,
      isLoading: true,
    })
    render(<Component />)
    expect(screen.getByText(/loading/i)).toBeInTheDocument()
  })
 })
 // React Query
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query'
 const createTestQueryClient = () => new QueryClient({
  defaultOptions: {
    queries: { retry: false },
    mutations: { retry: false },
  },
 })
 const renderWithQueryClient = (ui: React.ReactElement) => {
  const queryClient = createTestQueryClient()
  return render(
    <QueryClientProvider client={queryClient}>
      {ui}
    </QueryClientProvider>
  )
 }
 ```
 ## Mock Best Practices
 ### ✅ DO
 1. **Use real base components** - Import from `@/app/components/base/` directly
 1. **Use real project components** - Prefer importing over mocking
 1. **Reset mocks in `beforeEach`**, not `afterEach`
 1. **Match actual component behavior** in mocks (when mocking is necessary)
 1. **Use factory functions** for complex mock data
 1. **Import actual types** for type safety
 1. **Reset shared mock state** in `beforeEach`
 ### ❌ DON'T
 1. **Don't mock base components** (`Loading`, `Button`, `Tooltip`, etc.)
 1. Don't mock components you can import directly
 1. Don't create overly simplified mocks that miss conditional logic
 1. Don't forget to clean up nock after each test
 1. Don't use `any` types in mocks without necessity
 ### Mock Decision Tree
 ```
 Need to use a component in test?
 │
 ├─ Is it from @/app/components/base/*?
 │  └─ YES → Import real component, DO NOT mock
 │
 ├─ Is it a project component?
 │  └─ YES → Prefer importing real component
 │           Only mock if setup is extremely complex
 │
 ├─ Is it an API service (@/service/*)?
 │  └─ YES → Mock it
 │
 ├─ Is it a third-party lib with side effects?
 │  └─ YES → Mock it (next/navigation, external SDKs)
 │
 └─ Is it i18n?
   └─ YES → Uses shared mock (auto-loaded). Override only for custom translations
 ```
 ## Factory Function Pattern
 ```typescript
 // __mocks__/data-factories.ts
 import type { User, Project } from '@/types'
 export const createMockUser = (overrides: Partial<User> = {}): User => ({
  id: 'user-1',
  name: 'Test User',
  email: 'test@example.com',
  role: 'member',
  createdAt: new Date().toISOString(),
  ...overrides,
 })
 export const createMockProject = (overrides: Partial<Project> = {}): Project => ({
  id: 'project-1',
  name: 'Test Project',
  description: 'A test project',
  owner: createMockUser(),
  members: [],
  createdAt: new Date().toISOString(),
  ...overrides,
 })
 // Usage in tests
 it('should display project owner', () => {
  const project = createMockProject({
    owner: createMockUser({ name: 'John Doe' }),
  })
  render(<ProjectCard project={project} />)
  expect(screen.getByText('John Doe')).toBeInTheDocument()
 })
 ```
--- a/.claude/skills/frontend-testing/guides/workflow.md
+++ b/.claude/skills/frontend-testing/guides/workflow.md
@@ -0,0 +1,269 @@
 # Testing Workflow Guide
 This guide defines the workflow for generating tests, especially for complex components or directories with multiple files.
 ## Scope Clarification
 This guide addresses **multi-file workflow** (how to process multiple test files). For coverage requirements within a single test file, see `web/testing/testing.md` § Coverage Goals.
 | Scope | Rule |
 |-------|------|
 | **Single file** | Complete coverage in one generation (100% function, >95% branch) |
 | **Multi-file directory** | Process one file at a time, verify each before proceeding |
 ## ⚠️ Critical Rule: Incremental Approach for Multi-File Testing
 When testing a **directory with multiple files**, **NEVER generate all test files at once.** Use an incremental, verify-as-you-go approach.
 ### Why Incremental?
 | Batch Approach (❌) | Incremental Approach (✅) |
 |---------------------|---------------------------|
 | Generate 5+ tests at once | Generate 1 test at a time |
 | Run tests only at the end | Run test immediately after each file |
 | Multiple failures compound | Single point of failure, easy to debug |
 | Hard to identify root cause | Clear cause-effect relationship |
 | Mock issues affect many files | Mock issues caught early |
 | Messy git history | Clean, atomic commits possible |
 ## Single File Workflow
 When testing a **single component, hook, or utility**:
 ```
 1. Read source code completely
 2. Run `pnpm analyze-component <path>` (if available)
 3. Check complexity score and features detected
 4. Write the test file
 5. Run test: `pnpm test -- <file>.spec.tsx`
 6. Fix any failures
 7. Verify coverage meets goals (100% function, >95% branch)
 ```
 ## Directory/Multi-File Workflow (MUST FOLLOW)
 When testing a **directory or multiple files**, follow this strict workflow:
 ### Step 1: Analyze and Plan
 1. **List all files** that need tests in the directory
 1. **Categorize by complexity**:
   - 🟢 **Simple**: Utility functions, simple hooks, presentational components
   - 🟡 **Medium**: Components with state, effects, or event handlers
   - 🔴 **Complex**: Components with API calls, routing, or many dependencies
 1. **Order by dependency**: Test dependencies before dependents
 1. **Create a todo list** to track progress
 ### Step 2: Determine Processing Order
 Process files in this recommended order:
 ```
 1. Utility functions (simplest, no React)
 2. Custom hooks (isolated logic)
 3. Simple presentational components (few/no props)
 4. Medium complexity components (state, effects)
 5. Complex components (API, routing, many deps)
 6. Container/index components (integration tests - last)
 ```
 **Rationale**:
 - Simpler files help establish mock patterns
 - Hooks used by components should be tested first
 - Integration tests (index files) depend on child components working
 ### Step 3: Process Each File Incrementally
 **For EACH file in the ordered list:**
 ```
 ┌─────────────────────────────────────────────┐
 │  1. Write test file                         │
 │  2. Run: pnpm test -- <file>.spec.tsx       │
 │  3. If FAIL → Fix immediately, re-run       │
 │  4. If PASS → Mark complete in todo list    │
 │  5. ONLY THEN proceed to next file          │
 └─────────────────────────────────────────────┘
 ```
 **DO NOT proceed to the next file until the current one passes.**
 ### Step 4: Final Verification
 After all individual tests pass:
 ```bash
 # Run all tests in the directory together
 pnpm test -- path/to/directory/
 # Check coverage
 pnpm test -- --coverage path/to/directory/
 ```
 ## Component Complexity Guidelines
 Use `pnpm analyze-component <path>` to assess complexity before testing.
 ### 🔴 Very Complex Components (Complexity > 50)
 **Consider refactoring BEFORE testing:**
 - Break component into smaller, testable pieces
 - Extract complex logic into custom hooks
 - Separate container and presentational layers
 **If testing as-is:**
 - Use integration tests for complex workflows
 - Use `test.each()` for data-driven testing
 - Multiple `describe` blocks for organization
 - Consider testing major sections separately
 ### 🟡 Medium Complexity (Complexity 30-50)
 - Group related tests in `describe` blocks
 - Test integration scenarios between internal parts
 - Focus on state transitions and side effects
 - Use helper functions to reduce test complexity
 ### 🟢 Simple Components (Complexity < 30)
 - Standard test structure
 - Focus on props, rendering, and edge cases
 - Usually straightforward to test
 ### 📏 Large Files (500+ lines)
 Regardless of complexity score:
 - **Strongly consider refactoring** before testing
 - If testing as-is, test major sections separately
 - Create helper functions for test setup
 - May need multiple test files
 ## Todo List Format
 When testing multiple files, use a todo list like this:
 ```
 Testing: path/to/directory/
 Ordered by complexity (simple → complex):
 ☐ utils/helper.ts           [utility, simple]
 ☐ hooks/use-custom-hook.ts  [hook, simple]
 ☐ empty-state.tsx           [component, simple]
 ☐ item-card.tsx             [component, medium]
 ☐ list.tsx                  [component, complex]
 ☐ index.tsx                 [integration]
 Progress: 0/6 complete
 ```
 Update status as you complete each:
 - ☐ → ⏳ (in progress)
 - ⏳ → ✅ (complete and verified)
 - ⏳ → ❌ (blocked, needs attention)
 ## When to Stop and Verify
 **Always run tests after:**
 - Completing a test file
 - Making changes to fix a failure
 - Modifying shared mocks
 - Updating test utilities or helpers
 **Signs you should pause:**
 - More than 2 consecutive test failures
 - Mock-related errors appearing
 - Unclear why a test is failing
 - Test passing but coverage unexpectedly low
 ## Common Pitfalls to Avoid
 ### ❌ Don't: Generate Everything First
 ```
 # BAD: Writing all files then testing
 Write component-a.spec.tsx
 Write component-b.spec.tsx  
 Write component-c.spec.tsx
 Write component-d.spec.tsx
 Run pnpm test  ← Multiple failures, hard to debug
 ```
 ### ✅ Do: Verify Each Step
 ```
 # GOOD: Incremental with verification
 Write component-a.spec.tsx
 Run pnpm test -- component-a.spec.tsx ✅
 Write component-b.spec.tsx
 Run pnpm test -- component-b.spec.tsx ✅
 ...continue...
 ```
 ### ❌ Don't: Skip Verification for "Simple" Components
 Even simple components can have:
 - Import errors
 - Missing mock setup
 - Incorrect assumptions about props
 **Always verify, regardless of perceived simplicity.**
 ### ❌ Don't: Continue When Tests Fail
 Failing tests compound:
 - A mock issue in file A affects files B, C, D
 - Fixing A later requires revisiting all dependent tests
 - Time wasted on debugging cascading failures
 **Fix failures immediately before proceeding.**
 ## Integration with Claude's Todo Feature
 When using Claude for multi-file testing:
 1. **Ask Claude to create a todo list** before starting
 1. **Request one file at a time** or ensure Claude processes incrementally
 1. **Verify each test passes** before asking for the next
 1. **Mark todos complete** as you progress
 Example prompt:
 ```
 Test all components in `path/to/directory/`.
 First, analyze the directory and create a todo list ordered by complexity.
 Then, process ONE file at a time, waiting for my confirmation that tests pass
 before proceeding to the next.
 ```
 ## Summary Checklist
 Before starting multi-file testing:
 - [ ] Listed all files needing tests
 - [ ] Ordered by complexity (simple → complex)
 - [ ] Created todo list for tracking
 - [ ] Understand dependencies between files
 During testing:
 - [ ] Processing ONE file at a time
 - [ ] Running tests after EACH file
 - [ ] Fixing failures BEFORE proceeding
 - [ ] Updating todo list progress
 After completion:
 - [ ] All individual tests pass
 - [ ] Full directory test run passes
 - [ ] Coverage goals met
 - [ ] Todo list shows all complete
--- a/.claude/skills/frontend-testing/templates/component-test.template.tsx
+++ b/.claude/skills/frontend-testing/templates/component-test.template.tsx
@@ -0,0 +1,289 @@
 /**
 * Test Template for React Components
 *
 * WHY THIS STRUCTURE?
 * - Organized sections make tests easy to navigate and maintain
 * - Mocks at top ensure consistent test isolation
 * - Factory functions reduce duplication and improve readability
 * - describe blocks group related scenarios for better debugging
 *
 * INSTRUCTIONS:
 * 1. Replace `ComponentName` with your component name
 * 2. Update import path
 * 3. Add/remove test sections based on component features (use analyze-component)
 * 4. Follow AAA pattern: Arrange → Act → Assert
 *
 * RUN FIRST: pnpm analyze-component <path> to identify required test scenarios
 */
 import { render, screen, fireEvent, waitFor } from '@testing-library/react'
 import userEvent from '@testing-library/user-event'
 // import ComponentName from './index'
 // ============================================================================
 // Mocks
 // ============================================================================
 // WHY: Mocks must be hoisted to top of file (Jest requirement).
 // They run BEFORE imports, so keep them before component imports.
 // i18n (always required in Dify)
 // WHY: Returns key instead of translation so tests don't depend on i18n files
 jest.mock('react-i18next', () => ({
  useTranslation: () => ({
    t: (key: string) => key,
  }),
 }))
 // Router (if component uses useRouter, usePathname, useSearchParams)
 // WHY: Isolates tests from Next.js routing, enables testing navigation behavior
 // const mockPush = jest.fn()
 // jest.mock('next/navigation', () => ({
 //   useRouter: () => ({ push: mockPush }),
 //   usePathname: () => '/test-path',
 // }))
 // API services (if component fetches data)
 // WHY: Prevents real network calls, enables testing all states (loading/success/error)
 // jest.mock('@/service/api')
 // import * as api from '@/service/api'
 // const mockedApi = api as jest.Mocked<typeof api>
 // Shared mock state (for portal/dropdown components)
 // WHY: Portal components like PortalToFollowElem need shared state between
 // parent and child mocks to correctly simulate open/close behavior
 // let mockOpenState = false
 // ============================================================================
 // Test Data Factories
 // ============================================================================
 // WHY FACTORIES?
 // - Avoid hard-coded test data scattered across tests
 // - Easy to create variations with overrides
 // - Type-safe when using actual types from source
 // - Single source of truth for default test values
 // const createMockProps = (overrides = {}) => ({
 //   // Default props that make component render successfully
 //   ...overrides,
 // })
 // const createMockItem = (overrides = {}) => ({
 //   id: 'item-1',
 //   name: 'Test Item',
 //   ...overrides,
 // })
 // ============================================================================
 // Test Helpers
 // ============================================================================
 // const renderComponent = (props = {}) => {
 //   return render(<ComponentName {...createMockProps(props)} />)
 // }
 // ============================================================================
 // Tests
 // ============================================================================
 describe('ComponentName', () => {
  // WHY beforeEach with clearAllMocks?
  // - Ensures each test starts with clean slate
  // - Prevents mock call history from leaking between tests
  // - MUST be beforeEach (not afterEach) to reset BEFORE assertions like toHaveBeenCalledTimes
  beforeEach(() => {
    jest.clearAllMocks()
    // Reset shared mock state if used (CRITICAL for portal/dropdown tests)
    // mockOpenState = false
  })
  // --------------------------------------------------------------------------
  // Rendering Tests (REQUIRED - Every component MUST have these)
  // --------------------------------------------------------------------------
  // WHY: Catches import errors, missing providers, and basic render issues
  describe('Rendering', () => {
    it('should render without crashing', () => {
      // Arrange - Setup data and mocks
      // const props = createMockProps()
      // Act - Render the component
      // render(<ComponentName {...props} />)
      // Assert - Verify expected output
      // Prefer getByRole for accessibility; it's what users "see"
      // expect(screen.getByRole('...')).toBeInTheDocument()
    })
    it('should render with default props', () => {
      // WHY: Verifies component works without optional props
      // render(<ComponentName />)
      // expect(screen.getByText('...')).toBeInTheDocument()
    })
  })
  // --------------------------------------------------------------------------
  // Props Tests (REQUIRED - Every component MUST test prop behavior)
  // --------------------------------------------------------------------------
  // WHY: Props are the component's API contract. Test them thoroughly.
  describe('Props', () => {
    it('should apply custom className', () => {
      // WHY: Common pattern in Dify - components should merge custom classes
      // render(<ComponentName className="custom-class" />)
      // expect(screen.getByTestId('component')).toHaveClass('custom-class')
    })
    it('should use default values for optional props', () => {
      // WHY: Verifies TypeScript defaults work at runtime
      // render(<ComponentName />)
      // expect(screen.getByRole('...')).toHaveAttribute('...', 'default-value')
    })
  })
  // --------------------------------------------------------------------------
  // User Interactions (if component has event handlers - on*, handle*)
  // --------------------------------------------------------------------------
  // WHY: Event handlers are core functionality. Test from user's perspective.
  describe('User Interactions', () => {
    it('should call onClick when clicked', async () => {
      // WHY userEvent over fireEvent?
      // - userEvent simulates real user behavior (focus, hover, then click)
      // - fireEvent is lower-level, doesn't trigger all browser events
      // const user = userEvent.setup()
      // const handleClick = jest.fn()
      // render(<ComponentName onClick={handleClick} />)
      //
      // await user.click(screen.getByRole('button'))
      //
      // expect(handleClick).toHaveBeenCalledTimes(1)
    })
    it('should call onChange when value changes', async () => {
      // const user = userEvent.setup()
      // const handleChange = jest.fn()
      // render(<ComponentName onChange={handleChange} />)
      //
      // await user.type(screen.getByRole('textbox'), 'new value')
      //
      // expect(handleChange).toHaveBeenCalled()
    })
  })
  // --------------------------------------------------------------------------
  // State Management (if component uses useState/useReducer)
  // --------------------------------------------------------------------------
  // WHY: Test state through observable UI changes, not internal state values
  describe('State Management', () => {
    it('should update state on interaction', async () => {
      // WHY test via UI, not state?
      // - State is implementation detail; UI is what users see
      // - If UI works correctly, state must be correct
      // const user = userEvent.setup()
      // render(<ComponentName />)
      //
      // // Initial state - verify what user sees
      // expect(screen.getByText('Initial')).toBeInTheDocument()
      //
      // // Trigger state change via user action
      // await user.click(screen.getByRole('button'))
      //
      // // New state - verify UI updated
      // expect(screen.getByText('Updated')).toBeInTheDocument()
    })
  })
  // --------------------------------------------------------------------------
  // Async Operations (if component fetches data - useSWR, useQuery, fetch)
  // --------------------------------------------------------------------------
  // WHY: Async operations have 3 states users experience: loading, success, error
  describe('Async Operations', () => {
    it('should show loading state', () => {
      // WHY never-resolving promise?
      // - Keeps component in loading state for assertion
      // - Alternative: use fake timers
      // mockedApi.fetchData.mockImplementation(() => new Promise(() => {}))
      // render(<ComponentName />)
      //
      // expect(screen.getByText(/loading/i)).toBeInTheDocument()
    })
    it('should show data on success', async () => {
      // WHY waitFor?
      // - Component updates asynchronously after fetch resolves
      // - waitFor retries assertion until it passes or times out
      // mockedApi.fetchData.mockResolvedValue({ items: ['Item 1'] })
      // render(<ComponentName />)
      //
      // await waitFor(() => {
      //   expect(screen.getByText('Item 1')).toBeInTheDocument()
      // })
    })
    it('should show error on failure', async () => {
      // mockedApi.fetchData.mockRejectedValue(new Error('Network error'))
      // render(<ComponentName />)
      //
      // await waitFor(() => {
      //   expect(screen.getByText(/error/i)).toBeInTheDocument()
      // })
    })
  })
  // --------------------------------------------------------------------------
  // Edge Cases (REQUIRED - Every component MUST handle edge cases)
  // --------------------------------------------------------------------------
  // WHY: Real-world data is messy. Components must handle:
  // - Null/undefined from API failures or optional fields
  // - Empty arrays/strings from user clearing data
  // - Boundary values (0, MAX_INT, special characters)
  describe('Edge Cases', () => {
    it('should handle null value', () => {
      // WHY test null specifically?
      // - API might return null for missing data
      // - Prevents "Cannot read property of null" in production
      // render(<ComponentName value={null} />)
      // expect(screen.getByText(/no data/i)).toBeInTheDocument()
    })
    it('should handle undefined value', () => {
      // WHY test undefined separately from null?
      // - TypeScript treats them differently
      // - Optional props are undefined, not null
      // render(<ComponentName value={undefined} />)
      // expect(screen.getByText(/no data/i)).toBeInTheDocument()
    })
    it('should handle empty array', () => {
      // WHY: Empty state often needs special UI (e.g., "No items yet")
      // render(<ComponentName items={[]} />)
      // expect(screen.getByText(/empty/i)).toBeInTheDocument()
    })
    it('should handle empty string', () => {
      // WHY: Empty strings are truthy in JS but visually empty
      // render(<ComponentName text="" />)
      // expect(screen.getByText(/placeholder/i)).toBeInTheDocument()
    })
  })
  // --------------------------------------------------------------------------
  // Accessibility (optional but recommended for Dify's enterprise users)
  // --------------------------------------------------------------------------
  // WHY: Dify has enterprise customers who may require accessibility compliance
  describe('Accessibility', () => {
    it('should have accessible name', () => {
      // WHY getByRole with name?
      // - Tests that screen readers can identify the element
      // - Enforces proper labeling practices
      // render(<ComponentName label="Test Label" />)
      // expect(screen.getByRole('button', { name: /test label/i })).toBeInTheDocument()
    })
    it('should support keyboard navigation', async () => {
      // WHY: Some users can't use a mouse
      // const user = userEvent.setup()
      // render(<ComponentName />)
      //
      // await user.tab()
      // expect(screen.getByRole('button')).toHaveFocus()
    })
  })
 })
--- a/.claude/skills/frontend-testing/templates/hook-test.template.ts
+++ b/.claude/skills/frontend-testing/templates/hook-test.template.ts
@@ -0,0 +1,207 @@
 /**
 * Test Template for Custom Hooks
 *
 * Instructions:
 * 1. Replace `useHookName` with your hook name
 * 2. Update import path
 * 3. Add/remove test sections based on hook features
 */
 import { renderHook, act, waitFor } from '@testing-library/react'
 // import { useHookName } from './use-hook-name'
 // ============================================================================
 // Mocks
 // ============================================================================
 // API services (if hook fetches data)
 // jest.mock('@/service/api')
 // import * as api from '@/service/api'
 // const mockedApi = api as jest.Mocked<typeof api>
 // ============================================================================
 // Test Helpers
 // ============================================================================
 // Wrapper for hooks that need context
 // const createWrapper = (contextValue = {}) => {
 //   return ({ children }: { children: React.ReactNode }) => (
 //     <SomeContext.Provider value={contextValue}>
 //       {children}
 //     </SomeContext.Provider>
 //   )
 // }
 // ============================================================================
 // Tests
 // ============================================================================
 describe('useHookName', () => {
  beforeEach(() => {
    jest.clearAllMocks()
  })
  // --------------------------------------------------------------------------
  // Initial State
  // --------------------------------------------------------------------------
  describe('Initial State', () => {
    it('should return initial state', () => {
      // const { result } = renderHook(() => useHookName())
      //
      // expect(result.current.value).toBe(initialValue)
      // expect(result.current.isLoading).toBe(false)
    })
    it('should accept initial value from props', () => {
      // const { result } = renderHook(() => useHookName({ initialValue: 'custom' }))
      //
      // expect(result.current.value).toBe('custom')
    })
  })
  // --------------------------------------------------------------------------
  // State Updates
  // --------------------------------------------------------------------------
  describe('State Updates', () => {
    it('should update value when setValue is called', () => {
      // const { result } = renderHook(() => useHookName())
      //
      // act(() => {
      //   result.current.setValue('new value')
      // })
      //
      // expect(result.current.value).toBe('new value')
    })
    it('should reset to initial value', () => {
      // const { result } = renderHook(() => useHookName({ initialValue: 'initial' }))
      //
      // act(() => {
      //   result.current.setValue('changed')
      // })
      // expect(result.current.value).toBe('changed')
      //
      // act(() => {
      //   result.current.reset()
      // })
      // expect(result.current.value).toBe('initial')
    })
  })
  // --------------------------------------------------------------------------
  // Async Operations
  // --------------------------------------------------------------------------
  describe('Async Operations', () => {
    it('should fetch data on mount', async () => {
      // mockedApi.fetchData.mockResolvedValue({ data: 'test' })
      //
      // const { result } = renderHook(() => useHookName())
      //
      // // Initially loading
      // expect(result.current.isLoading).toBe(true)
      //
      // // Wait for data
      // await waitFor(() => {
      //   expect(result.current.isLoading).toBe(false)
      // })
      //
      // expect(result.current.data).toEqual({ data: 'test' })
    })
    it('should handle fetch error', async () => {
      // mockedApi.fetchData.mockRejectedValue(new Error('Network error'))
      //
      // const { result } = renderHook(() => useHookName())
      //
      // await waitFor(() => {
      //   expect(result.current.error).toBeTruthy()
      // })
      //
      // expect(result.current.error?.message).toBe('Network error')
    })
    it('should refetch when dependency changes', async () => {
      // mockedApi.fetchData.mockResolvedValue({ data: 'test' })
      //
      // const { result, rerender } = renderHook(
      //   ({ id }) => useHookName(id),
      //   { initialProps: { id: '1' } }
      // )
      //
      // await waitFor(() => {
      //   expect(mockedApi.fetchData).toHaveBeenCalledWith('1')
      // })
      //
      // rerender({ id: '2' })
      //
      // await waitFor(() => {
      //   expect(mockedApi.fetchData).toHaveBeenCalledWith('2')
      // })
    })
  })
  // --------------------------------------------------------------------------
  // Side Effects
  // --------------------------------------------------------------------------
  describe('Side Effects', () => {
    it('should call callback when value changes', () => {
      // const callback = jest.fn()
      // const { result } = renderHook(() => useHookName({ onChange: callback }))
      //
      // act(() => {
      //   result.current.setValue('new value')
      // })
      //
      // expect(callback).toHaveBeenCalledWith('new value')
    })
    it('should cleanup on unmount', () => {
      // const cleanup = jest.fn()
      // jest.spyOn(window, 'addEventListener')
      // jest.spyOn(window, 'removeEventListener')
      //
      // const { unmount } = renderHook(() => useHookName())
      //
      // expect(window.addEventListener).toHaveBeenCalled()
      //
      // unmount()
      //
      // expect(window.removeEventListener).toHaveBeenCalled()
    })
  })
  // --------------------------------------------------------------------------
  // Edge Cases
  // --------------------------------------------------------------------------
  describe('Edge Cases', () => {
    it('should handle null input', () => {
      // const { result } = renderHook(() => useHookName(null))
      //
      // expect(result.current.value).toBeNull()
    })
    it('should handle rapid updates', () => {
      // const { result } = renderHook(() => useHookName())
      //
      // act(() => {
      //   result.current.setValue('1')
      //   result.current.setValue('2')
      //   result.current.setValue('3')
      // })
      //
      // expect(result.current.value).toBe('3')
    })
  })
  // --------------------------------------------------------------------------
  // With Context (if hook uses context)
  // --------------------------------------------------------------------------
  describe('With Context', () => {
    it('should use context value', () => {
      // const wrapper = createWrapper({ someValue: 'context-value' })
      // const { result } = renderHook(() => useHookName(), { wrapper })
      //
      // expect(result.current.contextValue).toBe('context-value')
    })
  })
 })
--- a/.claude/skills/frontend-testing/templates/utility-test.template.ts
+++ b/.claude/skills/frontend-testing/templates/utility-test.template.ts
@@ -0,0 +1,154 @@
 /**
 * Test Template for Utility Functions
 *
 * Instructions:
 * 1. Replace `utilityFunction` with your function name
 * 2. Update import path
 * 3. Use test.each for data-driven tests
 */
 // import { utilityFunction } from './utility'
 // ============================================================================
 // Tests
 // ============================================================================
 describe('utilityFunction', () => {
  // --------------------------------------------------------------------------
  // Basic Functionality
  // --------------------------------------------------------------------------
  describe('Basic Functionality', () => {
    it('should return expected result for valid input', () => {
      // expect(utilityFunction('input')).toBe('expected-output')
    })
    it('should handle multiple arguments', () => {
      // expect(utilityFunction('a', 'b', 'c')).toBe('abc')
    })
  })
  // --------------------------------------------------------------------------
  // Data-Driven Tests
  // --------------------------------------------------------------------------
  describe('Input/Output Mapping', () => {
    test.each([
      // [input, expected]
      ['input1', 'output1'],
      ['input2', 'output2'],
      ['input3', 'output3'],
    ])('should return %s for input %s', (input, expected) => {
      // expect(utilityFunction(input)).toBe(expected)
    })
  })
  // --------------------------------------------------------------------------
  // Edge Cases
  // --------------------------------------------------------------------------
  describe('Edge Cases', () => {
    it('should handle empty string', () => {
      // expect(utilityFunction('')).toBe('')
    })
    it('should handle null', () => {
      // expect(utilityFunction(null)).toBe(null)
      // or
      // expect(() => utilityFunction(null)).toThrow()
    })
    it('should handle undefined', () => {
      // expect(utilityFunction(undefined)).toBe(undefined)
      // or
      // expect(() => utilityFunction(undefined)).toThrow()
    })
    it('should handle empty array', () => {
      // expect(utilityFunction([])).toEqual([])
    })
    it('should handle empty object', () => {
      // expect(utilityFunction({})).toEqual({})
    })
  })
  // --------------------------------------------------------------------------
  // Boundary Conditions
  // --------------------------------------------------------------------------
  describe('Boundary Conditions', () => {
    it('should handle minimum value', () => {
      // expect(utilityFunction(0)).toBe(0)
    })
    it('should handle maximum value', () => {
      // expect(utilityFunction(Number.MAX_SAFE_INTEGER)).toBe(...)
    })
    it('should handle negative numbers', () => {
      // expect(utilityFunction(-1)).toBe(...)
    })
  })
  // --------------------------------------------------------------------------
  // Type Coercion (if applicable)
  // --------------------------------------------------------------------------
  describe('Type Handling', () => {
    it('should handle numeric string', () => {
      // expect(utilityFunction('123')).toBe(123)
    })
    it('should handle boolean', () => {
      // expect(utilityFunction(true)).toBe(...)
    })
  })
  // --------------------------------------------------------------------------
  // Error Cases
  // --------------------------------------------------------------------------
  describe('Error Handling', () => {
    it('should throw for invalid input', () => {
      // expect(() => utilityFunction('invalid')).toThrow('Error message')
    })
    it('should throw with specific error type', () => {
      // expect(() => utilityFunction('invalid')).toThrow(ValidationError)
    })
  })
  // --------------------------------------------------------------------------
  // Complex Objects (if applicable)
  // --------------------------------------------------------------------------
  describe('Object Handling', () => {
    it('should preserve object structure', () => {
      // const input = { a: 1, b: 2 }
      // expect(utilityFunction(input)).toEqual({ a: 1, b: 2 })
    })
    it('should handle nested objects', () => {
      // const input = { nested: { deep: 'value' } }
      // expect(utilityFunction(input)).toEqual({ nested: { deep: 'transformed' } })
    })
    it('should not mutate input', () => {
      // const input = { a: 1 }
      // const inputCopy = { ...input }
      // utilityFunction(input)
      // expect(input).toEqual(inputCopy)
    })
  })
  // --------------------------------------------------------------------------
  // Array Handling (if applicable)
  // --------------------------------------------------------------------------
  describe('Array Handling', () => {
    it('should process all elements', () => {
      // expect(utilityFunction([1, 2, 3])).toEqual([2, 4, 6])
    })
    it('should handle single element array', () => {
      // expect(utilityFunction([1])).toEqual([2])
    })
    it('should preserve order', () => {
      // expect(utilityFunction(['c', 'a', 'b'])).toEqual(['c', 'a', 'b'])
    })
  })
 })
--- a/.coveragerc
+++ b/.coveragerc
@@ -0,0 +1,5 @@
 [run]
 omit =
    api/tests/*
    api/migrations/*
    api/core/rag/datasource/vdb/*
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -9,6 +9,14 @@
 # Backend (default owner, more specific rules below will override)
 api/ @QuantumGhost
 # Backend - MCP
 api/core/mcp/ @Nov1c444
 api/core/entities/mcp_provider.py @Nov1c444
 api/services/tools/mcp_tools_manage_service.py @Nov1c444
 api/controllers/mcp/ @Nov1c444
 api/controllers/console/app/mcp_server.py @Nov1c444
 api/tests/**/*mcp* @Nov1c444
 # Backend - Workflow - Engine (Core graph execution engine)
 api/core/workflow/graph_engine/ @laipz8200 @QuantumGhost
 api/core/workflow/runtime/ @laipz8200 @QuantumGhost
--- a/.github/ISSUE_TEMPLATE/refactor.yml
+++ b/.github/ISSUE_TEMPLATE/refactor.yml
@@ -1,8 +1,6 @@
-name: "✨ Refactor"
+name: "✨ Refactor or Chore"
-description: Refactor existing code for improved readability and maintainability.
+description: Refactor existing code or perform maintenance chores to improve readability and reliability.
-title: "[Chore/Refactor] "
+title: "[Refactor/Chore] "
 labels:
  - refactor
 body:
  - type: checkboxes
    attributes:
@@ -11,7 +9,7 @@ body:
      options:
        - label: I have read the [Contributing Guide](https://github.com/langgenius/dify/blob/main/CONTRIBUTING.md) and [Language Policy](https://github.com/langgenius/dify/issues/1542).
          required: true
-        - label: This is only for refactoring, if you would like to ask a question, please head to [Discussions](https://github.com/langgenius/dify/discussions/categories/general).
+        - label: This is only for refactors or chores; if you would like to ask a question, please head to [Discussions](https://github.com/langgenius/dify/discussions/categories/general).
          required: true
        - label: I have searched for existing issues [search for existing issues](https://github.com/langgenius/dify/issues), including closed ones.
          required: true
@@ -25,14 +23,14 @@ body:
    id: description
    attributes:
      label: Description
-      placeholder: "Describe the refactor you are proposing."
+      placeholder: "Describe the refactor or chore you are proposing."
    validations:
      required: true
  - type: textarea
    id: motivation
    attributes:
      label: Motivation
-      placeholder: "Explain why this refactor is necessary."
+      placeholder: "Explain why this refactor or chore is necessary."
    validations:
      required: false
  - type: textarea
--- a/.github/ISSUE_TEMPLATE/tracker.yml
+++ b/.github/ISSUE_TEMPLATE/tracker.yml
@@ -1,13 +0,0 @@
 name: "👾 Tracker"
 description: For inner usages, please do not use this template.
 title: "[Tracker] "
 labels:
  - tracker
 body:
  - type: textarea
    id: content
    attributes:
      label: Blockers
      placeholder: "- [ ] ..."
    validations:
      required: true
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1,12 +0,0 @@
 # Copilot Instructions
 GitHub Copilot must follow the unified frontend testing requirements documented in `web/testing/testing.md`.
 Key reminders:
 - Generate tests using the mandated tech stack, naming, and code style (AAA pattern, `fireEvent`, descriptive test names, cleans up mocks).
 - Cover rendering, prop combinations, and edge cases by default; extend coverage for hooks, routing, async flows, and domain-specific components when applicable.
 - Target >95% line and branch coverage and 100% function/statement coverage.
 - Apply the project's mocking conventions for i18n, toast notifications, and Next.js utilities.
 Any suggestions from Copilot that conflict with `web/testing/testing.md` should be revised before acceptance.
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@@ -71,18 +71,18 @@ jobs:
        run: |
          cp api/tests/integration_tests/.env.example api/tests/integration_tests/.env
-      - name: Run Workflow
+      - name: Run API Tests
-        run: uv run --project api bash dev/pytest/pytest_workflow.sh
+        env:
-
+          STORAGE_TYPE: opendal
-      - name: Run Tool
+          OPENDAL_SCHEME: fs
-        run: uv run --project api bash dev/pytest/pytest_tools.sh
+          OPENDAL_FS_ROOT: /tmp/dify-storage
      - name: Run TestContainers
        run: uv run --project api bash dev/pytest/pytest_testcontainers.sh
      - name: Run Unit tests
        run: |
-          uv run --project api bash dev/pytest/pytest_unit_tests.sh
+          uv run --project api pytest \
            --timeout "${PYTEST_TIMEOUT:-180}" \
            api/tests/integration_tests/workflow \
            api/tests/integration_tests/tools \
            api/tests/test_containers_integration_tests \
            api/tests/unit_tests
      - name: Coverage Summary
        run: |
@@ -94,4 +94,3 @@ jobs:
          echo "### Test Coverage Summary :test_tube:" >> $GITHUB_STEP_SUMMARY
          echo "Total Coverage: ${TOTAL_COVERAGE}%" >> $GITHUB_STEP_SUMMARY
          uv run --project api coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/autofix.yml
+++ b/.github/workflows/autofix.yml
@@ -13,11 +13,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-
+      - uses: actions/setup-python@v5
      # Use uv to ensure we have the same ruff version in CI and locally.
      - uses: astral-sh/setup-uv@v6
        with:
          python-version: "3.11"
      - uses: astral-sh/setup-uv@v6
      - run: |
          cd api
          uv sync --dev
@@ -35,10 +36,11 @@ jobs:
      - name: ast-grep
        run: |
-          uvx --from ast-grep-cli sg --pattern 'db.session.query($WHATEVER).filter($HERE)' --rewrite 'db.session.query($WHATEVER).where($HERE)' -l py --update-all
+          # ast-grep exits 1 if no matches are found; allow idempotent runs.
-          uvx --from ast-grep-cli sg --pattern 'session.query($WHATEVER).filter($HERE)' --rewrite 'session.query($WHATEVER).where($HERE)' -l py --update-all
+          uvx --from ast-grep-cli ast-grep --pattern 'db.session.query($WHATEVER).filter($HERE)' --rewrite 'db.session.query($WHATEVER).where($HERE)' -l py --update-all || true
-          uvx --from ast-grep-cli sg -p '$A = db.Column($$$B)' -r '$A = mapped_column($$$B)' -l py --update-all
+          uvx --from ast-grep-cli ast-grep --pattern 'session.query($WHATEVER).filter($HERE)' --rewrite 'session.query($WHATEVER).where($HERE)' -l py --update-all || true
-          uvx --from ast-grep-cli sg -p '$A : $T = db.Column($$$B)' -r '$A : $T = mapped_column($$$B)' -l py --update-all
+          uvx --from ast-grep-cli ast-grep -p '$A = db.Column($$$B)' -r '$A = mapped_column($$$B)' -l py --update-all || true
          uvx --from ast-grep-cli ast-grep -p '$A : $T = db.Column($$$B)' -r '$A : $T = mapped_column($$$B)' -l py --update-all || true
          # Convert Optional[T] to T | None (ignoring quoted types)
          cat > /tmp/optional-rule.yml << 'EOF'
          id: convert-optional-to-union
@@ -56,14 +58,15 @@ jobs:
                    pattern: $T
          fix: $T | None
          EOF
-          uvx --from ast-grep-cli sg scan --inline-rules "$(cat /tmp/optional-rule.yml)" --update-all
+          uvx --from ast-grep-cli ast-grep scan . --inline-rules "$(cat /tmp/optional-rule.yml)" --update-all
          # Fix forward references that were incorrectly converted (Python doesn't support "Type" | None syntax)
          find . -name "*.py" -type f -exec sed -i.bak -E 's/"([^"]+)" \| None/Optional["\1"]/g; s/'"'"'([^'"'"']+)'"'"' \| None/Optional['"'"'\1'"'"']/g' {} \;
          find . -name "*.py.bak" -type f -delete
      # mdformat breaks YAML front matter in markdown files. Add --exclude for directories containing YAML front matter.
      - name: mdformat
        run: |
-          uvx mdformat .
+          uvx --python 3.13 mdformat . --exclude ".claude/skills/**"
      - name: Install pnpm
        uses: pnpm/action-setup@v4
@@ -84,7 +87,6 @@ jobs:
      - name: oxlint
        working-directory: ./web
-        run: |
+        run: pnpm exec oxlint --config .oxlintrc.json --fix .
          pnpx oxlint --fix
      - uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -0,0 +1,21 @@
 name: Semantic Pull Request
 on:
  pull_request:
    types:
      - opened
      - edited
      - reopened
      - synchronize
 jobs:
  lint:
    name: Validate PR title
    permissions:
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        uses: amannn/action-semantic-pull-request@v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -106,7 +106,7 @@ jobs:
      - name: Web type check
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ./web
-        run: pnpm run type-check
+        run: pnpm run type-check:tsgo
  docker-compose-template:
    name: Docker Compose Template
--- a/.gitignore
+++ b/.gitignore
@@ -189,6 +189,7 @@ docker/volumes/matrixone/*
 docker/volumes/mysql/*
 docker/volumes/seekdb/*
 !docker/volumes/oceanbase/init.d
 docker/volumes/iris/*
 docker/nginx/conf.d/default.conf
 docker/nginx/ssl/*
--- a/.nvmrc
+++ b/.nvmrc
@@ -0,0 +1 @@
 22.11.0
--- a/.windsurf/rules/testing.md
+++ b/.windsurf/rules/testing.md
@@ -1,5 +0,0 @@
 # Windsurf Testing Rules
 - Use `web/testing/testing.md` as the single source of truth for frontend automated testing.
 - Honor every requirement in that document when generating or accepting tests.
 - When proposing or saving tests, re-read that document and follow every requirement.
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -24,8 +24,8 @@ The codebase is split into:
 ```bash
 cd web
 pnpm lint
 pnpm lint:fix
 pnpm type-check:tsgo
 pnpm test
 ```
@@ -39,7 +39,7 @@ pnpm test
 ## Language Style
 - **Python**: Keep type hints on functions and attributes, and implement relevant special methods (e.g., `__repr__`, `__str__`).
- **TypeScript**: Use the strict config, lean on ESLint + Prettier workflows, and avoid `any` types.
+- **TypeScript**: Use the strict config, rely on ESLint (`pnpm lint:fix` preferred) plus `pnpm type-check:tsgo`, and avoid `any` types.
 ## General Practices
--- a/README.md
+++ b/README.md
@@ -139,6 +139,19 @@ Star Dify on GitHub and be instantly notified of new releases.
 If you need to customize the configuration, please refer to the comments in our [.env.example](docker/.env.example) file and update the corresponding values in your `.env` file. Additionally, you might need to make adjustments to the `docker-compose.yaml` file itself, such as changing image versions, port mappings, or volume mounts, based on your specific deployment environment and requirements. After making any changes, please re-run `docker-compose up -d`. You can find the full list of available environment variables [here](https://docs.dify.ai/getting-started/install-self-hosted/environments).
 #### Customizing Suggested Questions
 You can now customize the "Suggested Questions After Answer" feature to better fit your use case. For example, to generate longer, more technical questions:
 ```bash
 # In your .env file
 SUGGESTED_QUESTIONS_PROMPT='Please help me predict the five most likely technical follow-up questions a developer would ask. Focus on implementation details, best practices, and architecture considerations. Keep each question between 40-60 characters. Output must be JSON array: ["question1","question2","question3","question4","question5"]'
 SUGGESTED_QUESTIONS_MAX_TOKENS=512
 SUGGESTED_QUESTIONS_TEMPERATURE=0.3
 ```
 See the [Suggested Questions Configuration Guide](docs/suggested-questions-configuration.md) for detailed examples and usage instructions.
 ### Metrics Monitoring with Grafana
 Import the dashboard to Grafana, using Dify's PostgreSQL database as data source, to monitor metrics in granularity of apps, tenants, messages, and more.
--- a/api/.env.example
+++ b/api/.env.example
@@ -633,8 +633,41 @@ SWAGGER_UI_PATH=/swagger-ui.html
 # Set to false to export dataset IDs as plain text for easier cross-environment import
 DSL_EXPORT_ENCRYPT_DATASET_ID=true
 # Suggested Questions After Answer Configuration
 # These environment variables allow customization of the suggested questions feature
 #
 # Custom prompt for generating suggested questions (optional)
 # If not set, uses the default prompt that generates 3 questions under 20 characters each
 # Example: "Please help me predict the five most likely technical follow-up questions a developer would ask. Focus on implementation details, best practices, and architecture considerations. Keep each question between 40-60 characters. Output must be JSON array: [\"question1\",\"question2\",\"question3\",\"question4\",\"question5\"]"
 # SUGGESTED_QUESTIONS_PROMPT=
 # Maximum number of tokens for suggested questions generation (default: 256)
 # Adjust this value for longer questions or more questions
 # SUGGESTED_QUESTIONS_MAX_TOKENS=256
 # Temperature for suggested questions generation (default: 0.0)
 # Higher values (0.5-1.0) produce more creative questions, lower values (0.0-0.3) produce more focused questions
 # SUGGESTED_QUESTIONS_TEMPERATURE=0
 # Tenant isolated task queue configuration
 TENANT_ISOLATED_TASK_CONCURRENCY=1
 # Maximum number of segments for dataset segments API (0 for unlimited)
 DATASET_MAX_SEGMENTS_PER_REQUEST=0
 # Multimodal knowledgebase limit
 SINGLE_CHUNK_ATTACHMENT_LIMIT=10
 ATTACHMENT_IMAGE_FILE_SIZE_LIMIT=2
 ATTACHMENT_IMAGE_DOWNLOAD_TIMEOUT=60
 IMAGE_FILE_BATCH_LIMIT=10
 # Maximum allowed CSV file size for annotation import in megabytes
 ANNOTATION_IMPORT_FILE_SIZE_LIMIT=2
 #Maximum number of annotation records allowed in a single import
 ANNOTATION_IMPORT_MAX_RECORDS=10000
 # Minimum number of annotation records required in a single import
 ANNOTATION_IMPORT_MIN_RECORDS=1
 ANNOTATION_IMPORT_RATE_LIMIT_PER_MINUTE=5
 ANNOTATION_IMPORT_RATE_LIMIT_PER_HOUR=20
 # Maximum number of concurrent annotation import tasks per tenant
 ANNOTATION_IMPORT_MAX_CONCURRENT=5
--- a/api/.ruff.toml
+++ b/api/.ruff.toml
@@ -36,17 +36,20 @@ select = [
    "UP",      # pyupgrade rules
    "W191",    # tab-indentation
    "W605",    # invalid-escape-sequence
    "G001",    # don't use str format to logging messages
    "G003",    # don't use + in logging messages
    "G004",    # don't use f-strings to format logging messages
    "UP042",   # use StrEnum,
    "S110",    # disallow the try-except-pass pattern.
    # security related linting rules
    # RCE proctection (sort of)
    "S102", # exec-builtin, disallow use of `exec`
    "S307", # suspicious-eval-usage, disallow use of `eval` and `ast.literal_eval`
    "S301", # suspicious-pickle-usage, disallow use of `pickle` and its wrappers.
    "S302", # suspicious-marshal-usage, disallow use of `marshal` module
-    "S311", # suspicious-non-cryptographic-random-usage
+    "S311", # suspicious-non-cryptographic-random-usage,
-    "G001", # don't use str format to logging messages
+
    "G003", # don't use + in logging messages
    "G004", # don't use f-strings to format logging messages
    "UP042", # use StrEnum
 ]
 ignore = [
@@ -91,18 +94,16 @@ ignore = [
 "configs/*" = [
    "N802", # invalid-function-name
 ]
-"core/model_runtime/callbacks/base_callback.py" = [
+"core/model_runtime/callbacks/base_callback.py" = ["T201"]
-    "T201",
+"core/workflow/callbacks/workflow_logging_callback.py" = ["T201"]
 ]
 "core/workflow/callbacks/workflow_logging_callback.py" = [
    "T201",
 ]
 "libs/gmpy2_pkcs10aep_cipher.py" = [
    "N803", # invalid-argument-name
 ]
 "tests/*" = [
    "F811", # redefined-while-unused
-    "T201", # allow print in tests
+    "T201", # allow print in tests,
    "S110", # allow ignoring exceptions in tests code (currently)
 ]
 [lint.pyflakes]
--- a/api/app_factory.py
+++ b/api/app_factory.py
@@ -1,6 +1,8 @@
 import logging
 import time
 from opentelemetry.trace import get_current_span
 from configs import dify_config
 from contexts.wrapper import RecyclableContextVar
 from dify_app import DifyApp
@@ -26,8 +28,25 @@ def create_flask_app_with_configs() -> DifyApp:
        # add an unique identifier to each request
        RecyclableContextVar.increment_thread_recycles()
    # add after request hook for injecting X-Trace-Id header from OpenTelemetry span context
    @dify_app.after_request
    def add_trace_id_header(response):
        try:
            span = get_current_span()
            ctx = span.get_span_context() if span else None
            if ctx and ctx.is_valid:
                trace_id_hex = format(ctx.trace_id, "032x")
                # Avoid duplicates if some middleware added it
                if "X-Trace-Id" not in response.headers:
                    response.headers["X-Trace-Id"] = trace_id_hex
        except Exception:
            # Never break the response due to tracing header injection
            logger.warning("Failed to add trace ID to response header", exc_info=True)
        return response
    # Capture the decorator's return value to avoid pyright reportUnusedFunction
    _ = before_request
    _ = add_trace_id_header
    return dify_app
@@ -64,6 +83,7 @@ def initialize_extensions(app: DifyApp):
        ext_redis,
        ext_request_logging,
        ext_sentry,
        ext_session_factory,
        ext_set_secretkey,
        ext_storage,
        ext_timezone,
@@ -95,6 +115,7 @@ def initialize_extensions(app: DifyApp):
        ext_commands,
        ext_otel,
        ext_request_logging,
        ext_session_factory,
    ]
    for ext in extensions:
        short_name = ext.__name__.split(".")[-1]
--- a/api/commands.py
+++ b/api/commands.py
@@ -1139,6 +1139,7 @@ def remove_orphaned_files_on_storage(force: bool):
        click.echo(click.style(f"Found {len(all_files_in_tables)} files in tables.", fg="white"))
    except Exception as e:
        click.echo(click.style(f"Error fetching keys: {str(e)}", fg="red"))
        return
    all_files_on_storage = []
    for storage_path in storage_paths:
--- a/api/configs/feature/init.py
+++ b/api/configs/feature/init.py
@@ -360,6 +360,57 @@ class FileUploadConfig(BaseSettings):
        default=10,
    )
    IMAGE_FILE_BATCH_LIMIT: PositiveInt = Field(
        description="Maximum number of files allowed in a image batch upload operation",
        default=10,
    )
    SINGLE_CHUNK_ATTACHMENT_LIMIT: PositiveInt = Field(
        description="Maximum number of files allowed in a single chunk attachment",
        default=10,
    )
    ATTACHMENT_IMAGE_FILE_SIZE_LIMIT: NonNegativeInt = Field(
        description="Maximum allowed image file size for attachments in megabytes",
        default=2,
    )
    ATTACHMENT_IMAGE_DOWNLOAD_TIMEOUT: NonNegativeInt = Field(
        description="Timeout for downloading image attachments in seconds",
        default=60,
    )
    # Annotation Import Security Configurations
    ANNOTATION_IMPORT_FILE_SIZE_LIMIT: NonNegativeInt = Field(
        description="Maximum allowed CSV file size for annotation import in megabytes",
        default=2,
    )
    ANNOTATION_IMPORT_MAX_RECORDS: PositiveInt = Field(
        description="Maximum number of annotation records allowed in a single import",
        default=10000,
    )
    ANNOTATION_IMPORT_MIN_RECORDS: PositiveInt = Field(
        description="Minimum number of annotation records required in a single import",
        default=1,
    )
    ANNOTATION_IMPORT_RATE_LIMIT_PER_MINUTE: PositiveInt = Field(
        description="Maximum number of annotation import requests per minute per tenant",
        default=5,
    )
    ANNOTATION_IMPORT_RATE_LIMIT_PER_HOUR: PositiveInt = Field(
        description="Maximum number of annotation import requests per hour per tenant",
        default=20,
    )
    ANNOTATION_IMPORT_MAX_CONCURRENT: PositiveInt = Field(
        description="Maximum number of concurrent annotation import tasks per tenant",
        default=2,
    )
    inner_UPLOAD_FILE_EXTENSION_BLACKLIST: str = Field(
        description=(
            "Comma-separated list of file extensions that are blocked from upload. "
@@ -553,7 +604,10 @@ class LoggingConfig(BaseSettings):
    LOG_FORMAT: str = Field(
        description="Format string for log messages",
-        default="%(asctime)s.%(msecs)03d %(levelname)s [%(threadName)s] [%(filename)s:%(lineno)d] - %(message)s",
+        default=(
            "%(asctime)s.%(msecs)03d %(levelname)s [%(threadName)s] "
            "[%(filename)s:%(lineno)d] %(trace_id)s - %(message)s"
        ),
    )
    LOG_DATEFORMAT: str | None = Field(
--- a/api/configs/middleware/init.py
+++ b/api/configs/middleware/init.py
@@ -26,6 +26,7 @@ from .vdb.clickzetta_config import ClickzettaConfig
 from .vdb.couchbase_config import CouchbaseConfig
 from .vdb.elasticsearch_config import ElasticsearchConfig
 from .vdb.huawei_cloud_config import HuaweiCloudConfig
 from .vdb.iris_config import IrisVectorConfig
 from .vdb.lindorm_config import LindormConfig
 from .vdb.matrixone_config import MatrixoneConfig
 from .vdb.milvus_config import MilvusConfig
@@ -106,7 +107,7 @@ class KeywordStoreConfig(BaseSettings):
 class DatabaseConfig(BaseSettings):
    # Database type selector
-    DB_TYPE: Literal["postgresql", "mysql", "oceanbase"] = Field(
+    DB_TYPE: Literal["postgresql", "mysql", "oceanbase", "seekdb"] = Field(
        description="Database type to use. OceanBase is MySQL-compatible.",
        default="postgresql",
    )
@@ -336,6 +337,7 @@ class MiddlewareConfig(
    ChromaConfig,
    ClickzettaConfig,
    HuaweiCloudConfig,
    IrisVectorConfig,
    MilvusConfig,
    AlibabaCloudMySQLConfig,
    MyScaleConfig,
--- a/api/configs/middleware/vdb/iris_config.py
+++ b/api/configs/middleware/vdb/iris_config.py
@@ -0,0 +1,91 @@
 """Configuration for InterSystems IRIS vector database."""
 from pydantic import Field, PositiveInt, model_validator
 from pydantic_settings import BaseSettings
 class IrisVectorConfig(BaseSettings):
    """Configuration settings for IRIS vector database connection and pooling."""
    IRIS_HOST: str | None = Field(
        description="Hostname or IP address of the IRIS server.",
        default="localhost",
    )
    IRIS_SUPER_SERVER_PORT: PositiveInt | None = Field(
        description="Port number for IRIS connection.",
        default=1972,
    )
    IRIS_USER: str | None = Field(
        description="Username for IRIS authentication.",
        default="_SYSTEM",
    )
    IRIS_PASSWORD: str | None = Field(
        description="Password for IRIS authentication.",
        default="Dify@1234",
    )
    IRIS_SCHEMA: str | None = Field(
        description="Schema name for IRIS tables.",
        default="dify",
    )
    IRIS_DATABASE: str | None = Field(
        description="Database namespace for IRIS connection.",
        default="USER",
    )
    IRIS_CONNECTION_URL: str | None = Field(
        description="Full connection URL for IRIS (overrides individual fields if provided).",
        default=None,
    )
    IRIS_MIN_CONNECTION: PositiveInt = Field(
        description="Minimum number of connections in the pool.",
        default=1,
    )
    IRIS_MAX_CONNECTION: PositiveInt = Field(
        description="Maximum number of connections in the pool.",
        default=3,
    )
    IRIS_TEXT_INDEX: bool = Field(
        description="Enable full-text search index using %iFind.Index.Basic.",
        default=True,
    )
    IRIS_TEXT_INDEX_LANGUAGE: str = Field(
        description="Language for full-text search index (e.g., 'en', 'ja', 'zh', 'de').",
        default="en",
    )
    @model_validator(mode="before")
    @classmethod
    def validate_config(cls, values: dict) -> dict:
        """Validate IRIS configuration values.
        Args:
            values: Configuration dictionary
        Returns:
            Validated configuration dictionary
        Raises:
            ValueError: If required fields are missing or pool settings are invalid
        """
        # Only validate required fields if IRIS is being used as the vector store
        # This allows the config to be loaded even when IRIS is not in use
        # vector_store = os.environ.get("VECTOR_STORE", "")
        # We rely on Pydantic defaults for required fields if they are missing from env.
        # Strict existence check is removed to allow defaults to work.
        min_conn = values.get("IRIS_MIN_CONNECTION", 1)
        max_conn = values.get("IRIS_MAX_CONNECTION", 3)
        if min_conn > max_conn:
            raise ValueError("IRIS_MIN_CONNECTION must be less than or equal to IRIS_MAX_CONNECTION")
        return values
--- a/api/constants/languages.py
+++ b/api/constants/languages.py
@@ -20,6 +20,7 @@ language_timezone_mapping = {
    "sl-SI": "Europe/Ljubljana",
    "th-TH": "Asia/Bangkok",
    "id-ID": "Asia/Jakarta",
    "ar-TN": "Africa/Tunis",
 }
 languages = list(language_timezone_mapping.keys())
--- a/api/controllers/common/schema.py
+++ b/api/controllers/common/schema.py
@@ -0,0 +1,26 @@
 """Helpers for registering Pydantic models with Flask-RESTX namespaces."""
 from flask_restx import Namespace
 from pydantic import BaseModel
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 def register_schema_model(namespace: Namespace, model: type[BaseModel]) -> None:
    """Register a single BaseModel with a namespace for Swagger documentation."""
    namespace.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
 def register_schema_models(namespace: Namespace, *models: type[BaseModel]) -> None:
    """Register multiple BaseModels with a namespace."""
    for model in models:
        register_schema_model(namespace, model)
 __all__ = [
    "DEFAULT_REF_TEMPLATE_SWAGGER_2_0",
    "register_schema_model",
    "register_schema_models",
 ]
--- a/api/controllers/console/admin.py
+++ b/api/controllers/console/admin.py
@@ -3,21 +3,47 @@ from functools import wraps
 from typing import ParamSpec, TypeVar
 from flask import request
-from flask_restx import Resource, fields, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field, field_validator
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import NotFound, Unauthorized
 P = ParamSpec("P")
 R = TypeVar("R")
 from configs import dify_config
 from constants.languages import supported_language
 from controllers.console import console_ns
 from controllers.console.wraps import only_edition_cloud
 from core.db.session_factory import session_factory
 from extensions.ext_database import db
 from libs.token import extract_access_token
 from models.model import App, InstalledApp, RecommendedApp
 P = ParamSpec("P")
 R = TypeVar("R")
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class InsertExploreAppPayload(BaseModel):
    app_id: str = Field(...)
    desc: str | None = None
    copyright: str | None = None
    privacy_policy: str | None = None
    custom_disclaimer: str | None = None
    language: str = Field(...)
    category: str = Field(...)
    position: int = Field(...)
    @field_validator("language")
    @classmethod
    def validate_language(cls, value: str) -> str:
        return supported_language(value)
 console_ns.schema_model(
    InsertExploreAppPayload.__name__,
    InsertExploreAppPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 def admin_required(view: Callable[P, R]):
    @wraps(view)
@@ -40,59 +66,34 @@ def admin_required(view: Callable[P, R]):
 class InsertExploreAppListApi(Resource):
    @console_ns.doc("insert_explore_app")
    @console_ns.doc(description="Insert or update an app in the explore list")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[InsertExploreAppPayload.__name__])
        console_ns.model(
            "InsertExploreAppRequest",
            {
                "app_id": fields.String(required=True, description="Application ID"),
                "desc": fields.String(description="App description"),
                "copyright": fields.String(description="Copyright information"),
                "privacy_policy": fields.String(description="Privacy policy"),
                "custom_disclaimer": fields.String(description="Custom disclaimer"),
                "language": fields.String(required=True, description="Language code"),
                "category": fields.String(required=True, description="App category"),
                "position": fields.Integer(required=True, description="Display position"),
            },
        )
    )
    @console_ns.response(200, "App updated successfully")
    @console_ns.response(201, "App inserted successfully")
    @console_ns.response(404, "App not found")
    @only_edition_cloud
    @admin_required
    def post(self):
-        parser = (
+        payload = InsertExploreAppPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("app_id", type=str, required=True, nullable=False, location="json")
            .add_argument("desc", type=str, location="json")
            .add_argument("copyright", type=str, location="json")
            .add_argument("privacy_policy", type=str, location="json")
            .add_argument("custom_disclaimer", type=str, location="json")
            .add_argument("language", type=supported_language, required=True, nullable=False, location="json")
            .add_argument("category", type=str, required=True, nullable=False, location="json")
            .add_argument("position", type=int, required=True, nullable=False, location="json")
        )
        args = parser.parse_args()
-        app = db.session.execute(select(App).where(App.id == args["app_id"])).scalar_one_or_none()
+        app = db.session.execute(select(App).where(App.id == payload.app_id)).scalar_one_or_none()
        if not app:
-            raise NotFound(f"App '{args['app_id']}' is not found")
+            raise NotFound(f"App '{payload.app_id}' is not found")
        site = app.site
        if not site:
-            desc = args["desc"] or ""
+            desc = payload.desc or ""
-            copy_right = args["copyright"] or ""
+            copy_right = payload.copyright or ""
-            privacy_policy = args["privacy_policy"] or ""
+            privacy_policy = payload.privacy_policy or ""
-            custom_disclaimer = args["custom_disclaimer"] or ""
+            custom_disclaimer = payload.custom_disclaimer or ""
        else:
-            desc = site.description or args["desc"] or ""
+            desc = site.description or payload.desc or ""
-            copy_right = site.copyright or args["copyright"] or ""
+            copy_right = site.copyright or payload.copyright or ""
-            privacy_policy = site.privacy_policy or args["privacy_policy"] or ""
+            privacy_policy = site.privacy_policy or payload.privacy_policy or ""
-            custom_disclaimer = site.custom_disclaimer or args["custom_disclaimer"] or ""
+            custom_disclaimer = site.custom_disclaimer or payload.custom_disclaimer or ""
-        with Session(db.engine) as session:
+        with session_factory.create_session() as session:
            recommended_app = session.execute(
-                select(RecommendedApp).where(RecommendedApp.app_id == args["app_id"])
+                select(RecommendedApp).where(RecommendedApp.app_id == payload.app_id)
            ).scalar_one_or_none()
            if not recommended_app:
@@ -102,9 +103,9 @@ class InsertExploreAppListApi(Resource):
                    copyright=copy_right,
                    privacy_policy=privacy_policy,
                    custom_disclaimer=custom_disclaimer,
-                    language=args["language"],
+                    language=payload.language,
-                    category=args["category"],
+                    category=payload.category,
-                    position=args["position"],
+                    position=payload.position,
                )
                db.session.add(recommended_app)
@@ -118,9 +119,9 @@ class InsertExploreAppListApi(Resource):
                recommended_app.copyright = copy_right
                recommended_app.privacy_policy = privacy_policy
                recommended_app.custom_disclaimer = custom_disclaimer
-                recommended_app.language = args["language"]
+                recommended_app.language = payload.language
-                recommended_app.category = args["category"]
+                recommended_app.category = payload.category
-                recommended_app.position = args["position"]
+                recommended_app.position = payload.position
                app.is_public = True
@@ -138,7 +139,7 @@ class InsertExploreAppApi(Resource):
    @only_edition_cloud
    @admin_required
    def delete(self, app_id):
-        with Session(db.engine) as session:
+        with session_factory.create_session() as session:
            recommended_app = session.execute(
                select(RecommendedApp).where(RecommendedApp.app_id == str(app_id))
            ).scalar_one_or_none()
@@ -146,13 +147,13 @@ class InsertExploreAppApi(Resource):
        if not recommended_app:
            return {"result": "success"}, 204
-        with Session(db.engine) as session:
+        with session_factory.create_session() as session:
            app = session.execute(select(App).where(App.id == recommended_app.app_id)).scalar_one_or_none()
        if app:
            app.is_public = False
-        with Session(db.engine) as session:
+        with session_factory.create_session() as session:
            installed_apps = (
                session.execute(
                    select(InstalledApp).where(
--- a/api/controllers/console/app/agent.py
+++ b/api/controllers/console/app/agent.py
@@ -1,4 +1,6 @@
-from flask_restx import Resource, fields, reqparse
+from flask import request
 from flask_restx import Resource, fields
 from pydantic import BaseModel, Field, field_validator
 from controllers.console import console_ns
 from controllers.console.app.wraps import get_app_model
@@ -8,10 +10,21 @@ from libs.login import login_required
 from models.model import AppMode
 from services.agent_service import AgentService
-parser = (
+DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
-    reqparse.RequestParser()
+
-    .add_argument("message_id", type=uuid_value, required=True, location="args", help="Message UUID")
+
-    .add_argument("conversation_id", type=uuid_value, required=True, location="args", help="Conversation UUID")
+class AgentLogQuery(BaseModel):
    message_id: str = Field(..., description="Message UUID")
    conversation_id: str = Field(..., description="Conversation UUID")
    @field_validator("message_id", "conversation_id")
    @classmethod
    def validate_uuid(cls, value: str) -> str:
        return uuid_value(value)
 console_ns.schema_model(
    AgentLogQuery.__name__, AgentLogQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
@@ -20,7 +33,7 @@ class AgentLogApi(Resource):
    @console_ns.doc("get_agent_logs")
    @console_ns.doc(description="Get agent execution logs for an application")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(parser)
+    @console_ns.expect(console_ns.models[AgentLogQuery.__name__])
    @console_ns.response(
        200, "Agent logs retrieved successfully", fields.List(fields.Raw(description="Agent log entries"))
    )
@@ -31,6 +44,6 @@ class AgentLogApi(Resource):
    @get_app_model(mode=[AppMode.AGENT_CHAT])
    def get(self, app_model):
        """Get agent logs"""
-        args = parser.parse_args()
+        args = AgentLogQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
-        return AgentService.get_agent_logs(app_model, args["conversation_id"], args["message_id"])
+        return AgentService.get_agent_logs(app_model, args.conversation_id, args.message_id)
--- a/api/controllers/console/app/annotation.py
+++ b/api/controllers/console/app/annotation.py
@@ -1,12 +1,15 @@
-from typing import Literal
+from typing import Any, Literal
-from flask import request
+from flask import abort, make_response, request
-from flask_restx import Resource, fields, marshal, marshal_with, reqparse
+from flask_restx import Resource, fields, marshal, marshal_with
 from pydantic import BaseModel, Field, field_validator
 from controllers.common.errors import NoFileUploadedError, TooManyFilesError
 from controllers.console import console_ns
 from controllers.console.wraps import (
    account_initialization_required,
    annotation_import_concurrency_limit,
    annotation_import_rate_limit,
    cloud_edition_billing_resource_check,
    edit_permission_required,
    setup_required,
@@ -21,22 +24,79 @@ from libs.helper import uuid_value
 from libs.login import login_required
 from services.annotation_service import AppAnnotationService
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class AnnotationReplyPayload(BaseModel):
    score_threshold: float = Field(..., description="Score threshold for annotation matching")
    embedding_provider_name: str = Field(..., description="Embedding provider name")
    embedding_model_name: str = Field(..., description="Embedding model name")
 class AnnotationSettingUpdatePayload(BaseModel):
    score_threshold: float = Field(..., description="Score threshold")
 class AnnotationListQuery(BaseModel):
    page: int = Field(default=1, ge=1, description="Page number")
    limit: int = Field(default=20, ge=1, description="Page size")
    keyword: str = Field(default="", description="Search keyword")
 class CreateAnnotationPayload(BaseModel):
    message_id: str | None = Field(default=None, description="Message ID")
    question: str | None = Field(default=None, description="Question text")
    answer: str | None = Field(default=None, description="Answer text")
    content: str | None = Field(default=None, description="Content text")
    annotation_reply: dict[str, Any] | None = Field(default=None, description="Annotation reply data")
    @field_validator("message_id")
    @classmethod
    def validate_message_id(cls, value: str | None) -> str | None:
        if value is None:
            return value
        return uuid_value(value)
 class UpdateAnnotationPayload(BaseModel):
    question: str | None = None
    answer: str | None = None
    content: str | None = None
    annotation_reply: dict[str, Any] | None = None
 class AnnotationReplyStatusQuery(BaseModel):
    action: Literal["enable", "disable"]
 class AnnotationFilePayload(BaseModel):
    message_id: str = Field(..., description="Message ID")
    @field_validator("message_id")
    @classmethod
    def validate_message_id(cls, value: str) -> str:
        return uuid_value(value)
 def reg(model: type[BaseModel]) -> None:
    console_ns.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
 reg(AnnotationReplyPayload)
 reg(AnnotationSettingUpdatePayload)
 reg(AnnotationListQuery)
 reg(CreateAnnotationPayload)
 reg(UpdateAnnotationPayload)
 reg(AnnotationReplyStatusQuery)
 reg(AnnotationFilePayload)
@console_ns.route("/apps/<uuid:app_id>/annotation-reply/<string:action>")
 class AnnotationReplyActionApi(Resource):
    @console_ns.doc("annotation_reply_action")
    @console_ns.doc(description="Enable or disable annotation reply for an app")
    @console_ns.doc(params={"app_id": "Application ID", "action": "Action to perform (enable/disable)"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[AnnotationReplyPayload.__name__])
        console_ns.model(
            "AnnotationReplyActionRequest",
            {
                "score_threshold": fields.Float(required=True, description="Score threshold for annotation matching"),
                "embedding_provider_name": fields.String(required=True, description="Embedding provider name"),
                "embedding_model_name": fields.String(required=True, description="Embedding model name"),
            },
        )
    )
    @console_ns.response(200, "Action completed successfully")
    @console_ns.response(403, "Insufficient permissions")
    @setup_required
@@ -46,15 +106,9 @@ class AnnotationReplyActionApi(Resource):
    @edit_permission_required
    def post(self, app_id, action: Literal["enable", "disable"]):
        app_id = str(app_id)
-        parser = (
+        args = AnnotationReplyPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("score_threshold", required=True, type=float, location="json")
            .add_argument("embedding_provider_name", required=True, type=str, location="json")
            .add_argument("embedding_model_name", required=True, type=str, location="json")
        )
        args = parser.parse_args()
        if action == "enable":
-            result = AppAnnotationService.enable_app_annotation(args, app_id)
+            result = AppAnnotationService.enable_app_annotation(args.model_dump(), app_id)
        elif action == "disable":
            result = AppAnnotationService.disable_app_annotation(app_id)
        return result, 200
@@ -82,16 +136,7 @@ class AppAnnotationSettingUpdateApi(Resource):
    @console_ns.doc("update_annotation_setting")
    @console_ns.doc(description="Update annotation settings for an app")
    @console_ns.doc(params={"app_id": "Application ID", "annotation_setting_id": "Annotation setting ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[AnnotationSettingUpdatePayload.__name__])
        console_ns.model(
            "AnnotationSettingUpdateRequest",
            {
                "score_threshold": fields.Float(required=True, description="Score threshold"),
                "embedding_provider_name": fields.String(required=True, description="Embedding provider"),
                "embedding_model_name": fields.String(required=True, description="Embedding model"),
            },
        )
    )
    @console_ns.response(200, "Settings updated successfully")
    @console_ns.response(403, "Insufficient permissions")
    @setup_required
@@ -102,10 +147,9 @@ class AppAnnotationSettingUpdateApi(Resource):
        app_id = str(app_id)
        annotation_setting_id = str(annotation_setting_id)
-        parser = reqparse.RequestParser().add_argument("score_threshold", required=True, type=float, location="json")
+        args = AnnotationSettingUpdatePayload.model_validate(console_ns.payload)
        args = parser.parse_args()
-        result = AppAnnotationService.update_app_annotation_setting(app_id, annotation_setting_id, args)
+        result = AppAnnotationService.update_app_annotation_setting(app_id, annotation_setting_id, args.model_dump())
        return result, 200
@@ -142,12 +186,7 @@ class AnnotationApi(Resource):
    @console_ns.doc("list_annotations")
    @console_ns.doc(description="Get annotations for an app with pagination")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[AnnotationListQuery.__name__])
        console_ns.parser()
        .add_argument("page", type=int, location="args", default=1, help="Page number")
        .add_argument("limit", type=int, location="args", default=20, help="Page size")
        .add_argument("keyword", type=str, location="args", default="", help="Search keyword")
    )
    @console_ns.response(200, "Annotations retrieved successfully")
    @console_ns.response(403, "Insufficient permissions")
    @setup_required
@@ -155,9 +194,10 @@ class AnnotationApi(Resource):
    @account_initialization_required
    @edit_permission_required
    def get(self, app_id):
-        page = request.args.get("page", default=1, type=int)
+        args = AnnotationListQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
-        limit = request.args.get("limit", default=20, type=int)
+        page = args.page
-        keyword = request.args.get("keyword", default="", type=str)
+        limit = args.limit
        keyword = args.keyword
        app_id = str(app_id)
        annotation_list, total = AppAnnotationService.get_annotation_list_by_app_id(app_id, page, limit, keyword)
@@ -173,18 +213,7 @@ class AnnotationApi(Resource):
    @console_ns.doc("create_annotation")
    @console_ns.doc(description="Create a new annotation for an app")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[CreateAnnotationPayload.__name__])
        console_ns.model(
            "CreateAnnotationRequest",
            {
                "message_id": fields.String(description="Message ID (optional)"),
                "question": fields.String(description="Question text (required when message_id not provided)"),
                "answer": fields.String(description="Answer text (use 'answer' or 'content')"),
                "content": fields.String(description="Content text (use 'answer' or 'content')"),
                "annotation_reply": fields.Raw(description="Annotation reply data"),
            },
        )
    )
    @console_ns.response(201, "Annotation created successfully", build_annotation_model(console_ns))
    @console_ns.response(403, "Insufficient permissions")
    @setup_required
@@ -195,16 +224,9 @@ class AnnotationApi(Resource):
    @edit_permission_required
    def post(self, app_id):
        app_id = str(app_id)
-        parser = (
+        args = CreateAnnotationPayload.model_validate(console_ns.payload)
-            reqparse.RequestParser()
+        data = args.model_dump(exclude_none=True)
-            .add_argument("message_id", required=False, type=uuid_value, location="json")
+        annotation = AppAnnotationService.up_insert_app_annotation_from_message(data, app_id)
            .add_argument("question", required=False, type=str, location="json")
            .add_argument("answer", required=False, type=str, location="json")
            .add_argument("content", required=False, type=str, location="json")
            .add_argument("annotation_reply", required=False, type=dict, location="json")
        )
        args = parser.parse_args()
        annotation = AppAnnotationService.up_insert_app_annotation_from_message(args, app_id)
        return annotation
    @setup_required
@@ -237,7 +259,7 @@ class AnnotationApi(Resource):
@console_ns.route("/apps/<uuid:app_id>/annotations/export")
 class AnnotationExportApi(Resource):
    @console_ns.doc("export_annotations")
-    @console_ns.doc(description="Export all annotations for an app")
+    @console_ns.doc(description="Export all annotations for an app with CSV injection protection")
    @console_ns.doc(params={"app_id": "Application ID"})
    @console_ns.response(
        200,
@@ -252,15 +274,14 @@ class AnnotationExportApi(Resource):
    def get(self, app_id):
        app_id = str(app_id)
        annotation_list = AppAnnotationService.export_annotation_list_by_app_id(app_id)
-        response = {"data": marshal(annotation_list, annotation_fields)}
+        response_data = {"data": marshal(annotation_list, annotation_fields)}
        return response, 200
        # Create response with secure headers for CSV export
        response = make_response(response_data, 200)
        response.headers["Content-Type"] = "application/json; charset=utf-8"
        response.headers["X-Content-Type-Options"] = "nosniff"
-parser = (
+        return response
    reqparse.RequestParser()
    .add_argument("question", required=True, type=str, location="json")
    .add_argument("answer", required=True, type=str, location="json")
 )
@console_ns.route("/apps/<uuid:app_id>/annotations/<uuid:annotation_id>")
@@ -271,7 +292,7 @@ class AnnotationUpdateDeleteApi(Resource):
    @console_ns.response(200, "Annotation updated successfully", build_annotation_model(console_ns))
    @console_ns.response(204, "Annotation deleted successfully")
    @console_ns.response(403, "Insufficient permissions")
-    @console_ns.expect(parser)
+    @console_ns.expect(console_ns.models[UpdateAnnotationPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -281,8 +302,10 @@ class AnnotationUpdateDeleteApi(Resource):
    def post(self, app_id, annotation_id):
        app_id = str(app_id)
        annotation_id = str(annotation_id)
-        args = parser.parse_args()
+        args = UpdateAnnotationPayload.model_validate(console_ns.payload)
-        annotation = AppAnnotationService.update_app_annotation_directly(args, app_id, annotation_id)
+        annotation = AppAnnotationService.update_app_annotation_directly(
            args.model_dump(exclude_none=True), app_id, annotation_id
        )
        return annotation
    @setup_required
@@ -299,18 +322,25 @@ class AnnotationUpdateDeleteApi(Resource):
@console_ns.route("/apps/<uuid:app_id>/annotations/batch-import")
 class AnnotationBatchImportApi(Resource):
    @console_ns.doc("batch_import_annotations")
-    @console_ns.doc(description="Batch import annotations from CSV file")
+    @console_ns.doc(description="Batch import annotations from CSV file with rate limiting and security checks")
    @console_ns.doc(params={"app_id": "Application ID"})
    @console_ns.response(200, "Batch import started successfully")
    @console_ns.response(403, "Insufficient permissions")
    @console_ns.response(400, "No file uploaded or too many files")
    @console_ns.response(413, "File too large")
    @console_ns.response(429, "Too many requests or concurrent imports")
    @setup_required
    @login_required
    @account_initialization_required
    @cloud_edition_billing_resource_check("annotation")
    @annotation_import_rate_limit
    @annotation_import_concurrency_limit
    @edit_permission_required
    def post(self, app_id):
        from configs import dify_config
        app_id = str(app_id)
        # check file
        if "file" not in request.files:
            raise NoFileUploadedError()
@@ -320,9 +350,27 @@ class AnnotationBatchImportApi(Resource):
        # get file from request
        file = request.files["file"]
        # check file type
        if not file.filename or not file.filename.lower().endswith(".csv"):
            raise ValueError("Invalid file type. Only CSV files are allowed")
        # Check file size before processing
        file.seek(0, 2)  # Seek to end of file
        file_size = file.tell()
        file.seek(0)  # Reset to beginning
        max_size_bytes = dify_config.ANNOTATION_IMPORT_FILE_SIZE_LIMIT * 1024 * 1024
        if file_size > max_size_bytes:
            abort(
                413,
                f"File size exceeds maximum limit of {dify_config.ANNOTATION_IMPORT_FILE_SIZE_LIMIT}MB. "
                f"Please reduce the file size and try again.",
            )
        if file_size == 0:
            raise ValueError("The uploaded file is empty")
        return AppAnnotationService.batch_import_app_annotations(app_id, file)
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -31,7 +31,6 @@ from fields.app_fields import (
 from fields.workflow_fields import workflow_partial_fields as _workflow_partial_fields_dict
 from libs.helper import AppIconUrlField, TimestampField
 from libs.login import current_account_with_tenant, login_required
 from libs.validators import validate_description_length
 from models import App, Workflow
 from services.app_dsl_service import AppDslService, ImportMode
 from services.app_service import AppService
@@ -76,51 +75,30 @@ class AppListQuery(BaseModel):
 class CreateAppPayload(BaseModel):
    name: str = Field(..., min_length=1, description="App name")
-    description: str | None = Field(default=None, description="App description (max 400 chars)")
+    description: str | None = Field(default=None, description="App description (max 400 chars)", max_length=400)
    mode: Literal["chat", "agent-chat", "advanced-chat", "workflow", "completion"] = Field(..., description="App mode")
    icon_type: str | None = Field(default=None, description="Icon type")
    icon: str | None = Field(default=None, description="Icon")
    icon_background: str | None = Field(default=None, description="Icon background color")
    @field_validator("description")
    @classmethod
    def validate_description(cls, value: str | None) -> str | None:
        if value is None:
            return value
        return validate_description_length(value)
 class UpdateAppPayload(BaseModel):
    name: str = Field(..., min_length=1, description="App name")
-    description: str | None = Field(default=None, description="App description (max 400 chars)")
+    description: str | None = Field(default=None, description="App description (max 400 chars)", max_length=400)
    icon_type: str | None = Field(default=None, description="Icon type")
    icon: str | None = Field(default=None, description="Icon")
    icon_background: str | None = Field(default=None, description="Icon background color")
    use_icon_as_answer_icon: bool | None = Field(default=None, description="Use icon as answer icon")
    max_active_requests: int | None = Field(default=None, description="Maximum active requests")
    @field_validator("description")
    @classmethod
    def validate_description(cls, value: str | None) -> str | None:
        if value is None:
            return value
        return validate_description_length(value)
 class CopyAppPayload(BaseModel):
    name: str | None = Field(default=None, description="Name for the copied app")
-    description: str | None = Field(default=None, description="Description for the copied app")
+    description: str | None = Field(default=None, description="Description for the copied app", max_length=400)
    icon_type: str | None = Field(default=None, description="Icon type")
    icon: str | None = Field(default=None, description="Icon")
    icon_background: str | None = Field(default=None, description="Icon background color")
    @field_validator("description")
    @classmethod
    def validate_description(cls, value: str | None) -> str | None:
        if value is None:
            return value
        return validate_description_length(value)
 class AppExportQuery(BaseModel):
    include_secret: bool = Field(default=False, description="Include secrets in export")
@@ -146,7 +124,14 @@ class AppApiStatusPayload(BaseModel):
 class AppTracePayload(BaseModel):
    enabled: bool = Field(..., description="Enable or disable tracing")
-    tracing_provider: str = Field(..., description="Tracing provider")
+    tracing_provider: str | None = Field(default=None, description="Tracing provider")
    @field_validator("tracing_provider")
    @classmethod
    def validate_tracing_provider(cls, value: str | None, info) -> str | None:
        if info.data.get("enabled") and not value:
            raise ValueError("tracing_provider is required when enabled is True")
        return value
 def reg(cls: type[BaseModel]):
@@ -324,10 +309,13 @@ class AppListApi(Resource):
                NodeType.TRIGGER_PLUGIN,
            }
            for workflow in draft_workflows:
-                for _, node_data in workflow.walk_nodes():
+                try:
-                    if node_data.get("type") in trigger_node_types:
+                    for _, node_data in workflow.walk_nodes():
-                        draft_trigger_app_ids.add(str(workflow.app_id))
+                        if node_data.get("type") in trigger_node_types:
-                        break
+                            draft_trigger_app_ids.add(str(workflow.app_id))
                            break
                except Exception:
                    continue
        for app in app_pagination.items:
            app.has_draft_trigger = str(app.id) in draft_trigger_app_ids
--- a/api/controllers/console/app/app_import.py
+++ b/api/controllers/console/app/app_import.py
@@ -1,4 +1,5 @@
-from flask_restx import Resource, fields, marshal_with, reqparse
+from flask_restx import Resource, fields, marshal_with
 from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session
 from controllers.console.app.wraps import get_app_model
@@ -35,23 +36,29 @@ app_import_check_dependencies_model = console_ns.model(
    "AppImportCheckDependencies", app_import_check_dependencies_fields_copy
 )
-parser = (
+DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
-    reqparse.RequestParser()
+
-    .add_argument("mode", type=str, required=True, location="json")
+
-    .add_argument("yaml_content", type=str, location="json")
+class AppImportPayload(BaseModel):
-    .add_argument("yaml_url", type=str, location="json")
+    mode: str = Field(..., description="Import mode")
-    .add_argument("name", type=str, location="json")
+    yaml_content: str | None = None
-    .add_argument("description", type=str, location="json")
+    yaml_url: str | None = None
-    .add_argument("icon_type", type=str, location="json")
+    name: str | None = None
-    .add_argument("icon", type=str, location="json")
+    description: str | None = None
-    .add_argument("icon_background", type=str, location="json")
+    icon_type: str | None = None
-    .add_argument("app_id", type=str, location="json")
+    icon: str | None = None
    icon_background: str | None = None
    app_id: str | None = None
 console_ns.schema_model(
    AppImportPayload.__name__, AppImportPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
@console_ns.route("/apps/imports")
 class AppImportApi(Resource):
-    @console_ns.expect(parser)
+    @console_ns.expect(console_ns.models[AppImportPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -61,7 +68,7 @@ class AppImportApi(Resource):
    def post(self):
        # Check user role first
        current_user, _ = current_account_with_tenant()
-        args = parser.parse_args()
+        args = AppImportPayload.model_validate(console_ns.payload)
        # Create service with session
        with Session(db.engine) as session:
@@ -70,15 +77,15 @@ class AppImportApi(Resource):
            account = current_user
            result = import_service.import_app(
                account=account,
-                import_mode=args["mode"],
+                import_mode=args.mode,
-                yaml_content=args.get("yaml_content"),
+                yaml_content=args.yaml_content,
-                yaml_url=args.get("yaml_url"),
+                yaml_url=args.yaml_url,
-                name=args.get("name"),
+                name=args.name,
-                description=args.get("description"),
+                description=args.description,
-                icon_type=args.get("icon_type"),
+                icon_type=args.icon_type,
-                icon=args.get("icon"),
+                icon=args.icon,
-                icon_background=args.get("icon_background"),
+                icon_background=args.icon_background,
-                app_id=args.get("app_id"),
+                app_id=args.app_id,
            )
            session.commit()
        if result.app_id and FeatureService.get_system_features().webapp_auth.enabled:
--- a/api/controllers/console/app/audio.py
+++ b/api/controllers/console/app/audio.py
@@ -1,7 +1,8 @@
 import logging
 from flask import request
-from flask_restx import Resource, fields, reqparse
+from flask_restx import Resource, fields
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import InternalServerError
 import services
@@ -32,6 +33,27 @@ from services.errors.audio import (
 )
 logger = logging.getLogger(__name__)
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class TextToSpeechPayload(BaseModel):
    message_id: str | None = Field(default=None, description="Message ID")
    text: str = Field(..., description="Text to convert")
    voice: str | None = Field(default=None, description="Voice name")
    streaming: bool | None = Field(default=None, description="Whether to stream audio")
 class TextToSpeechVoiceQuery(BaseModel):
    language: str = Field(..., description="Language code")
 console_ns.schema_model(
    TextToSpeechPayload.__name__, TextToSpeechPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
 console_ns.schema_model(
    TextToSpeechVoiceQuery.__name__,
    TextToSpeechVoiceQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
@console_ns.route("/apps/<uuid:app_id>/audio-to-text")
@@ -92,17 +114,7 @@ class ChatMessageTextApi(Resource):
    @console_ns.doc("chat_message_text_to_speech")
    @console_ns.doc(description="Convert text to speech for chat messages")
    @console_ns.doc(params={"app_id": "App ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[TextToSpeechPayload.__name__])
        console_ns.model(
            "TextToSpeechRequest",
            {
                "message_id": fields.String(description="Message ID"),
                "text": fields.String(required=True, description="Text to convert to speech"),
                "voice": fields.String(description="Voice to use for TTS"),
                "streaming": fields.Boolean(description="Whether to stream the audio"),
            },
        )
    )
    @console_ns.response(200, "Text to speech conversion successful")
    @console_ns.response(400, "Bad request - Invalid parameters")
    @get_app_model
@@ -111,21 +123,14 @@ class ChatMessageTextApi(Resource):
    @account_initialization_required
    def post(self, app_model: App):
        try:
-            parser = (
+            payload = TextToSpeechPayload.model_validate(console_ns.payload)
                reqparse.RequestParser()
                .add_argument("message_id", type=str, location="json")
                .add_argument("text", type=str, location="json")
                .add_argument("voice", type=str, location="json")
                .add_argument("streaming", type=bool, location="json")
            )
            args = parser.parse_args()
            message_id = args.get("message_id", None)
            text = args.get("text", None)
            voice = args.get("voice", None)
            response = AudioService.transcript_tts(
-                app_model=app_model, text=text, voice=voice, message_id=message_id, is_draft=True
+                app_model=app_model,
                text=payload.text,
                voice=payload.voice,
                message_id=payload.message_id,
                is_draft=True,
            )
            return response
        except services.errors.app_model_config.AppModelConfigBrokenError:
@@ -159,9 +164,7 @@ class TextModesApi(Resource):
    @console_ns.doc("get_text_to_speech_voices")
    @console_ns.doc(description="Get available TTS voices for a specific language")
    @console_ns.doc(params={"app_id": "App ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[TextToSpeechVoiceQuery.__name__])
        console_ns.parser().add_argument("language", type=str, required=True, location="args", help="Language code")
    )
    @console_ns.response(
        200, "TTS voices retrieved successfully", fields.List(fields.Raw(description="Available voices"))
    )
@@ -172,12 +175,11 @@ class TextModesApi(Resource):
    @account_initialization_required
    def get(self, app_model):
        try:
-            parser = reqparse.RequestParser().add_argument("language", type=str, required=True, location="args")
+            args = TextToSpeechVoiceQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
            args = parser.parse_args()
            response = AudioService.transcript_tts_voices(
                tenant_id=app_model.tenant_id,
-                language=args["language"],
+                language=args.language,
            )
            return response
--- a/api/controllers/console/app/conversation.py
+++ b/api/controllers/console/app/conversation.py
@@ -49,7 +49,6 @@ class CompletionConversationQuery(BaseConversationQuery):
 class ChatConversationQuery(BaseConversationQuery):
    message_count_gte: int | None = Field(default=None, ge=1, description="Minimum message count")
    sort_by: Literal["created_at", "-created_at", "updated_at", "-updated_at"] = Field(
        default="-updated_at", description="Sort field and direction"
    )
@@ -509,14 +508,6 @@ class ChatConversationApi(Resource):
                .having(func.count(MessageAnnotation.id) == 0)
            )
        if args.message_count_gte and args.message_count_gte >= 1:
            query = (
                query.options(joinedload(Conversation.messages))  # type: ignore
                .join(Message, Message.conversation_id == Conversation.id)
                .group_by(Conversation.id)
                .having(func.count(Message.id) >= args.message_count_gte)
            )
        if app_model.mode == AppMode.ADVANCED_CHAT:
            query = query.where(Conversation.invoke_from != InvokeFrom.DEBUGGER)
--- a/api/controllers/console/app/mcp_server.py
+++ b/api/controllers/console/app/mcp_server.py
@@ -1,7 +1,8 @@
 import json
 from enum import StrEnum
-from flask_restx import Resource, fields, marshal_with, reqparse
+from flask_restx import Resource, marshal_with
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import NotFound
 from controllers.console import console_ns
@@ -12,6 +13,8 @@ from fields.app_fields import app_server_fields
 from libs.login import current_account_with_tenant, login_required
 from models.model import AppMCPServer
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 # Register model for flask_restx to avoid dict type issues in Swagger
 app_server_model = console_ns.model("AppServer", app_server_fields)
@@ -21,6 +24,22 @@ class AppMCPServerStatus(StrEnum):
    INACTIVE = "inactive"
 class MCPServerCreatePayload(BaseModel):
    description: str | None = Field(default=None, description="Server description")
    parameters: dict = Field(..., description="Server parameters configuration")
 class MCPServerUpdatePayload(BaseModel):
    id: str = Field(..., description="Server ID")
    description: str | None = Field(default=None, description="Server description")
    parameters: dict = Field(..., description="Server parameters configuration")
    status: str | None = Field(default=None, description="Server status")
 for model in (MCPServerCreatePayload, MCPServerUpdatePayload):
    console_ns.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
@console_ns.route("/apps/<uuid:app_id>/server")
 class AppMCPServerController(Resource):
    @console_ns.doc("get_app_mcp_server")
@@ -39,15 +58,7 @@ class AppMCPServerController(Resource):
    @console_ns.doc("create_app_mcp_server")
    @console_ns.doc(description="Create MCP server configuration for an application")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[MCPServerCreatePayload.__name__])
        console_ns.model(
            "MCPServerCreateRequest",
            {
                "description": fields.String(description="Server description"),
                "parameters": fields.Raw(required=True, description="Server parameters configuration"),
            },
        )
    )
    @console_ns.response(201, "MCP server configuration created successfully", app_server_model)
    @console_ns.response(403, "Insufficient permissions")
    @account_initialization_required
@@ -58,21 +69,16 @@ class AppMCPServerController(Resource):
    @edit_permission_required
    def post(self, app_model):
        _, current_tenant_id = current_account_with_tenant()
-        parser = (
+        payload = MCPServerCreatePayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument("description", type=str, required=False, location="json")
            .add_argument("parameters", type=dict, required=True, location="json")
        )
        args = parser.parse_args()
-        description = args.get("description")
+        description = payload.description
        if not description:
            description = app_model.description or ""
        server = AppMCPServer(
            name=app_model.name,
            description=description,
-            parameters=json.dumps(args["parameters"], ensure_ascii=False),
+            parameters=json.dumps(payload.parameters, ensure_ascii=False),
            status=AppMCPServerStatus.ACTIVE,
            app_id=app_model.id,
            tenant_id=current_tenant_id,
@@ -85,17 +91,7 @@ class AppMCPServerController(Resource):
    @console_ns.doc("update_app_mcp_server")
    @console_ns.doc(description="Update MCP server configuration for an application")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[MCPServerUpdatePayload.__name__])
        console_ns.model(
            "MCPServerUpdateRequest",
            {
                "id": fields.String(required=True, description="Server ID"),
                "description": fields.String(description="Server description"),
                "parameters": fields.Raw(required=True, description="Server parameters configuration"),
                "status": fields.String(description="Server status"),
            },
        )
    )
    @console_ns.response(200, "MCP server configuration updated successfully", app_server_model)
    @console_ns.response(403, "Insufficient permissions")
    @console_ns.response(404, "Server not found")
@@ -106,19 +102,12 @@ class AppMCPServerController(Resource):
    @marshal_with(app_server_model)
    @edit_permission_required
    def put(self, app_model):
-        parser = (
+        payload = MCPServerUpdatePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        server = db.session.query(AppMCPServer).where(AppMCPServer.id == payload.id).first()
            .add_argument("id", type=str, required=True, location="json")
            .add_argument("description", type=str, required=False, location="json")
            .add_argument("parameters", type=dict, required=True, location="json")
            .add_argument("status", type=str, required=False, location="json")
        )
        args = parser.parse_args()
        server = db.session.query(AppMCPServer).where(AppMCPServer.id == args["id"]).first()
        if not server:
            raise NotFound()
-        description = args.get("description")
+        description = payload.description
        if description is None:
            pass
        elif not description:
@@ -126,11 +115,11 @@ class AppMCPServerController(Resource):
        else:
            server.description = description
-        server.parameters = json.dumps(args["parameters"], ensure_ascii=False)
+        server.parameters = json.dumps(payload.parameters, ensure_ascii=False)
-        if args["status"]:
+        if payload.status:
-            if args["status"] not in [status.value for status in AppMCPServerStatus]:
+            if payload.status not in [status.value for status in AppMCPServerStatus]:
                raise ValueError("Invalid status")
-            server.status = args["status"]
+            server.status = payload.status
        db.session.commit()
        return server
--- a/api/controllers/console/app/message.py
+++ b/api/controllers/console/app/message.py
@@ -61,6 +61,7 @@ class ChatMessagesQuery(BaseModel):
 class MessageFeedbackPayload(BaseModel):
    message_id: str = Field(..., description="Message ID")
    rating: Literal["like", "dislike"] | None = Field(default=None, description="Feedback rating")
    content: str | None = Field(default=None, description="Feedback content")
    @field_validator("message_id")
    @classmethod
@@ -324,6 +325,7 @@ class MessageFeedbackApi(Resource):
            db.session.delete(feedback)
        elif args.rating and feedback:
            feedback.rating = args.rating
            feedback.content = args.content
        elif not args.rating and not feedback:
            raise ValueError("rating cannot be None when feedback not exists")
        else:
@@ -335,6 +337,7 @@ class MessageFeedbackApi(Resource):
                conversation_id=message.conversation_id,
                message_id=message.id,
                rating=rating_value,
                content=args.content,
                from_source="admin",
                from_account_id=current_user.id,
            )
--- a/api/controllers/console/app/ops_trace.py
+++ b/api/controllers/console/app/ops_trace.py
@@ -1,4 +1,8 @@
-from flask_restx import Resource, fields, reqparse
+from typing import Any
 from flask import request
 from flask_restx import Resource, fields
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import BadRequest
 from controllers.console import console_ns
@@ -7,6 +11,26 @@ from controllers.console.wraps import account_initialization_required, setup_req
 from libs.login import login_required
 from services.ops_service import OpsService
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class TraceProviderQuery(BaseModel):
    tracing_provider: str = Field(..., description="Tracing provider name")
 class TraceConfigPayload(BaseModel):
    tracing_provider: str = Field(..., description="Tracing provider name")
    tracing_config: dict[str, Any] = Field(..., description="Tracing configuration data")
 console_ns.schema_model(
    TraceProviderQuery.__name__,
    TraceProviderQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 console_ns.schema_model(
    TraceConfigPayload.__name__, TraceConfigPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
@console_ns.route("/apps/<uuid:app_id>/trace-config")
 class TraceAppConfigApi(Resource):
@@ -17,11 +41,7 @@ class TraceAppConfigApi(Resource):
    @console_ns.doc("get_trace_app_config")
    @console_ns.doc(description="Get tracing configuration for an application")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[TraceProviderQuery.__name__])
        console_ns.parser().add_argument(
            "tracing_provider", type=str, required=True, location="args", help="Tracing provider name"
        )
    )
    @console_ns.response(
        200, "Tracing configuration retrieved successfully", fields.Raw(description="Tracing configuration data")
    )
@@ -30,11 +50,10 @@ class TraceAppConfigApi(Resource):
    @login_required
    @account_initialization_required
    def get(self, app_id):
-        parser = reqparse.RequestParser().add_argument("tracing_provider", type=str, required=True, location="args")
+        args = TraceProviderQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
        args = parser.parse_args()
        try:
-            trace_config = OpsService.get_tracing_app_config(app_id=app_id, tracing_provider=args["tracing_provider"])
+            trace_config = OpsService.get_tracing_app_config(app_id=app_id, tracing_provider=args.tracing_provider)
            if not trace_config:
                return {"has_not_configured": True}
            return trace_config
@@ -44,15 +63,7 @@ class TraceAppConfigApi(Resource):
    @console_ns.doc("create_trace_app_config")
    @console_ns.doc(description="Create a new tracing configuration for an application")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[TraceConfigPayload.__name__])
        console_ns.model(
            "TraceConfigCreateRequest",
            {
                "tracing_provider": fields.String(required=True, description="Tracing provider name"),
                "tracing_config": fields.Raw(required=True, description="Tracing configuration data"),
            },
        )
    )
    @console_ns.response(
        201, "Tracing configuration created successfully", fields.Raw(description="Created configuration data")
    )
@@ -62,16 +73,11 @@ class TraceAppConfigApi(Resource):
    @account_initialization_required
    def post(self, app_id):
        """Create a new trace app configuration"""
-        parser = (
+        args = TraceConfigPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("tracing_provider", type=str, required=True, location="json")
            .add_argument("tracing_config", type=dict, required=True, location="json")
        )
        args = parser.parse_args()
        try:
            result = OpsService.create_tracing_app_config(
-                app_id=app_id, tracing_provider=args["tracing_provider"], tracing_config=args["tracing_config"]
+                app_id=app_id, tracing_provider=args.tracing_provider, tracing_config=args.tracing_config
            )
            if not result:
                raise TracingConfigIsExist()
@@ -84,15 +90,7 @@ class TraceAppConfigApi(Resource):
    @console_ns.doc("update_trace_app_config")
    @console_ns.doc(description="Update an existing tracing configuration for an application")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[TraceConfigPayload.__name__])
        console_ns.model(
            "TraceConfigUpdateRequest",
            {
                "tracing_provider": fields.String(required=True, description="Tracing provider name"),
                "tracing_config": fields.Raw(required=True, description="Updated tracing configuration data"),
            },
        )
    )
    @console_ns.response(200, "Tracing configuration updated successfully", fields.Raw(description="Success response"))
    @console_ns.response(400, "Invalid request parameters or configuration not found")
    @setup_required
@@ -100,16 +98,11 @@ class TraceAppConfigApi(Resource):
    @account_initialization_required
    def patch(self, app_id):
        """Update an existing trace app configuration"""
-        parser = (
+        args = TraceConfigPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("tracing_provider", type=str, required=True, location="json")
            .add_argument("tracing_config", type=dict, required=True, location="json")
        )
        args = parser.parse_args()
        try:
            result = OpsService.update_tracing_app_config(
-                app_id=app_id, tracing_provider=args["tracing_provider"], tracing_config=args["tracing_config"]
+                app_id=app_id, tracing_provider=args.tracing_provider, tracing_config=args.tracing_config
            )
            if not result:
                raise TracingConfigNotExist()
@@ -120,11 +113,7 @@ class TraceAppConfigApi(Resource):
    @console_ns.doc("delete_trace_app_config")
    @console_ns.doc(description="Delete an existing tracing configuration for an application")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[TraceProviderQuery.__name__])
        console_ns.parser().add_argument(
            "tracing_provider", type=str, required=True, location="args", help="Tracing provider name"
        )
    )
    @console_ns.response(204, "Tracing configuration deleted successfully")
    @console_ns.response(400, "Invalid request parameters or configuration not found")
    @setup_required
@@ -132,11 +121,10 @@ class TraceAppConfigApi(Resource):
    @account_initialization_required
    def delete(self, app_id):
        """Delete an existing trace app configuration"""
-        parser = reqparse.RequestParser().add_argument("tracing_provider", type=str, required=True, location="args")
+        args = TraceProviderQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
        args = parser.parse_args()
        try:
-            result = OpsService.delete_tracing_app_config(app_id=app_id, tracing_provider=args["tracing_provider"])
+            result = OpsService.delete_tracing_app_config(app_id=app_id, tracing_provider=args.tracing_provider)
            if not result:
                raise TracingConfigNotExist()
            return {"result": "success"}, 204
--- a/api/controllers/console/app/site.py
+++ b/api/controllers/console/app/site.py
@@ -1,4 +1,7 @@
-from flask_restx import Resource, fields, marshal_with, reqparse
+from typing import Literal
 from flask_restx import Resource, marshal_with
 from pydantic import BaseModel, Field, field_validator
 from werkzeug.exceptions import NotFound
 from constants.languages import supported_language
@@ -16,69 +19,50 @@ from libs.datetime_utils import naive_utc_now
 from libs.login import current_account_with_tenant, login_required
 from models import Site
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class AppSiteUpdatePayload(BaseModel):
    title: str | None = Field(default=None)
    icon_type: str | None = Field(default=None)
    icon: str | None = Field(default=None)
    icon_background: str | None = Field(default=None)
    description: str | None = Field(default=None)
    default_language: str | None = Field(default=None)
    chat_color_theme: str | None = Field(default=None)
    chat_color_theme_inverted: bool | None = Field(default=None)
    customize_domain: str | None = Field(default=None)
    copyright: str | None = Field(default=None)
    privacy_policy: str | None = Field(default=None)
    custom_disclaimer: str | None = Field(default=None)
    customize_token_strategy: Literal["must", "allow", "not_allow"] | None = Field(default=None)
    prompt_public: bool | None = Field(default=None)
    show_workflow_steps: bool | None = Field(default=None)
    use_icon_as_answer_icon: bool | None = Field(default=None)
    @field_validator("default_language")
    @classmethod
    def validate_language(cls, value: str | None) -> str | None:
        if value is None:
            return value
        return supported_language(value)
 console_ns.schema_model(
    AppSiteUpdatePayload.__name__,
    AppSiteUpdatePayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 # Register model for flask_restx to avoid dict type issues in Swagger
 app_site_model = console_ns.model("AppSite", app_site_fields)
 def parse_app_site_args():
    parser = (
        reqparse.RequestParser()
        .add_argument("title", type=str, required=False, location="json")
        .add_argument("icon_type", type=str, required=False, location="json")
        .add_argument("icon", type=str, required=False, location="json")
        .add_argument("icon_background", type=str, required=False, location="json")
        .add_argument("description", type=str, required=False, location="json")
        .add_argument("default_language", type=supported_language, required=False, location="json")
        .add_argument("chat_color_theme", type=str, required=False, location="json")
        .add_argument("chat_color_theme_inverted", type=bool, required=False, location="json")
        .add_argument("customize_domain", type=str, required=False, location="json")
        .add_argument("copyright", type=str, required=False, location="json")
        .add_argument("privacy_policy", type=str, required=False, location="json")
        .add_argument("custom_disclaimer", type=str, required=False, location="json")
        .add_argument(
            "customize_token_strategy",
            type=str,
            choices=["must", "allow", "not_allow"],
            required=False,
            location="json",
        )
        .add_argument("prompt_public", type=bool, required=False, location="json")
        .add_argument("show_workflow_steps", type=bool, required=False, location="json")
        .add_argument("use_icon_as_answer_icon", type=bool, required=False, location="json")
    )
    return parser.parse_args()
@console_ns.route("/apps/<uuid:app_id>/site")
 class AppSite(Resource):
    @console_ns.doc("update_app_site")
    @console_ns.doc(description="Update application site configuration")
    @console_ns.doc(params={"app_id": "Application ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[AppSiteUpdatePayload.__name__])
        console_ns.model(
            "AppSiteRequest",
            {
                "title": fields.String(description="Site title"),
                "icon_type": fields.String(description="Icon type"),
                "icon": fields.String(description="Icon"),
                "icon_background": fields.String(description="Icon background color"),
                "description": fields.String(description="Site description"),
                "default_language": fields.String(description="Default language"),
                "chat_color_theme": fields.String(description="Chat color theme"),
                "chat_color_theme_inverted": fields.Boolean(description="Inverted chat color theme"),
                "customize_domain": fields.String(description="Custom domain"),
                "copyright": fields.String(description="Copyright text"),
                "privacy_policy": fields.String(description="Privacy policy"),
                "custom_disclaimer": fields.String(description="Custom disclaimer"),
                "customize_token_strategy": fields.String(
                    enum=["must", "allow", "not_allow"], description="Token strategy"
                ),
                "prompt_public": fields.Boolean(description="Make prompt public"),
                "show_workflow_steps": fields.Boolean(description="Show workflow steps"),
                "use_icon_as_answer_icon": fields.Boolean(description="Use icon as answer icon"),
            },
        )
    )
    @console_ns.response(200, "Site configuration updated successfully", app_site_model)
    @console_ns.response(403, "Insufficient permissions")
    @console_ns.response(404, "App not found")
@@ -89,7 +73,7 @@ class AppSite(Resource):
    @get_app_model
    @marshal_with(app_site_model)
    def post(self, app_model):
-        args = parse_app_site_args()
+        args = AppSiteUpdatePayload.model_validate(console_ns.payload or {})
        current_user, _ = current_account_with_tenant()
        site = db.session.query(Site).where(Site.app_id == app_model.id).first()
        if not site:
@@ -113,7 +97,7 @@ class AppSite(Resource):
            "show_workflow_steps",
            "use_icon_as_answer_icon",
        ]:
-            value = args.get(attr_name)
+            value = getattr(args, attr_name)
            if value is not None:
                setattr(site, attr_name, value)
--- a/api/controllers/console/app/workflow_draft_variable.py
+++ b/api/controllers/console/app/workflow_draft_variable.py
@@ -1,10 +1,11 @@
 import logging
 from collections.abc import Callable
 from functools import wraps
-from typing import NoReturn, ParamSpec, TypeVar
+from typing import Any, NoReturn, ParamSpec, TypeVar
-from flask import Response
+from flask import Response, request
-from flask_restx import Resource, fields, inputs, marshal, marshal_with, reqparse
+from flask_restx import Resource, fields, marshal, marshal_with
 from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session
 from controllers.console import console_ns
@@ -29,6 +30,27 @@ from services.workflow_draft_variable_service import WorkflowDraftVariableList,
 from services.workflow_service import WorkflowService
 logger = logging.getLogger(__name__)
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class WorkflowDraftVariableListQuery(BaseModel):
    page: int = Field(default=1, ge=1, le=100_000, description="Page number")
    limit: int = Field(default=20, ge=1, le=100, description="Items per page")
 class WorkflowDraftVariableUpdatePayload(BaseModel):
    name: str | None = Field(default=None, description="Variable name")
    value: Any | None = Field(default=None, description="Variable value")
 console_ns.schema_model(
    WorkflowDraftVariableListQuery.__name__,
    WorkflowDraftVariableListQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 console_ns.schema_model(
    WorkflowDraftVariableUpdatePayload.__name__,
    WorkflowDraftVariableUpdatePayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
 def _convert_values_to_json_serializable_object(value: Segment):
@@ -57,22 +79,6 @@ def _serialize_var_value(variable: WorkflowDraftVariable):
    return _convert_values_to_json_serializable_object(value)
 def _create_pagination_parser():
    parser = (
        reqparse.RequestParser()
        .add_argument(
            "page",
            type=inputs.int_range(1, 100_000),
            required=False,
            default=1,
            location="args",
            help="the page of data requested",
        )
        .add_argument("limit", type=inputs.int_range(1, 100), required=False, default=20, location="args")
    )
    return parser
 def _serialize_variable_type(workflow_draft_var: WorkflowDraftVariable) -> str:
    value_type = workflow_draft_var.value_type
    return value_type.exposed_type().value
@@ -201,7 +207,7 @@ def _api_prerequisite(f: Callable[P, R]):
@console_ns.route("/apps/<uuid:app_id>/workflows/draft/variables")
 class WorkflowVariableCollectionApi(Resource):
-    @console_ns.expect(_create_pagination_parser())
+    @console_ns.expect(console_ns.models[WorkflowDraftVariableListQuery.__name__])
    @console_ns.doc("get_workflow_variables")
    @console_ns.doc(description="Get draft workflow variables")
    @console_ns.doc(params={"app_id": "Application ID"})
@@ -215,8 +221,7 @@ class WorkflowVariableCollectionApi(Resource):
        """
        Get draft workflow
        """
-        parser = _create_pagination_parser()
+        args = WorkflowDraftVariableListQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
        args = parser.parse_args()
        # fetch draft workflow by app_model
        workflow_service = WorkflowService()
@@ -323,15 +328,7 @@ class VariableApi(Resource):
    @console_ns.doc("update_variable")
    @console_ns.doc(description="Update a workflow variable")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[WorkflowDraftVariableUpdatePayload.__name__])
        console_ns.model(
            "UpdateVariableRequest",
            {
                "name": fields.String(description="Variable name"),
                "value": fields.Raw(description="Variable value"),
            },
        )
    )
    @console_ns.response(200, "Variable updated successfully", workflow_draft_variable_model)
    @console_ns.response(404, "Variable not found")
    @_api_prerequisite
@@ -358,16 +355,10 @@ class VariableApi(Resource):
        #         "upload_file_id": "1602650a-4fe4-423c-85a2-af76c083e3c4"
        #     }
        parser = (
            reqparse.RequestParser()
            .add_argument(self._PATCH_NAME_FIELD, type=str, required=False, nullable=True, location="json")
            .add_argument(self._PATCH_VALUE_FIELD, type=lambda x: x, required=False, nullable=True, location="json")
        )
        draft_var_srv = WorkflowDraftVariableService(
            session=db.session(),
        )
-        args = parser.parse_args(strict=True)
+        args_model = WorkflowDraftVariableUpdatePayload.model_validate(console_ns.payload or {})
        variable = draft_var_srv.get_variable(variable_id=variable_id)
        if variable is None:
@@ -375,8 +366,8 @@ class VariableApi(Resource):
        if variable.app_id != app_model.id:
            raise NotFoundError(description=f"variable not found, id={variable_id}")
-        new_name = args.get(self._PATCH_NAME_FIELD, None)
+        new_name = args_model.name
-        raw_value = args.get(self._PATCH_VALUE_FIELD, None)
+        raw_value = args_model.value
        if new_name is None and raw_value is None:
            return variable
--- a/api/controllers/console/app/workflow_trigger.py
+++ b/api/controllers/console/app/workflow_trigger.py
@@ -114,7 +114,7 @@ class AppTriggersApi(Resource):
@console_ns.route("/apps/<uuid:app_id>/trigger-enable")
 class AppTriggerEnableApi(Resource):
-    @console_ns.expect(console_ns.models[ParserEnable.__name__], validate=True)
+    @console_ns.expect(console_ns.models[ParserEnable.__name__])
    @setup_required
    @login_required
    @account_initialization_required
--- a/api/controllers/console/auth/activate.py
+++ b/api/controllers/console/auth/activate.py
@@ -1,28 +1,53 @@
 from flask import request
-from flask_restx import Resource, fields, reqparse
+from flask_restx import Resource, fields
 from pydantic import BaseModel, Field, field_validator
 from constants.languages import supported_language
 from controllers.console import console_ns
 from controllers.console.error import AlreadyActivateError
 from extensions.ext_database import db
 from libs.datetime_utils import naive_utc_now
-from libs.helper import StrLen, email, extract_remote_ip, timezone
+from libs.helper import EmailStr, extract_remote_ip, timezone
 from models import AccountStatus
 from services.account_service import AccountService, RegisterService
-active_check_parser = (
+DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
-    reqparse.RequestParser()
+
-    .add_argument("workspace_id", type=str, required=False, nullable=True, location="args", help="Workspace ID")
+
-    .add_argument("email", type=email, required=False, nullable=True, location="args", help="Email address")
+class ActivateCheckQuery(BaseModel):
-    .add_argument("token", type=str, required=True, nullable=False, location="args", help="Activation token")
+    workspace_id: str | None = Field(default=None)
-)
+    email: EmailStr | None = Field(default=None)
    token: str
 class ActivatePayload(BaseModel):
    workspace_id: str | None = Field(default=None)
    email: EmailStr | None = Field(default=None)
    token: str
    name: str = Field(..., max_length=30)
    interface_language: str = Field(...)
    timezone: str = Field(...)
    @field_validator("interface_language")
    @classmethod
    def validate_lang(cls, value: str) -> str:
        return supported_language(value)
    @field_validator("timezone")
    @classmethod
    def validate_tz(cls, value: str) -> str:
        return timezone(value)
 for model in (ActivateCheckQuery, ActivatePayload):
    console_ns.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
@console_ns.route("/activate/check")
 class ActivateCheckApi(Resource):
    @console_ns.doc("check_activation_token")
    @console_ns.doc(description="Check if activation token is valid")
-    @console_ns.expect(active_check_parser)
+    @console_ns.expect(console_ns.models[ActivateCheckQuery.__name__])
    @console_ns.response(
        200,
        "Success",
@@ -35,11 +60,11 @@ class ActivateCheckApi(Resource):
        ),
    )
    def get(self):
-        args = active_check_parser.parse_args()
+        args = ActivateCheckQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
-        workspaceId = args["workspace_id"]
+        workspaceId = args.workspace_id
-        reg_email = args["email"]
+        reg_email = args.email
-        token = args["token"]
+        token = args.token
        invitation = RegisterService.get_invitation_if_token_valid(workspaceId, reg_email, token)
        if invitation:
@@ -56,22 +81,11 @@ class ActivateCheckApi(Resource):
            return {"is_valid": False}
 active_parser = (
    reqparse.RequestParser()
    .add_argument("workspace_id", type=str, required=False, nullable=True, location="json")
    .add_argument("email", type=email, required=False, nullable=True, location="json")
    .add_argument("token", type=str, required=True, nullable=False, location="json")
    .add_argument("name", type=StrLen(30), required=True, nullable=False, location="json")
    .add_argument("interface_language", type=supported_language, required=True, nullable=False, location="json")
    .add_argument("timezone", type=timezone, required=True, nullable=False, location="json")
 )
@console_ns.route("/activate")
 class ActivateApi(Resource):
    @console_ns.doc("activate_account")
    @console_ns.doc(description="Activate account with invitation token")
-    @console_ns.expect(active_parser)
+    @console_ns.expect(console_ns.models[ActivatePayload.__name__])
    @console_ns.response(
        200,
        "Account activated successfully",
@@ -85,19 +99,19 @@ class ActivateApi(Resource):
    )
    @console_ns.response(400, "Already activated or invalid token")
    def post(self):
-        args = active_parser.parse_args()
+        args = ActivatePayload.model_validate(console_ns.payload)
-        invitation = RegisterService.get_invitation_if_token_valid(args["workspace_id"], args["email"], args["token"])
+        invitation = RegisterService.get_invitation_if_token_valid(args.workspace_id, args.email, args.token)
        if invitation is None:
            raise AlreadyActivateError()
-        RegisterService.revoke_token(args["workspace_id"], args["email"], args["token"])
+        RegisterService.revoke_token(args.workspace_id, args.email, args.token)
        account = invitation["account"]
-        account.name = args["name"]
+        account.name = args.name
-        account.interface_language = args["interface_language"]
+        account.interface_language = args.interface_language
-        account.timezone = args["timezone"]
+        account.timezone = args.timezone
        account.interface_theme = "light"
        account.status = AccountStatus.ACTIVE
        account.initialized_at = naive_utc_now()
--- a/api/controllers/console/auth/data_source_bearer_auth.py
+++ b/api/controllers/console/auth/data_source_bearer_auth.py
@@ -1,12 +1,26 @@
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from controllers.console import console_ns
 from controllers.console.auth.error import ApiKeyAuthFailedError
 from controllers.console.wraps import is_admin_or_owner_required
 from libs.login import current_account_with_tenant, login_required
 from services.auth.api_key_auth_service import ApiKeyAuthService
-from ..wraps import account_initialization_required, setup_required
+from .. import console_ns
 from ..auth.error import ApiKeyAuthFailedError
 from ..wraps import account_initialization_required, is_admin_or_owner_required, setup_required
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class ApiKeyAuthBindingPayload(BaseModel):
    category: str = Field(...)
    provider: str = Field(...)
    credentials: dict = Field(...)
 console_ns.schema_model(
    ApiKeyAuthBindingPayload.__name__,
    ApiKeyAuthBindingPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
@console_ns.route("/api-key-auth/data-source")
@@ -40,19 +54,15 @@ class ApiKeyAuthDataSourceBinding(Resource):
    @login_required
    @account_initialization_required
    @is_admin_or_owner_required
    @console_ns.expect(console_ns.models[ApiKeyAuthBindingPayload.__name__])
    def post(self):
        # The role of the current user in the table must be admin or owner
        _, current_tenant_id = current_account_with_tenant()
-        parser = (
+        payload = ApiKeyAuthBindingPayload.model_validate(console_ns.payload)
-            reqparse.RequestParser()
+        data = payload.model_dump()
-            .add_argument("category", type=str, required=True, nullable=False, location="json")
+        ApiKeyAuthService.validate_api_key_auth_args(data)
            .add_argument("provider", type=str, required=True, nullable=False, location="json")
            .add_argument("credentials", type=dict, required=True, nullable=False, location="json")
        )
        args = parser.parse_args()
        ApiKeyAuthService.validate_api_key_auth_args(args)
        try:
-            ApiKeyAuthService.create_provider_auth(current_tenant_id, args)
+            ApiKeyAuthService.create_provider_auth(current_tenant_id, data)
        except Exception as e:
            raise ApiKeyAuthFailedError(str(e))
        return {"result": "success"}, 200
--- a/api/controllers/console/auth/data_source_oauth.py
+++ b/api/controllers/console/auth/data_source_oauth.py
@@ -5,12 +5,11 @@ from flask import current_app, redirect, request
 from flask_restx import Resource, fields
 from configs import dify_config
 from controllers.console import console_ns
 from controllers.console.wraps import is_admin_or_owner_required
 from libs.login import login_required
 from libs.oauth_data_source import NotionOAuth
-from ..wraps import account_initialization_required, setup_required
+from .. import console_ns
 from ..wraps import account_initialization_required, is_admin_or_owner_required, setup_required
 logger = logging.getLogger(__name__)
--- a/api/controllers/console/auth/email_register.py
+++ b/api/controllers/console/auth/email_register.py
@@ -1,5 +1,6 @@
 from flask import request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field, field_validator
 from sqlalchemy import select
 from sqlalchemy.orm import Session
@@ -14,16 +15,45 @@ from controllers.console.auth.error import (
    InvalidTokenError,
    PasswordMismatchError,
 )
 from controllers.console.error import AccountInFreezeError, EmailSendIpLimitError
 from controllers.console.wraps import email_password_login_enabled, email_register_enabled, setup_required
 from extensions.ext_database import db
-from libs.helper import email, extract_remote_ip
+from libs.helper import EmailStr, extract_remote_ip
 from libs.password import valid_password
 from models import Account
 from services.account_service import AccountService
 from services.billing_service import BillingService
 from services.errors.account import AccountNotFoundError, AccountRegisterError
 from ..error import AccountInFreezeError, EmailSendIpLimitError
 from ..wraps import email_password_login_enabled, email_register_enabled, setup_required
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class EmailRegisterSendPayload(BaseModel):
    email: EmailStr = Field(..., description="Email address")
    language: str | None = Field(default=None, description="Language code")
 class EmailRegisterValidityPayload(BaseModel):
    email: EmailStr = Field(...)
    code: str = Field(...)
    token: str = Field(...)
 class EmailRegisterResetPayload(BaseModel):
    token: str = Field(...)
    new_password: str = Field(...)
    password_confirm: str = Field(...)
    @field_validator("new_password", "password_confirm")
    @classmethod
    def validate_password(cls, value: str) -> str:
        return valid_password(value)
 for model in (EmailRegisterSendPayload, EmailRegisterValidityPayload, EmailRegisterResetPayload):
    console_ns.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
@console_ns.route("/email-register/send-email")
 class EmailRegisterSendEmailApi(Resource):
@@ -31,27 +61,22 @@ class EmailRegisterSendEmailApi(Resource):
    @email_password_login_enabled
    @email_register_enabled
    def post(self):
-        parser = (
+        args = EmailRegisterSendPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=email, required=True, location="json")
            .add_argument("language", type=str, required=False, location="json")
        )
        args = parser.parse_args()
        ip_address = extract_remote_ip(request)
        if AccountService.is_email_send_ip_limit(ip_address):
            raise EmailSendIpLimitError()
        language = "en-US"
-        if args["language"] in languages:
+        if args.language in languages:
-            language = args["language"]
+            language = args.language
-        if dify_config.BILLING_ENABLED and BillingService.is_email_in_freeze(args["email"]):
+        if dify_config.BILLING_ENABLED and BillingService.is_email_in_freeze(args.email):
            raise AccountInFreezeError()
        with Session(db.engine) as session:
-            account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()
+            account = session.execute(select(Account).filter_by(email=args.email)).scalar_one_or_none()
        token = None
-        token = AccountService.send_email_register_email(email=args["email"], account=account, language=language)
+        token = AccountService.send_email_register_email(email=args.email, account=account, language=language)
        return {"result": "success", "data": token}
@@ -61,40 +86,34 @@ class EmailRegisterCheckApi(Resource):
    @email_password_login_enabled
    @email_register_enabled
    def post(self):
-        parser = (
+        args = EmailRegisterValidityPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=str, required=True, location="json")
            .add_argument("code", type=str, required=True, location="json")
            .add_argument("token", type=str, required=True, nullable=False, location="json")
        )
        args = parser.parse_args()
-        user_email = args["email"]
+        user_email = args.email
-        is_email_register_error_rate_limit = AccountService.is_email_register_error_rate_limit(args["email"])
+        is_email_register_error_rate_limit = AccountService.is_email_register_error_rate_limit(args.email)
        if is_email_register_error_rate_limit:
            raise EmailRegisterLimitError()
-        token_data = AccountService.get_email_register_data(args["token"])
+        token_data = AccountService.get_email_register_data(args.token)
        if token_data is None:
            raise InvalidTokenError()
        if user_email != token_data.get("email"):
            raise InvalidEmailError()
-        if args["code"] != token_data.get("code"):
+        if args.code != token_data.get("code"):
-            AccountService.add_email_register_error_rate_limit(args["email"])
+            AccountService.add_email_register_error_rate_limit(args.email)
            raise EmailCodeError()
        # Verified, revoke the first token
-        AccountService.revoke_email_register_token(args["token"])
+        AccountService.revoke_email_register_token(args.token)
        # Refresh token data by generating a new token
        _, new_token = AccountService.generate_email_register_token(
-            user_email, code=args["code"], additional_data={"phase": "register"}
+            user_email, code=args.code, additional_data={"phase": "register"}
        )
-        AccountService.reset_email_register_error_rate_limit(args["email"])
+        AccountService.reset_email_register_error_rate_limit(args.email)
        return {"is_valid": True, "email": token_data.get("email"), "token": new_token}
@@ -104,20 +123,14 @@ class EmailRegisterResetApi(Resource):
    @email_password_login_enabled
    @email_register_enabled
    def post(self):
-        parser = (
+        args = EmailRegisterResetPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("token", type=str, required=True, nullable=False, location="json")
            .add_argument("new_password", type=valid_password, required=True, nullable=False, location="json")
            .add_argument("password_confirm", type=valid_password, required=True, nullable=False, location="json")
        )
        args = parser.parse_args()
        # Validate passwords match
-        if args["new_password"] != args["password_confirm"]:
+        if args.new_password != args.password_confirm:
            raise PasswordMismatchError()
        # Validate token and get register data
-        register_data = AccountService.get_email_register_data(args["token"])
+        register_data = AccountService.get_email_register_data(args.token)
        if not register_data:
            raise InvalidTokenError()
        # Must use token in reset phase
@@ -125,7 +138,7 @@ class EmailRegisterResetApi(Resource):
            raise InvalidTokenError()
        # Revoke token to prevent reuse
-        AccountService.revoke_email_register_token(args["token"])
+        AccountService.revoke_email_register_token(args.token)
        email = register_data.get("email", "")
@@ -135,7 +148,7 @@ class EmailRegisterResetApi(Resource):
            if account:
                raise EmailAlreadyInUseError()
            else:
-                account = self._create_new_account(email, args["password_confirm"])
+                account = self._create_new_account(email, args.password_confirm)
                if not account:
                    raise AccountNotFoundError()
                token_pair = AccountService.login(account=account, ip_address=extract_remote_ip(request))
--- a/api/controllers/console/auth/forgot_password.py
+++ b/api/controllers/console/auth/forgot_password.py
@@ -2,7 +2,8 @@ import base64
 import secrets
 from flask import request
-from flask_restx import Resource, fields, reqparse
+from flask_restx import Resource, fields
 from pydantic import BaseModel, Field, field_validator
 from sqlalchemy import select
 from sqlalchemy.orm import Session
@@ -18,26 +19,46 @@ from controllers.console.error import AccountNotFound, EmailSendIpLimitError
 from controllers.console.wraps import email_password_login_enabled, setup_required
 from events.tenant_event import tenant_was_created
 from extensions.ext_database import db
-from libs.helper import email, extract_remote_ip
+from libs.helper import EmailStr, extract_remote_ip
 from libs.password import hash_password, valid_password
 from models import Account
 from services.account_service import AccountService, TenantService
 from services.feature_service import FeatureService
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class ForgotPasswordSendPayload(BaseModel):
    email: EmailStr = Field(...)
    language: str | None = Field(default=None)
 class ForgotPasswordCheckPayload(BaseModel):
    email: EmailStr = Field(...)
    code: str = Field(...)
    token: str = Field(...)
 class ForgotPasswordResetPayload(BaseModel):
    token: str = Field(...)
    new_password: str = Field(...)
    password_confirm: str = Field(...)
    @field_validator("new_password", "password_confirm")
    @classmethod
    def validate_password(cls, value: str) -> str:
        return valid_password(value)
 for model in (ForgotPasswordSendPayload, ForgotPasswordCheckPayload, ForgotPasswordResetPayload):
    console_ns.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
@console_ns.route("/forgot-password")
 class ForgotPasswordSendEmailApi(Resource):
    @console_ns.doc("send_forgot_password_email")
    @console_ns.doc(description="Send password reset email")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[ForgotPasswordSendPayload.__name__])
        console_ns.model(
            "ForgotPasswordEmailRequest",
            {
                "email": fields.String(required=True, description="Email address"),
                "language": fields.String(description="Language for email (zh-Hans/en-US)"),
            },
        )
    )
    @console_ns.response(
        200,
        "Email sent successfully",
@@ -54,28 +75,23 @@ class ForgotPasswordSendEmailApi(Resource):
    @setup_required
    @email_password_login_enabled
    def post(self):
-        parser = (
+        args = ForgotPasswordSendPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=email, required=True, location="json")
            .add_argument("language", type=str, required=False, location="json")
        )
        args = parser.parse_args()
        ip_address = extract_remote_ip(request)
        if AccountService.is_email_send_ip_limit(ip_address):
            raise EmailSendIpLimitError()
-        if args["language"] is not None and args["language"] == "zh-Hans":
+        if args.language is not None and args.language == "zh-Hans":
            language = "zh-Hans"
        else:
            language = "en-US"
        with Session(db.engine) as session:
-            account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()
+            account = session.execute(select(Account).filter_by(email=args.email)).scalar_one_or_none()
        token = AccountService.send_reset_password_email(
            account=account,
-            email=args["email"],
+            email=args.email,
            language=language,
            is_allow_register=FeatureService.get_system_features().is_allow_register,
        )
@@ -87,16 +103,7 @@ class ForgotPasswordSendEmailApi(Resource):
 class ForgotPasswordCheckApi(Resource):
    @console_ns.doc("check_forgot_password_code")
    @console_ns.doc(description="Verify password reset code")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[ForgotPasswordCheckPayload.__name__])
        console_ns.model(
            "ForgotPasswordCheckRequest",
            {
                "email": fields.String(required=True, description="Email address"),
                "code": fields.String(required=True, description="Verification code"),
                "token": fields.String(required=True, description="Reset token"),
            },
        )
    )
    @console_ns.response(
        200,
        "Code verified successfully",
@@ -113,40 +120,34 @@ class ForgotPasswordCheckApi(Resource):
    @setup_required
    @email_password_login_enabled
    def post(self):
-        parser = (
+        args = ForgotPasswordCheckPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=str, required=True, location="json")
            .add_argument("code", type=str, required=True, location="json")
            .add_argument("token", type=str, required=True, nullable=False, location="json")
        )
        args = parser.parse_args()
-        user_email = args["email"]
+        user_email = args.email
-        is_forgot_password_error_rate_limit = AccountService.is_forgot_password_error_rate_limit(args["email"])
+        is_forgot_password_error_rate_limit = AccountService.is_forgot_password_error_rate_limit(args.email)
        if is_forgot_password_error_rate_limit:
            raise EmailPasswordResetLimitError()
-        token_data = AccountService.get_reset_password_data(args["token"])
+        token_data = AccountService.get_reset_password_data(args.token)
        if token_data is None:
            raise InvalidTokenError()
        if user_email != token_data.get("email"):
            raise InvalidEmailError()
-        if args["code"] != token_data.get("code"):
+        if args.code != token_data.get("code"):
-            AccountService.add_forgot_password_error_rate_limit(args["email"])
+            AccountService.add_forgot_password_error_rate_limit(args.email)
            raise EmailCodeError()
        # Verified, revoke the first token
-        AccountService.revoke_reset_password_token(args["token"])
+        AccountService.revoke_reset_password_token(args.token)
        # Refresh token data by generating a new token
        _, new_token = AccountService.generate_reset_password_token(
-            user_email, code=args["code"], additional_data={"phase": "reset"}
+            user_email, code=args.code, additional_data={"phase": "reset"}
        )
-        AccountService.reset_forgot_password_error_rate_limit(args["email"])
+        AccountService.reset_forgot_password_error_rate_limit(args.email)
        return {"is_valid": True, "email": token_data.get("email"), "token": new_token}
@@ -154,16 +155,7 @@ class ForgotPasswordCheckApi(Resource):
 class ForgotPasswordResetApi(Resource):
    @console_ns.doc("reset_password")
    @console_ns.doc(description="Reset password with verification token")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[ForgotPasswordResetPayload.__name__])
        console_ns.model(
            "ForgotPasswordResetRequest",
            {
                "token": fields.String(required=True, description="Verification token"),
                "new_password": fields.String(required=True, description="New password"),
                "password_confirm": fields.String(required=True, description="Password confirmation"),
            },
        )
    )
    @console_ns.response(
        200,
        "Password reset successfully",
@@ -173,20 +165,14 @@ class ForgotPasswordResetApi(Resource):
    @setup_required
    @email_password_login_enabled
    def post(self):
-        parser = (
+        args = ForgotPasswordResetPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("token", type=str, required=True, nullable=False, location="json")
            .add_argument("new_password", type=valid_password, required=True, nullable=False, location="json")
            .add_argument("password_confirm", type=valid_password, required=True, nullable=False, location="json")
        )
        args = parser.parse_args()
        # Validate passwords match
-        if args["new_password"] != args["password_confirm"]:
+        if args.new_password != args.password_confirm:
            raise PasswordMismatchError()
        # Validate token and get reset data
-        reset_data = AccountService.get_reset_password_data(args["token"])
+        reset_data = AccountService.get_reset_password_data(args.token)
        if not reset_data:
            raise InvalidTokenError()
        # Must use token in reset phase
@@ -194,11 +180,11 @@ class ForgotPasswordResetApi(Resource):
            raise InvalidTokenError()
        # Revoke token to prevent reuse
-        AccountService.revoke_reset_password_token(args["token"])
+        AccountService.revoke_reset_password_token(args.token)
        # Generate secure salt and hash password
        salt = secrets.token_bytes(16)
-        password_hashed = hash_password(args["new_password"], salt)
+        password_hashed = hash_password(args.new_password, salt)
        email = reset_data.get("email", "")
--- a/api/controllers/console/auth/login.py
+++ b/api/controllers/console/auth/login.py
@@ -1,6 +1,7 @@
 import flask_login
 from flask import make_response, request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 import services
 from configs import dify_config
@@ -23,7 +24,7 @@ from controllers.console.error import (
 )
 from controllers.console.wraps import email_password_login_enabled, setup_required
 from events.tenant_event import tenant_was_created
-from libs.helper import email, extract_remote_ip
+from libs.helper import EmailStr, extract_remote_ip
 from libs.login import current_account_with_tenant
 from libs.token import (
    clear_access_token_from_cookie,
@@ -40,6 +41,36 @@ from services.errors.account import AccountRegisterError
 from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
 from services.feature_service import FeatureService
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class LoginPayload(BaseModel):
    email: EmailStr = Field(..., description="Email address")
    password: str = Field(..., description="Password")
    remember_me: bool = Field(default=False, description="Remember me flag")
    invite_token: str | None = Field(default=None, description="Invitation token")
 class EmailPayload(BaseModel):
    email: EmailStr = Field(...)
    language: str | None = Field(default=None)
 class EmailCodeLoginPayload(BaseModel):
    email: EmailStr = Field(...)
    code: str = Field(...)
    token: str = Field(...)
    language: str | None = Field(default=None)
 def reg(cls: type[BaseModel]):
    console_ns.schema_model(cls.__name__, cls.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
 reg(LoginPayload)
 reg(EmailPayload)
 reg(EmailCodeLoginPayload)
@console_ns.route("/login")
 class LoginApi(Resource):
@@ -47,41 +78,36 @@ class LoginApi(Resource):
    @setup_required
    @email_password_login_enabled
    @console_ns.expect(console_ns.models[LoginPayload.__name__])
    def post(self):
        """Authenticate user and login."""
-        parser = (
+        args = LoginPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=email, required=True, location="json")
            .add_argument("password", type=str, required=True, location="json")
            .add_argument("remember_me", type=bool, required=False, default=False, location="json")
            .add_argument("invite_token", type=str, required=False, default=None, location="json")
        )
        args = parser.parse_args()
-        if dify_config.BILLING_ENABLED and BillingService.is_email_in_freeze(args["email"]):
+        if dify_config.BILLING_ENABLED and BillingService.is_email_in_freeze(args.email):
            raise AccountInFreezeError()
-        is_login_error_rate_limit = AccountService.is_login_error_rate_limit(args["email"])
+        is_login_error_rate_limit = AccountService.is_login_error_rate_limit(args.email)
        if is_login_error_rate_limit:
            raise EmailPasswordLoginLimitError()
-        invitation = args["invite_token"]
+        # TODO: why invitation is re-assigned with different type?
        invitation = args.invite_token  # type: ignore
        if invitation:
-            invitation = RegisterService.get_invitation_if_token_valid(None, args["email"], invitation)
+            invitation = RegisterService.get_invitation_if_token_valid(None, args.email, invitation)  # type: ignore
        try:
            if invitation:
-                data = invitation.get("data", {})
+                data = invitation.get("data", {})  # type: ignore
                invitee_email = data.get("email") if data else None
-                if invitee_email != args["email"]:
+                if invitee_email != args.email:
                    raise InvalidEmailError()
-                account = AccountService.authenticate(args["email"], args["password"], args["invite_token"])
+                account = AccountService.authenticate(args.email, args.password, args.invite_token)
            else:
-                account = AccountService.authenticate(args["email"], args["password"])
+                account = AccountService.authenticate(args.email, args.password)
        except services.errors.account.AccountLoginError:
            raise AccountBannedError()
        except services.errors.account.AccountPasswordError:
-            AccountService.add_login_error_rate_limit(args["email"])
+            AccountService.add_login_error_rate_limit(args.email)
            raise AuthenticationFailedError()
        # SELF_HOSTED only have one workspace
        tenants = TenantService.get_join_tenants(account)
@@ -97,7 +123,7 @@ class LoginApi(Resource):
                }
        token_pair = AccountService.login(account=account, ip_address=extract_remote_ip(request))
-        AccountService.reset_login_error_rate_limit(args["email"])
+        AccountService.reset_login_error_rate_limit(args.email)
        # Create response with cookies instead of returning tokens in body
        response = make_response({"result": "success"})
@@ -134,25 +160,21 @@ class LogoutApi(Resource):
 class ResetPasswordSendEmailApi(Resource):
    @setup_required
    @email_password_login_enabled
    @console_ns.expect(console_ns.models[EmailPayload.__name__])
    def post(self):
-        parser = (
+        args = EmailPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=email, required=True, location="json")
            .add_argument("language", type=str, required=False, location="json")
        )
        args = parser.parse_args()
-        if args["language"] is not None and args["language"] == "zh-Hans":
+        if args.language is not None and args.language == "zh-Hans":
            language = "zh-Hans"
        else:
            language = "en-US"
        try:
-            account = AccountService.get_user_through_email(args["email"])
+            account = AccountService.get_user_through_email(args.email)
        except AccountRegisterError:
            raise AccountInFreezeError()
        token = AccountService.send_reset_password_email(
-            email=args["email"],
+            email=args.email,
            account=account,
            language=language,
            is_allow_register=FeatureService.get_system_features().is_allow_register,
@@ -164,30 +186,26 @@ class ResetPasswordSendEmailApi(Resource):
@console_ns.route("/email-code-login")
 class EmailCodeLoginSendEmailApi(Resource):
    @setup_required
    @console_ns.expect(console_ns.models[EmailPayload.__name__])
    def post(self):
-        parser = (
+        args = EmailPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=email, required=True, location="json")
            .add_argument("language", type=str, required=False, location="json")
        )
        args = parser.parse_args()
        ip_address = extract_remote_ip(request)
        if AccountService.is_email_send_ip_limit(ip_address):
            raise EmailSendIpLimitError()
-        if args["language"] is not None and args["language"] == "zh-Hans":
+        if args.language is not None and args.language == "zh-Hans":
            language = "zh-Hans"
        else:
            language = "en-US"
        try:
-            account = AccountService.get_user_through_email(args["email"])
+            account = AccountService.get_user_through_email(args.email)
        except AccountRegisterError:
            raise AccountInFreezeError()
        if account is None:
            if FeatureService.get_system_features().is_allow_register:
-                token = AccountService.send_email_code_login_email(email=args["email"], language=language)
+                token = AccountService.send_email_code_login_email(email=args.email, language=language)
            else:
                raise AccountNotFound()
        else:
@@ -199,30 +217,24 @@ class EmailCodeLoginSendEmailApi(Resource):
@console_ns.route("/email-code-login/validity")
 class EmailCodeLoginApi(Resource):
    @setup_required
    @console_ns.expect(console_ns.models[EmailCodeLoginPayload.__name__])
    def post(self):
-        parser = (
+        args = EmailCodeLoginPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=str, required=True, location="json")
            .add_argument("code", type=str, required=True, location="json")
            .add_argument("token", type=str, required=True, location="json")
            .add_argument("language", type=str, required=False, location="json")
        )
        args = parser.parse_args()
-        user_email = args["email"]
+        user_email = args.email
-        language = args["language"]
+        language = args.language
-        token_data = AccountService.get_email_code_login_data(args["token"])
+        token_data = AccountService.get_email_code_login_data(args.token)
        if token_data is None:
            raise InvalidTokenError()
-        if token_data["email"] != args["email"]:
+        if token_data["email"] != args.email:
            raise InvalidEmailError()
-        if token_data["code"] != args["code"]:
+        if token_data["code"] != args.code:
            raise EmailCodeError()
-        AccountService.revoke_email_code_login_token(args["token"])
+        AccountService.revoke_email_code_login_token(args.token)
        try:
            account = AccountService.get_user_through_email(user_email)
        except AccountRegisterError:
@@ -255,7 +267,7 @@ class EmailCodeLoginApi(Resource):
            except WorkspacesLimitExceededError:
                raise WorkspacesLimitExceeded()
        token_pair = AccountService.login(account, ip_address=extract_remote_ip(request))
-        AccountService.reset_login_error_rate_limit(args["email"])
+        AccountService.reset_login_error_rate_limit(args.email)
        # Create response with cookies instead of returning tokens in body
        response = make_response({"result": "success"})
--- a/api/controllers/console/auth/oauth_server.py
+++ b/api/controllers/console/auth/oauth_server.py
@@ -3,7 +3,8 @@ from functools import wraps
 from typing import Concatenate, ParamSpec, TypeVar
 from flask import jsonify, request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel
 from werkzeug.exceptions import BadRequest, NotFound
 from controllers.console.wraps import account_initialization_required, setup_required
@@ -20,15 +21,34 @@ R = TypeVar("R")
 T = TypeVar("T")
 class OAuthClientPayload(BaseModel):
    client_id: str
 class OAuthProviderRequest(BaseModel):
    client_id: str
    redirect_uri: str
 class OAuthTokenRequest(BaseModel):
    client_id: str
    grant_type: str
    code: str | None = None
    client_secret: str | None = None
    redirect_uri: str | None = None
    refresh_token: str | None = None
 def oauth_server_client_id_required(view: Callable[Concatenate[T, OAuthProviderApp, P], R]):
    @wraps(view)
    def decorated(self: T, *args: P.args, **kwargs: P.kwargs):
-        parser = reqparse.RequestParser().add_argument("client_id", type=str, required=True, location="json")
+        json_data = request.get_json()
-        parsed_args = parser.parse_args()
+        if json_data is None:
        client_id = parsed_args.get("client_id")
        if not client_id:
            raise BadRequest("client_id is required")
        payload = OAuthClientPayload.model_validate(json_data)
        client_id = payload.client_id
        oauth_provider_app = OAuthServerService.get_oauth_provider_app(client_id)
        if not oauth_provider_app:
            raise NotFound("client_id is invalid")
@@ -89,9 +109,8 @@ class OAuthServerAppApi(Resource):
    @setup_required
    @oauth_server_client_id_required
    def post(self, oauth_provider_app: OAuthProviderApp):
-        parser = reqparse.RequestParser().add_argument("redirect_uri", type=str, required=True, location="json")
+        payload = OAuthProviderRequest.model_validate(request.get_json())
-        parsed_args = parser.parse_args()
+        redirect_uri = payload.redirect_uri
        redirect_uri = parsed_args.get("redirect_uri")
        # check if redirect_uri is valid
        if redirect_uri not in oauth_provider_app.redirect_uris:
@@ -130,33 +149,25 @@ class OAuthServerUserTokenApi(Resource):
    @setup_required
    @oauth_server_client_id_required
    def post(self, oauth_provider_app: OAuthProviderApp):
-        parser = (
+        payload = OAuthTokenRequest.model_validate(request.get_json())
            reqparse.RequestParser()
            .add_argument("grant_type", type=str, required=True, location="json")
            .add_argument("code", type=str, required=False, location="json")
            .add_argument("client_secret", type=str, required=False, location="json")
            .add_argument("redirect_uri", type=str, required=False, location="json")
            .add_argument("refresh_token", type=str, required=False, location="json")
        )
        parsed_args = parser.parse_args()
        try:
-            grant_type = OAuthGrantType(parsed_args["grant_type"])
+            grant_type = OAuthGrantType(payload.grant_type)
        except ValueError:
            raise BadRequest("invalid grant_type")
        if grant_type == OAuthGrantType.AUTHORIZATION_CODE:
-            if not parsed_args["code"]:
+            if not payload.code:
                raise BadRequest("code is required")
-            if parsed_args["client_secret"] != oauth_provider_app.client_secret:
+            if payload.client_secret != oauth_provider_app.client_secret:
                raise BadRequest("client_secret is invalid")
-            if parsed_args["redirect_uri"] not in oauth_provider_app.redirect_uris:
+            if payload.redirect_uri not in oauth_provider_app.redirect_uris:
                raise BadRequest("redirect_uri is invalid")
            access_token, refresh_token = OAuthServerService.sign_oauth_access_token(
-                grant_type, code=parsed_args["code"], client_id=oauth_provider_app.client_id
+                grant_type, code=payload.code, client_id=oauth_provider_app.client_id
            )
            return jsonable_encoder(
                {
@@ -167,11 +178,11 @@ class OAuthServerUserTokenApi(Resource):
                }
            )
        elif grant_type == OAuthGrantType.REFRESH_TOKEN:
-            if not parsed_args["refresh_token"]:
+            if not payload.refresh_token:
                raise BadRequest("refresh_token is required")
            access_token, refresh_token = OAuthServerService.sign_oauth_access_token(
-                grant_type, refresh_token=parsed_args["refresh_token"], client_id=oauth_provider_app.client_id
+                grant_type, refresh_token=payload.refresh_token, client_id=oauth_provider_app.client_id
            )
            return jsonable_encoder(
                {
--- a/api/controllers/console/billing/billing.py
+++ b/api/controllers/console/billing/billing.py
@@ -1,6 +1,8 @@
 import base64
-from flask_restx import Resource, fields, reqparse
+from flask import request
 from flask_restx import Resource, fields
 from pydantic import BaseModel, Field, field_validator
 from werkzeug.exceptions import BadRequest
 from controllers.console import console_ns
@@ -9,6 +11,35 @@ from enums.cloud_plan import CloudPlan
 from libs.login import current_account_with_tenant, login_required
 from services.billing_service import BillingService
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class SubscriptionQuery(BaseModel):
    plan: str = Field(..., description="Subscription plan")
    interval: str = Field(..., description="Billing interval")
    @field_validator("plan")
    @classmethod
    def validate_plan(cls, value: str) -> str:
        if value not in [CloudPlan.PROFESSIONAL, CloudPlan.TEAM]:
            raise ValueError("Invalid plan")
        return value
    @field_validator("interval")
    @classmethod
    def validate_interval(cls, value: str) -> str:
        if value not in {"month", "year"}:
            raise ValueError("Invalid interval")
        return value
 class PartnerTenantsPayload(BaseModel):
    click_id: str = Field(..., description="Click Id from partner referral link")
 for model in (SubscriptionQuery, PartnerTenantsPayload):
    console_ns.schema_model(model.__name__, model.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
@console_ns.route("/billing/subscription")
 class Subscription(Resource):
@@ -18,20 +49,9 @@ class Subscription(Resource):
    @only_edition_cloud
    def get(self):
        current_user, current_tenant_id = current_account_with_tenant()
-        parser = (
+        args = SubscriptionQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
            reqparse.RequestParser()
            .add_argument(
                "plan",
                type=str,
                required=True,
                location="args",
                choices=[CloudPlan.PROFESSIONAL, CloudPlan.TEAM],
            )
            .add_argument("interval", type=str, required=True, location="args", choices=["month", "year"])
        )
        args = parser.parse_args()
        BillingService.is_tenant_owner_or_admin(current_user)
-        return BillingService.get_subscription(args["plan"], args["interval"], current_user.email, current_tenant_id)
+        return BillingService.get_subscription(args.plan, args.interval, current_user.email, current_tenant_id)
@console_ns.route("/billing/invoices")
@@ -65,11 +85,10 @@ class PartnerTenants(Resource):
    @only_edition_cloud
    def put(self, partner_key: str):
        current_user, _ = current_account_with_tenant()
        parser = reqparse.RequestParser().add_argument("click_id", required=True, type=str, location="json")
        args = parser.parse_args()
        try:
-            click_id = args["click_id"]
+            args = PartnerTenantsPayload.model_validate(console_ns.payload or {})
            click_id = args.click_id
            decoded_partner_key = base64.b64decode(partner_key).decode("utf-8")
        except Exception:
            raise BadRequest("Invalid partner_key")
--- a/api/controllers/console/billing/compliance.py
+++ b/api/controllers/console/billing/compliance.py
@@ -1,5 +1,6 @@
 from flask import request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from libs.helper import extract_remote_ip
 from libs.login import current_account_with_tenant, login_required
@@ -9,16 +10,28 @@ from .. import console_ns
 from ..wraps import account_initialization_required, only_edition_cloud, setup_required
 class ComplianceDownloadQuery(BaseModel):
    doc_name: str = Field(..., description="Compliance document name")
 console_ns.schema_model(
    ComplianceDownloadQuery.__name__,
    ComplianceDownloadQuery.model_json_schema(ref_template="#/definitions/{model}"),
 )
@console_ns.route("/compliance/download")
 class ComplianceApi(Resource):
    @console_ns.expect(console_ns.models[ComplianceDownloadQuery.__name__])
    @console_ns.doc("download_compliance_document")
    @console_ns.doc(description="Get compliance document download link")
    @setup_required
    @login_required
    @account_initialization_required
    @only_edition_cloud
    def get(self):
        current_user, current_tenant_id = current_account_with_tenant()
-        parser = reqparse.RequestParser().add_argument("doc_name", type=str, required=True, location="args")
+        args = ComplianceDownloadQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
        args = parser.parse_args()
        ip_address = extract_remote_ip(request)
        device_info = request.headers.get("User-Agent", "Unknown device")
--- a/api/controllers/console/datasets/data_source.py
+++ b/api/controllers/console/datasets/data_source.py
@@ -1,15 +1,15 @@
 import json
 from collections.abc import Generator
-from typing import cast
+from typing import Any, cast
 from flask import request
-from flask_restx import Resource, marshal_with, reqparse
+from flask_restx import Resource, marshal_with
 from pydantic import BaseModel, Field
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import NotFound
-from controllers.console import console_ns
+from controllers.common.schema import register_schema_model
 from controllers.console.wraps import account_initialization_required, setup_required
 from core.datasource.entities.datasource_entities import DatasourceProviderType, OnlineDocumentPagesMessage
 from core.datasource.online_document.online_document_plugin import OnlineDocumentDatasourcePlugin
 from core.indexing_runner import IndexingRunner
@@ -25,6 +25,19 @@ from services.dataset_service import DatasetService, DocumentService
 from services.datasource_provider_service import DatasourceProviderService
 from tasks.document_indexing_sync_task import document_indexing_sync_task
 from .. import console_ns
 from ..wraps import account_initialization_required, setup_required
 class NotionEstimatePayload(BaseModel):
    notion_info_list: list[dict[str, Any]]
    process_rule: dict[str, Any]
    doc_form: str = Field(default="text_model")
    doc_language: str = Field(default="English")
 register_schema_model(console_ns, NotionEstimatePayload)
@console_ns.route(
    "/data-source/integrates",
@@ -243,20 +256,15 @@ class DataSourceNotionApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
    @console_ns.expect(console_ns.models[NotionEstimatePayload.__name__])
    def post(self):
        _, current_tenant_id = current_account_with_tenant()
-        parser = (
+        payload = NotionEstimatePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        args = payload.model_dump()
            .add_argument("notion_info_list", type=list, required=True, nullable=True, location="json")
            .add_argument("process_rule", type=dict, required=True, nullable=True, location="json")
            .add_argument("doc_form", type=str, default="text_model", required=False, nullable=False, location="json")
            .add_argument("doc_language", type=str, default="English", required=False, nullable=False, location="json")
        )
        args = parser.parse_args()
        # validate args
        DocumentService.estimate_args_validate(args)
-        notion_info_list = args["notion_info_list"]
+        notion_info_list = payload.notion_info_list
        extract_settings = []
        for notion_info in notion_info_list:
            workspace_id = notion_info["workspace_id"]
--- a/api/controllers/console/datasets/datasets.py
+++ b/api/controllers/console/datasets/datasets.py
@@ -1,12 +1,14 @@
 from typing import Any, cast
 from flask import request
-from flask_restx import Resource, fields, marshal, marshal_with, reqparse
+from flask_restx import Resource, fields, marshal, marshal_with
 from pydantic import BaseModel, Field, field_validator
 from sqlalchemy import select
 from werkzeug.exceptions import Forbidden, NotFound
 import services
 from configs import dify_config
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.apikey import (
    api_key_item_model,
@@ -48,7 +50,6 @@ from fields.dataset_fields import (
 )
 from fields.document_fields import document_status_fields
 from libs.login import current_account_with_tenant, login_required
 from libs.validators import validate_description_length
 from models import ApiToken, Dataset, Document, DocumentSegment, UploadFile
 from models.dataset import DatasetPermissionEnum
 from models.provider_ids import ModelProviderID
@@ -107,10 +108,75 @@ related_app_list_copy["data"] = fields.List(fields.Nested(app_detail_kernel_mode
 related_app_list_model = _get_or_create_model("RelatedAppList", related_app_list_copy)
-def _validate_name(name: str) -> str:
+def _validate_indexing_technique(value: str | None) -> str | None:
-    if not name or len(name) < 1 or len(name) > 40:
+    if value is None:
-        raise ValueError("Name must be between 1 to 40 characters.")
+        return value
-    return name
+    if value not in Dataset.INDEXING_TECHNIQUE_LIST:
        raise ValueError("Invalid indexing technique.")
    return value
 class DatasetCreatePayload(BaseModel):
    name: str = Field(..., min_length=1, max_length=40)
    description: str = Field("", max_length=400)
    indexing_technique: str | None = None
    permission: DatasetPermissionEnum | None = DatasetPermissionEnum.ONLY_ME
    provider: str = "vendor"
    external_knowledge_api_id: str | None = None
    external_knowledge_id: str | None = None
    @field_validator("indexing_technique")
    @classmethod
    def validate_indexing(cls, value: str | None) -> str | None:
        return _validate_indexing_technique(value)
    @field_validator("provider")
    @classmethod
    def validate_provider(cls, value: str) -> str:
        if value not in Dataset.PROVIDER_LIST:
            raise ValueError("Invalid provider.")
        return value
 class DatasetUpdatePayload(BaseModel):
    name: str | None = Field(None, min_length=1, max_length=40)
    description: str | None = Field(None, max_length=400)
    permission: DatasetPermissionEnum | None = None
    indexing_technique: str | None = None
    embedding_model: str | None = None
    embedding_model_provider: str | None = None
    retrieval_model: dict[str, Any] | None = None
    partial_member_list: list[str] | None = None
    external_retrieval_model: dict[str, Any] | None = None
    external_knowledge_id: str | None = None
    external_knowledge_api_id: str | None = None
    icon_info: dict[str, Any] | None = None
    is_multimodal: bool | None = False
    @field_validator("indexing_technique")
    @classmethod
    def validate_indexing(cls, value: str | None) -> str | None:
        return _validate_indexing_technique(value)
 class IndexingEstimatePayload(BaseModel):
    info_list: dict[str, Any]
    process_rule: dict[str, Any]
    indexing_technique: str
    doc_form: str = "text_model"
    dataset_id: str | None = None
    doc_language: str = "English"
    @field_validator("indexing_technique")
    @classmethod
    def validate_indexing(cls, value: str) -> str:
        result = _validate_indexing_technique(value)
        if result is None:
            raise ValueError("indexing_technique is required.")
        return result
 register_schema_models(console_ns, DatasetCreatePayload, DatasetUpdatePayload, IndexingEstimatePayload)
 def _get_retrieval_methods_by_vector_type(vector_type: str | None, is_mock: bool = False) -> dict[str, list[str]]:
@@ -157,6 +223,7 @@ def _get_retrieval_methods_by_vector_type(vector_type: str | None, is_mock: bool
        VectorType.COUCHBASE,
        VectorType.OPENGAUSS,
        VectorType.OCEANBASE,
        VectorType.SEEKDB,
        VectorType.TABLESTORE,
        VectorType.HUAWEI_CLOUD,
        VectorType.TENCENT,
@@ -164,6 +231,7 @@ def _get_retrieval_methods_by_vector_type(vector_type: str | None, is_mock: bool
        VectorType.CLICKZETTA,
        VectorType.BAIDU,
        VectorType.ALIBABACLOUD_MYSQL,
        VectorType.IRIS,
    }
    semantic_methods = {"retrieval_method": [RetrievalMethod.SEMANTIC_SEARCH.value]}
@@ -255,20 +323,7 @@ class DatasetListApi(Resource):
    @console_ns.doc("create_dataset")
    @console_ns.doc(description="Create a new dataset")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[DatasetCreatePayload.__name__])
        console_ns.model(
            "CreateDatasetRequest",
            {
                "name": fields.String(required=True, description="Dataset name (1-40 characters)"),
                "description": fields.String(description="Dataset description (max 400 characters)"),
                "indexing_technique": fields.String(description="Indexing technique"),
                "permission": fields.String(description="Dataset permission"),
                "provider": fields.String(description="Provider"),
                "external_knowledge_api_id": fields.String(description="External knowledge API ID"),
                "external_knowledge_id": fields.String(description="External knowledge ID"),
            },
        )
    )
    @console_ns.response(201, "Dataset created successfully")
    @console_ns.response(400, "Invalid request parameters")
    @setup_required
@@ -276,52 +331,7 @@ class DatasetListApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_rate_limit_check("knowledge")
    def post(self):
-        parser = (
+        payload = DatasetCreatePayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument(
                "name",
                nullable=False,
                required=True,
                help="type is required. Name must be between 1 to 40 characters.",
                type=_validate_name,
            )
            .add_argument(
                "description",
                type=validate_description_length,
                nullable=True,
                required=False,
                default="",
            )
            .add_argument(
                "indexing_technique",
                type=str,
                location="json",
                choices=Dataset.INDEXING_TECHNIQUE_LIST,
                nullable=True,
                help="Invalid indexing technique.",
            )
            .add_argument(
                "external_knowledge_api_id",
                type=str,
                nullable=True,
                required=False,
            )
            .add_argument(
                "provider",
                type=str,
                nullable=True,
                choices=Dataset.PROVIDER_LIST,
                required=False,
                default="vendor",
            )
            .add_argument(
                "external_knowledge_id",
                type=str,
                nullable=True,
                required=False,
            )
        )
        args = parser.parse_args()
        current_user, current_tenant_id = current_account_with_tenant()
        # The role of the current user in the ta table must be admin, owner, or editor, or dataset_operator
@@ -331,14 +341,14 @@ class DatasetListApi(Resource):
        try:
            dataset = DatasetService.create_empty_dataset(
                tenant_id=current_tenant_id,
-                name=args["name"],
+                name=payload.name,
-                description=args["description"],
+                description=payload.description,
-                indexing_technique=args["indexing_technique"],
+                indexing_technique=payload.indexing_technique,
                account=current_user,
-                permission=DatasetPermissionEnum.ONLY_ME,
+                permission=payload.permission or DatasetPermissionEnum.ONLY_ME,
-                provider=args["provider"],
+                provider=payload.provider,
-                external_knowledge_api_id=args["external_knowledge_api_id"],
+                external_knowledge_api_id=payload.external_knowledge_api_id,
-                external_knowledge_id=args["external_knowledge_id"],
+                external_knowledge_id=payload.external_knowledge_id,
            )
        except services.errors.dataset.DatasetNameDuplicateError:
            raise DatasetNameDuplicateError()
@@ -399,18 +409,7 @@ class DatasetApi(Resource):
    @console_ns.doc("update_dataset")
    @console_ns.doc(description="Update dataset details")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[DatasetUpdatePayload.__name__])
        console_ns.model(
            "UpdateDatasetRequest",
            {
                "name": fields.String(description="Dataset name"),
                "description": fields.String(description="Dataset description"),
                "permission": fields.String(description="Dataset permission"),
                "indexing_technique": fields.String(description="Indexing technique"),
                "external_retrieval_model": fields.Raw(description="External retrieval model settings"),
            },
        )
    )
    @console_ns.response(200, "Dataset updated successfully", dataset_detail_model)
    @console_ns.response(404, "Dataset not found")
    @console_ns.response(403, "Permission denied")
@@ -424,93 +423,25 @@ class DatasetApi(Resource):
        if dataset is None:
            raise NotFound("Dataset not found.")
-        parser = (
+        payload = DatasetUpdatePayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument(
                "name",
                nullable=False,
                help="type is required. Name must be between 1 to 40 characters.",
                type=_validate_name,
            )
            .add_argument("description", location="json", store_missing=False, type=validate_description_length)
            .add_argument(
                "indexing_technique",
                type=str,
                location="json",
                choices=Dataset.INDEXING_TECHNIQUE_LIST,
                nullable=True,
                help="Invalid indexing technique.",
            )
            .add_argument(
                "permission",
                type=str,
                location="json",
                choices=(
                    DatasetPermissionEnum.ONLY_ME,
                    DatasetPermissionEnum.ALL_TEAM,
                    DatasetPermissionEnum.PARTIAL_TEAM,
                ),
                help="Invalid permission.",
            )
            .add_argument("embedding_model", type=str, location="json", help="Invalid embedding model.")
            .add_argument(
                "embedding_model_provider", type=str, location="json", help="Invalid embedding model provider."
            )
            .add_argument("retrieval_model", type=dict, location="json", help="Invalid retrieval model.")
            .add_argument("partial_member_list", type=list, location="json", help="Invalid parent user list.")
            .add_argument(
                "external_retrieval_model",
                type=dict,
                required=False,
                nullable=True,
                location="json",
                help="Invalid external retrieval model.",
            )
            .add_argument(
                "external_knowledge_id",
                type=str,
                required=False,
                nullable=True,
                location="json",
                help="Invalid external knowledge id.",
            )
            .add_argument(
                "external_knowledge_api_id",
                type=str,
                required=False,
                nullable=True,
                location="json",
                help="Invalid external knowledge api id.",
            )
            .add_argument(
                "icon_info",
                type=dict,
                required=False,
                nullable=True,
                location="json",
                help="Invalid icon info.",
            )
        )
        args = parser.parse_args()
        data = request.get_json()
        current_user, current_tenant_id = current_account_with_tenant()
        # check embedding model setting
        if (
-            data.get("indexing_technique") == "high_quality"
+            payload.indexing_technique == "high_quality"
-            and data.get("embedding_model_provider") is not None
+            and payload.embedding_model_provider is not None
-            and data.get("embedding_model") is not None
+            and payload.embedding_model is not None
        ):
-            DatasetService.check_embedding_model_setting(
+            is_multimodal = DatasetService.check_is_multimodal_model(
-                dataset.tenant_id, data.get("embedding_model_provider"), data.get("embedding_model")
+                dataset.tenant_id, payload.embedding_model_provider, payload.embedding_model
            )
-
+            payload.is_multimodal = is_multimodal
        payload_data = payload.model_dump(exclude_unset=True)
        # The role of the current user in the ta table must be admin, owner, editor, or dataset_operator
        DatasetPermissionService.check_permission(
-            current_user, dataset, data.get("permission"), data.get("partial_member_list")
+            current_user, dataset, payload.permission, payload.partial_member_list
        )
-        dataset = DatasetService.update_dataset(dataset_id_str, args, current_user)
+        dataset = DatasetService.update_dataset(dataset_id_str, payload_data, current_user)
        if dataset is None:
            raise NotFound("Dataset not found.")
@@ -518,15 +449,10 @@ class DatasetApi(Resource):
        result_data = cast(dict[str, Any], marshal(dataset, dataset_detail_fields))
        tenant_id = current_tenant_id
-        if data.get("partial_member_list") and data.get("permission") == "partial_members":
+        if payload.partial_member_list is not None and payload.permission == DatasetPermissionEnum.PARTIAL_TEAM:
-            DatasetPermissionService.update_partial_member_list(
+            DatasetPermissionService.update_partial_member_list(tenant_id, dataset_id_str, payload.partial_member_list)
                tenant_id, dataset_id_str, data.get("partial_member_list")
            )
        # clear partial member list when permission is only_me or all_team_members
-        elif (
+        elif payload.permission in {DatasetPermissionEnum.ONLY_ME, DatasetPermissionEnum.ALL_TEAM}:
            data.get("permission") == DatasetPermissionEnum.ONLY_ME
            or data.get("permission") == DatasetPermissionEnum.ALL_TEAM
        ):
            DatasetPermissionService.clear_partial_member_list(dataset_id_str)
        partial_member_list = DatasetPermissionService.get_dataset_partial_member_list(dataset_id_str)
@@ -615,24 +541,10 @@ class DatasetIndexingEstimateApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
    @console_ns.expect(console_ns.models[IndexingEstimatePayload.__name__])
    def post(self):
-        parser = (
+        payload = IndexingEstimatePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        args = payload.model_dump()
            .add_argument("info_list", type=dict, required=True, nullable=True, location="json")
            .add_argument("process_rule", type=dict, required=True, nullable=True, location="json")
            .add_argument(
                "indexing_technique",
                type=str,
                required=True,
                choices=Dataset.INDEXING_TECHNIQUE_LIST,
                nullable=True,
                location="json",
            )
            .add_argument("doc_form", type=str, default="text_model", required=False, nullable=False, location="json")
            .add_argument("dataset_id", type=str, required=False, nullable=False, location="json")
            .add_argument("doc_language", type=str, default="English", required=False, nullable=False, location="json")
        )
        args = parser.parse_args()
        _, current_tenant_id = current_account_with_tenant()
        # validate args
        DocumentService.estimate_args_validate(args)
--- a/api/controllers/console/datasets/datasets_document.py
+++ b/api/controllers/console/datasets/datasets_document.py
@@ -6,31 +6,14 @@ from typing import Literal, cast
 import sqlalchemy as sa
 from flask import request
-from flask_restx import Resource, fields, marshal, marshal_with, reqparse
+from flask_restx import Resource, fields, marshal, marshal_with
 from pydantic import BaseModel
 from sqlalchemy import asc, desc, select
 from werkzeug.exceptions import Forbidden, NotFound
 import services
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.error import (
    ProviderModelCurrentlyNotSupportError,
    ProviderNotInitializeError,
    ProviderQuotaExceededError,
 )
 from controllers.console.datasets.error import (
    ArchivedDocumentImmutableError,
    DocumentAlreadyFinishedError,
    DocumentIndexingError,
    IndexingEstimateError,
    InvalidActionError,
    InvalidMetadataError,
 )
 from controllers.console.wraps import (
    account_initialization_required,
    cloud_edition_billing_rate_limit_check,
    cloud_edition_billing_resource_check,
    setup_required,
 )
 from core.errors.error import (
    LLMBadRequestError,
    ModelCurrentlyNotSupportError,
@@ -55,10 +38,30 @@ from fields.document_fields import (
 )
 from libs.datetime_utils import naive_utc_now
 from libs.login import current_account_with_tenant, login_required
-from models import Dataset, DatasetProcessRule, Document, DocumentSegment, UploadFile
+from models import DatasetProcessRule, Document, DocumentSegment, UploadFile
 from models.dataset import DocumentPipelineExecutionLog
 from services.dataset_service import DatasetService, DocumentService
-from services.entities.knowledge_entities.knowledge_entities import KnowledgeConfig
+from services.entities.knowledge_entities.knowledge_entities import KnowledgeConfig, ProcessRule, RetrievalModel
 from ..app.error import (
    ProviderModelCurrentlyNotSupportError,
    ProviderNotInitializeError,
    ProviderQuotaExceededError,
 )
 from ..datasets.error import (
    ArchivedDocumentImmutableError,
    DocumentAlreadyFinishedError,
    DocumentIndexingError,
    IndexingEstimateError,
    InvalidActionError,
    InvalidMetadataError,
 )
 from ..wraps import (
    account_initialization_required,
    cloud_edition_billing_rate_limit_check,
    cloud_edition_billing_resource_check,
    setup_required,
 )
 logger = logging.getLogger(__name__)
@@ -93,6 +96,24 @@ dataset_and_document_fields_copy["documents"] = fields.List(fields.Nested(docume
 dataset_and_document_model = _get_or_create_model("DatasetAndDocument", dataset_and_document_fields_copy)
 class DocumentRetryPayload(BaseModel):
    document_ids: list[str]
 class DocumentRenamePayload(BaseModel):
    name: str
 register_schema_models(
    console_ns,
    KnowledgeConfig,
    ProcessRule,
    RetrievalModel,
    DocumentRetryPayload,
    DocumentRenamePayload,
 )
 class DocumentResource(Resource):
    def get_document(self, dataset_id: str, document_id: str) -> Document:
        current_user, current_tenant_id = current_account_with_tenant()
@@ -201,8 +222,9 @@ class DatasetDocumentListApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
-    def get(self, dataset_id: str):
+    def get(self, dataset_id):
        current_user, current_tenant_id = current_account_with_tenant()
        dataset_id = str(dataset_id)
        page = request.args.get("page", default=1, type=int)
        limit = request.args.get("limit", default=20, type=int)
        search = request.args.get("keyword", default=None, type=str)
@@ -310,6 +332,7 @@ class DatasetDocumentListApi(Resource):
    @marshal_with(dataset_and_document_model)
    @cloud_edition_billing_resource_check("vector_space")
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[KnowledgeConfig.__name__])
    def post(self, dataset_id):
        current_user, _ = current_account_with_tenant()
        dataset_id = str(dataset_id)
@@ -328,23 +351,7 @@ class DatasetDocumentListApi(Resource):
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
-        parser = (
+        knowledge_config = KnowledgeConfig.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument(
                "indexing_technique", type=str, choices=Dataset.INDEXING_TECHNIQUE_LIST, nullable=False, location="json"
            )
            .add_argument("data_source", type=dict, required=False, location="json")
            .add_argument("process_rule", type=dict, required=False, location="json")
            .add_argument("duplicate", type=bool, default=True, nullable=False, location="json")
            .add_argument("original_document_id", type=str, required=False, location="json")
            .add_argument("doc_form", type=str, default="text_model", required=False, nullable=False, location="json")
            .add_argument("retrieval_model", type=dict, required=False, nullable=False, location="json")
            .add_argument("embedding_model", type=str, required=False, nullable=True, location="json")
            .add_argument("embedding_model_provider", type=str, required=False, nullable=True, location="json")
            .add_argument("doc_language", type=str, default="English", required=False, nullable=False, location="json")
        )
        args = parser.parse_args()
        knowledge_config = KnowledgeConfig.model_validate(args)
        if not dataset.indexing_technique and not knowledge_config.indexing_technique:
            raise ValueError("indexing_technique is required.")
@@ -390,17 +397,7 @@ class DatasetDocumentListApi(Resource):
 class DatasetInitApi(Resource):
    @console_ns.doc("init_dataset")
    @console_ns.doc(description="Initialize dataset with documents")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[KnowledgeConfig.__name__])
        console_ns.model(
            "DatasetInitRequest",
            {
                "upload_file_id": fields.String(required=True, description="Upload file ID"),
                "indexing_technique": fields.String(description="Indexing technique"),
                "process_rule": fields.Raw(description="Processing rules"),
                "data_source": fields.Raw(description="Data source configuration"),
            },
        )
    )
    @console_ns.response(201, "Dataset initialized successfully", dataset_and_document_model)
    @console_ns.response(400, "Invalid request parameters")
    @setup_required
@@ -415,27 +412,7 @@ class DatasetInitApi(Resource):
        if not current_user.is_dataset_editor:
            raise Forbidden()
-        parser = (
+        knowledge_config = KnowledgeConfig.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument(
                "indexing_technique",
                type=str,
                choices=Dataset.INDEXING_TECHNIQUE_LIST,
                required=True,
                nullable=False,
                location="json",
            )
            .add_argument("data_source", type=dict, required=True, nullable=True, location="json")
            .add_argument("process_rule", type=dict, required=True, nullable=True, location="json")
            .add_argument("doc_form", type=str, default="text_model", required=False, nullable=False, location="json")
            .add_argument("doc_language", type=str, default="English", required=False, nullable=False, location="json")
            .add_argument("retrieval_model", type=dict, required=False, nullable=False, location="json")
            .add_argument("embedding_model", type=str, required=False, nullable=True, location="json")
            .add_argument("embedding_model_provider", type=str, required=False, nullable=True, location="json")
        )
        args = parser.parse_args()
        knowledge_config = KnowledgeConfig.model_validate(args)
        if knowledge_config.indexing_technique == "high_quality":
            if knowledge_config.embedding_model is None or knowledge_config.embedding_model_provider is None:
                raise ValueError("embedding model and embedding model provider are required for high quality indexing.")
@@ -443,10 +420,14 @@ class DatasetInitApi(Resource):
                model_manager = ModelManager()
                model_manager.get_model_instance(
                    tenant_id=current_tenant_id,
-                    provider=args["embedding_model_provider"],
+                    provider=knowledge_config.embedding_model_provider,
                    model_type=ModelType.TEXT_EMBEDDING,
-                    model=args["embedding_model"],
+                    model=knowledge_config.embedding_model,
                )
                is_multimodal = DatasetService.check_is_multimodal_model(
                    current_tenant_id, knowledge_config.embedding_model_provider, knowledge_config.embedding_model
                )
                knowledge_config.is_multimodal = is_multimodal
            except InvokeAuthorizationError:
                raise ProviderNotInitializeError(
                    "No Embedding Model available. Please configure a valid provider in the Settings -> Model Provider."
@@ -1076,19 +1057,16 @@ class DocumentRetryApi(DocumentResource):
    @login_required
    @account_initialization_required
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[DocumentRetryPayload.__name__])
    def post(self, dataset_id):
        """retry document."""
-
+        payload = DocumentRetryPayload.model_validate(console_ns.payload or {})
        parser = reqparse.RequestParser().add_argument(
            "document_ids", type=list, required=True, nullable=False, location="json"
        )
        args = parser.parse_args()
        dataset_id = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id)
        retry_documents = []
        if not dataset:
            raise NotFound("Dataset not found.")
-        for document_id in args["document_ids"]:
+        for document_id in payload.document_ids:
            try:
                document_id = str(document_id)
@@ -1121,6 +1099,7 @@ class DocumentRenameApi(DocumentResource):
    @login_required
    @account_initialization_required
    @marshal_with(document_fields)
    @console_ns.expect(console_ns.models[DocumentRenamePayload.__name__])
    def post(self, dataset_id, document_id):
        # The role of the current user in the ta table must be admin, owner, editor, or dataset_operator
        current_user, _ = current_account_with_tenant()
@@ -1130,11 +1109,10 @@ class DocumentRenameApi(DocumentResource):
        if not dataset:
            raise NotFound("Dataset not found.")
        DatasetService.check_dataset_operator_permission(current_user, dataset)
-        parser = reqparse.RequestParser().add_argument("name", type=str, required=True, nullable=False, location="json")
+        payload = DocumentRenamePayload.model_validate(console_ns.payload or {})
        args = parser.parse_args()
        try:
-            document = DocumentService.rename_document(dataset_id, document_id, args["name"])
+            document = DocumentService.rename_document(dataset_id, document_id, payload.name)
        except services.errors.document.DocumentIndexingError:
            raise DocumentIndexingError("Cannot delete document during indexing.")
--- a/api/controllers/console/datasets/datasets_segments.py
+++ b/api/controllers/console/datasets/datasets_segments.py
@@ -1,11 +1,13 @@
 import uuid
 from flask import request
-from flask_restx import Resource, marshal, reqparse
+from flask_restx import Resource, marshal
 from pydantic import BaseModel, Field
 from sqlalchemy import select
 from werkzeug.exceptions import Forbidden, NotFound
 import services
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.error import ProviderNotInitializeError
 from controllers.console.datasets.error import (
@@ -36,6 +38,58 @@ from services.errors.chunk import ChildChunkIndexingError as ChildChunkIndexingS
 from tasks.batch_create_segment_to_index_task import batch_create_segment_to_index_task
 class SegmentListQuery(BaseModel):
    limit: int = Field(default=20, ge=1, le=100)
    status: list[str] = Field(default_factory=list)
    hit_count_gte: int | None = None
    enabled: str = Field(default="all")
    keyword: str | None = None
    page: int = Field(default=1, ge=1)
 class SegmentCreatePayload(BaseModel):
    content: str
    answer: str | None = None
    keywords: list[str] | None = None
    attachment_ids: list[str] | None = None
 class SegmentUpdatePayload(BaseModel):
    content: str
    answer: str | None = None
    keywords: list[str] | None = None
    regenerate_child_chunks: bool = False
    attachment_ids: list[str] | None = None
 class BatchImportPayload(BaseModel):
    upload_file_id: str
 class ChildChunkCreatePayload(BaseModel):
    content: str
 class ChildChunkUpdatePayload(BaseModel):
    content: str
 class ChildChunkBatchUpdatePayload(BaseModel):
    chunks: list[ChildChunkUpdateArgs]
 register_schema_models(
    console_ns,
    SegmentListQuery,
    SegmentCreatePayload,
    SegmentUpdatePayload,
    BatchImportPayload,
    ChildChunkCreatePayload,
    ChildChunkUpdatePayload,
    ChildChunkBatchUpdatePayload,
 )
@console_ns.route("/datasets/<uuid:dataset_id>/documents/<uuid:document_id>/segments")
 class DatasetDocumentSegmentListApi(Resource):
    @setup_required
@@ -60,23 +114,18 @@ class DatasetDocumentSegmentListApi(Resource):
        if not document:
            raise NotFound("Document not found.")
-        parser = (
+        args = SegmentListQuery.model_validate(
-            reqparse.RequestParser()
+            {
-            .add_argument("limit", type=int, default=20, location="args")
+                **request.args.to_dict(),
-            .add_argument("status", type=str, action="append", default=[], location="args")
+                "status": request.args.getlist("status"),
-            .add_argument("hit_count_gte", type=int, default=None, location="args")
+            }
            .add_argument("enabled", type=str, default="all", location="args")
            .add_argument("keyword", type=str, default=None, location="args")
            .add_argument("page", type=int, default=1, location="args")
        )
-        args = parser.parse_args()
+        page = args.page
-
+        limit = min(args.limit, 100)
-        page = args["page"]
+        status_list = args.status
-        limit = min(args["limit"], 100)
+        hit_count_gte = args.hit_count_gte
-        status_list = args["status"]
+        keyword = args.keyword
        hit_count_gte = args["hit_count_gte"]
        keyword = args["keyword"]
        query = (
            select(DocumentSegment)
@@ -96,10 +145,10 @@ class DatasetDocumentSegmentListApi(Resource):
        if keyword:
            query = query.where(DocumentSegment.content.ilike(f"%{keyword}%"))
-        if args["enabled"].lower() != "all":
+        if args.enabled.lower() != "all":
-            if args["enabled"].lower() == "true":
+            if args.enabled.lower() == "true":
                query = query.where(DocumentSegment.enabled == True)
-            elif args["enabled"].lower() == "false":
+            elif args.enabled.lower() == "false":
                query = query.where(DocumentSegment.enabled == False)
        segments = db.paginate(select=query, page=page, per_page=limit, max_per_page=100, error_out=False)
@@ -210,6 +259,7 @@ class DatasetDocumentSegmentAddApi(Resource):
    @cloud_edition_billing_resource_check("vector_space")
    @cloud_edition_billing_knowledge_limit_check("add_segment")
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[SegmentCreatePayload.__name__])
    def post(self, dataset_id, document_id):
        current_user, current_tenant_id = current_account_with_tenant()
@@ -246,15 +296,10 @@ class DatasetDocumentSegmentAddApi(Resource):
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
        # validate args
-        parser = (
+        payload = SegmentCreatePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        payload_dict = payload.model_dump(exclude_none=True)
-            .add_argument("content", type=str, required=True, nullable=False, location="json")
+        SegmentService.segment_create_args_validate(payload_dict, document)
-            .add_argument("answer", type=str, required=False, nullable=True, location="json")
+        segment = SegmentService.create_segment(payload_dict, document, dataset)
            .add_argument("keywords", type=list, required=False, nullable=True, location="json")
        )
        args = parser.parse_args()
        SegmentService.segment_create_args_validate(args, document)
        segment = SegmentService.create_segment(args, document, dataset)
        return {"data": marshal(segment, segment_fields), "doc_form": document.doc_form}, 200
@@ -265,6 +310,7 @@ class DatasetDocumentSegmentUpdateApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("vector_space")
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[SegmentUpdatePayload.__name__])
    def patch(self, dataset_id, document_id, segment_id):
        current_user, current_tenant_id = current_account_with_tenant()
@@ -313,18 +359,12 @@ class DatasetDocumentSegmentUpdateApi(Resource):
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
        # validate args
-        parser = (
+        payload = SegmentUpdatePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        payload_dict = payload.model_dump(exclude_none=True)
-            .add_argument("content", type=str, required=True, nullable=False, location="json")
+        SegmentService.segment_create_args_validate(payload_dict, document)
-            .add_argument("answer", type=str, required=False, nullable=True, location="json")
+        segment = SegmentService.update_segment(
-            .add_argument("keywords", type=list, required=False, nullable=True, location="json")
+            SegmentUpdateArgs.model_validate(payload.model_dump(exclude_none=True)), segment, document, dataset
            .add_argument(
                "regenerate_child_chunks", type=bool, required=False, nullable=True, default=False, location="json"
            )
        )
        args = parser.parse_args()
        SegmentService.segment_create_args_validate(args, document)
        segment = SegmentService.update_segment(SegmentUpdateArgs.model_validate(args), segment, document, dataset)
        return {"data": marshal(segment, segment_fields), "doc_form": document.doc_form}, 200
    @setup_required
@@ -377,6 +417,7 @@ class DatasetDocumentSegmentBatchImportApi(Resource):
    @cloud_edition_billing_resource_check("vector_space")
    @cloud_edition_billing_knowledge_limit_check("add_segment")
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[BatchImportPayload.__name__])
    def post(self, dataset_id, document_id):
        current_user, current_tenant_id = current_account_with_tenant()
@@ -391,11 +432,8 @@ class DatasetDocumentSegmentBatchImportApi(Resource):
        if not document:
            raise NotFound("Document not found.")
-        parser = reqparse.RequestParser().add_argument(
+        payload = BatchImportPayload.model_validate(console_ns.payload or {})
-            "upload_file_id", type=str, required=True, nullable=False, location="json"
+        upload_file_id = payload.upload_file_id
        )
        args = parser.parse_args()
        upload_file_id = args["upload_file_id"]
        upload_file = db.session.query(UploadFile).where(UploadFile.id == upload_file_id).first()
        if not upload_file:
@@ -446,6 +484,7 @@ class ChildChunkAddApi(Resource):
    @cloud_edition_billing_resource_check("vector_space")
    @cloud_edition_billing_knowledge_limit_check("add_segment")
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[ChildChunkCreatePayload.__name__])
    def post(self, dataset_id, document_id, segment_id):
        current_user, current_tenant_id = current_account_with_tenant()
@@ -491,13 +530,9 @@ class ChildChunkAddApi(Resource):
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
        # validate args
        parser = reqparse.RequestParser().add_argument(
            "content", type=str, required=True, nullable=False, location="json"
        )
        args = parser.parse_args()
        try:
-            content = args["content"]
+            payload = ChildChunkCreatePayload.model_validate(console_ns.payload or {})
-            child_chunk = SegmentService.create_child_chunk(content, segment, document, dataset)
+            child_chunk = SegmentService.create_child_chunk(payload.content, segment, document, dataset)
        except ChildChunkIndexingServiceError as e:
            raise ChildChunkIndexingError(str(e))
        return {"data": marshal(child_chunk, child_chunk_fields)}, 200
@@ -529,18 +564,17 @@ class ChildChunkAddApi(Resource):
        )
        if not segment:
            raise NotFound("Segment not found.")
-        parser = (
+        args = SegmentListQuery.model_validate(
-            reqparse.RequestParser()
+            {
-            .add_argument("limit", type=int, default=20, location="args")
+                "limit": request.args.get("limit", default=20, type=int),
-            .add_argument("keyword", type=str, default=None, location="args")
+                "keyword": request.args.get("keyword"),
-            .add_argument("page", type=int, default=1, location="args")
+                "page": request.args.get("page", default=1, type=int),
            }
        )
-        args = parser.parse_args()
+        page = args.page
-
+        limit = min(args.limit, 100)
-        page = args["page"]
+        keyword = args.keyword
        limit = min(args["limit"], 100)
        keyword = args["keyword"]
        child_chunks = SegmentService.get_child_chunks(segment_id, document_id, dataset_id, page, limit, keyword)
        return {
@@ -588,14 +622,9 @@ class ChildChunkAddApi(Resource):
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
        # validate args
-        parser = reqparse.RequestParser().add_argument(
+        payload = ChildChunkBatchUpdatePayload.model_validate(console_ns.payload or {})
            "chunks", type=list, required=True, nullable=False, location="json"
        )
        args = parser.parse_args()
        try:
-            chunks_data = args["chunks"]
+            child_chunks = SegmentService.update_child_chunks(payload.chunks, segment, document, dataset)
            chunks = [ChildChunkUpdateArgs.model_validate(chunk) for chunk in chunks_data]
            child_chunks = SegmentService.update_child_chunks(chunks, segment, document, dataset)
        except ChildChunkIndexingServiceError as e:
            raise ChildChunkIndexingError(str(e))
        return {"data": marshal(child_chunks, child_chunk_fields)}, 200
@@ -665,6 +694,7 @@ class ChildChunkUpdateApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check("vector_space")
    @cloud_edition_billing_rate_limit_check("knowledge")
    @console_ns.expect(console_ns.models[ChildChunkUpdatePayload.__name__])
    def patch(self, dataset_id, document_id, segment_id, child_chunk_id):
        current_user, current_tenant_id = current_account_with_tenant()
@@ -711,13 +741,9 @@ class ChildChunkUpdateApi(Resource):
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
        # validate args
        parser = reqparse.RequestParser().add_argument(
            "content", type=str, required=True, nullable=False, location="json"
        )
        args = parser.parse_args()
        try:
-            content = args["content"]
+            payload = ChildChunkUpdatePayload.model_validate(console_ns.payload or {})
-            child_chunk = SegmentService.update_child_chunk(content, child_chunk, segment, document, dataset)
+            child_chunk = SegmentService.update_child_chunk(payload.content, child_chunk, segment, document, dataset)
        except ChildChunkIndexingServiceError as e:
            raise ChildChunkIndexingError(str(e))
        return {"data": marshal(child_chunk, child_chunk_fields)}, 200
--- a/api/controllers/console/datasets/external.py
+++ b/api/controllers/console/datasets/external.py
@@ -1,8 +1,10 @@
 from flask import request
-from flask_restx import Resource, fields, marshal, reqparse
+from flask_restx import Resource, fields, marshal
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import Forbidden, InternalServerError, NotFound
 import services
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.datasets.error import DatasetNameDuplicateError
 from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
@@ -71,10 +73,38 @@ except KeyError:
    dataset_detail_model = _build_dataset_detail_model()
-def _validate_name(name: str) -> str:
+class ExternalKnowledgeApiPayload(BaseModel):
-    if not name or len(name) < 1 or len(name) > 100:
+    name: str = Field(..., min_length=1, max_length=40)
-        raise ValueError("Name must be between 1 to 100 characters.")
+    settings: dict[str, object]
-    return name
+
 class ExternalDatasetCreatePayload(BaseModel):
    external_knowledge_api_id: str
    external_knowledge_id: str
    name: str = Field(..., min_length=1, max_length=40)
    description: str | None = Field(None, max_length=400)
    external_retrieval_model: dict[str, object] | None = None
 class ExternalHitTestingPayload(BaseModel):
    query: str
    external_retrieval_model: dict[str, object] | None = None
    metadata_filtering_conditions: dict[str, object] | None = None
 class BedrockRetrievalPayload(BaseModel):
    retrieval_setting: dict[str, object]
    query: str
    knowledge_id: str
 register_schema_models(
    console_ns,
    ExternalKnowledgeApiPayload,
    ExternalDatasetCreatePayload,
    ExternalHitTestingPayload,
    BedrockRetrievalPayload,
 )
@console_ns.route("/datasets/external-knowledge-api")
@@ -113,28 +143,12 @@ class ExternalApiTemplateListApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
    @console_ns.expect(console_ns.models[ExternalKnowledgeApiPayload.__name__])
    def post(self):
        current_user, current_tenant_id = current_account_with_tenant()
-        parser = (
+        payload = ExternalKnowledgeApiPayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument(
                "name",
                nullable=False,
                required=True,
                help="Name is required. Name must be between 1 to 100 characters.",
                type=_validate_name,
            )
            .add_argument(
                "settings",
                type=dict,
                location="json",
                nullable=False,
                required=True,
            )
        )
        args = parser.parse_args()
-        ExternalDatasetService.validate_api_list(args["settings"])
+        ExternalDatasetService.validate_api_list(payload.settings)
        # The role of the current user in the ta table must be admin, owner, or editor, or dataset_operator
        if not current_user.is_dataset_editor:
@@ -142,7 +156,7 @@ class ExternalApiTemplateListApi(Resource):
        try:
            external_knowledge_api = ExternalDatasetService.create_external_knowledge_api(
-                tenant_id=current_tenant_id, user_id=current_user.id, args=args
+                tenant_id=current_tenant_id, user_id=current_user.id, args=payload.model_dump()
            )
        except services.errors.dataset.DatasetNameDuplicateError:
            raise DatasetNameDuplicateError()
@@ -171,35 +185,19 @@ class ExternalApiTemplateApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
    @console_ns.expect(console_ns.models[ExternalKnowledgeApiPayload.__name__])
    def patch(self, external_knowledge_api_id):
        current_user, current_tenant_id = current_account_with_tenant()
        external_knowledge_api_id = str(external_knowledge_api_id)
-        parser = (
+        payload = ExternalKnowledgeApiPayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        ExternalDatasetService.validate_api_list(payload.settings)
            .add_argument(
                "name",
                nullable=False,
                required=True,
                help="type is required. Name must be between 1 to 100 characters.",
                type=_validate_name,
            )
            .add_argument(
                "settings",
                type=dict,
                location="json",
                nullable=False,
                required=True,
            )
        )
        args = parser.parse_args()
        ExternalDatasetService.validate_api_list(args["settings"])
        external_knowledge_api = ExternalDatasetService.update_external_knowledge_api(
            tenant_id=current_tenant_id,
            user_id=current_user.id,
            external_knowledge_api_id=external_knowledge_api_id,
-            args=args,
+            args=payload.model_dump(),
        )
        return external_knowledge_api.to_dict(), 200
@@ -240,17 +238,7 @@ class ExternalApiUseCheckApi(Resource):
 class ExternalDatasetCreateApi(Resource):
    @console_ns.doc("create_external_dataset")
    @console_ns.doc(description="Create external knowledge dataset")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[ExternalDatasetCreatePayload.__name__])
        console_ns.model(
            "CreateExternalDatasetRequest",
            {
                "external_knowledge_api_id": fields.String(required=True, description="External knowledge API ID"),
                "external_knowledge_id": fields.String(required=True, description="External knowledge ID"),
                "name": fields.String(required=True, description="Dataset name"),
                "description": fields.String(description="Dataset description"),
            },
        )
    )
    @console_ns.response(201, "External dataset created successfully", dataset_detail_model)
    @console_ns.response(400, "Invalid parameters")
    @console_ns.response(403, "Permission denied")
@@ -261,22 +249,8 @@ class ExternalDatasetCreateApi(Resource):
    def post(self):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, current_tenant_id = current_account_with_tenant()
-        parser = (
+        payload = ExternalDatasetCreatePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        args = payload.model_dump(exclude_none=True)
            .add_argument("external_knowledge_api_id", type=str, required=True, nullable=False, location="json")
            .add_argument("external_knowledge_id", type=str, required=True, nullable=False, location="json")
            .add_argument(
                "name",
                nullable=False,
                required=True,
                help="name is required. Name must be between 1 to 100 characters.",
                type=_validate_name,
            )
            .add_argument("description", type=str, required=False, nullable=True, location="json")
            .add_argument("external_retrieval_model", type=dict, required=False, location="json")
        )
        args = parser.parse_args()
        # The role of the current user in the ta table must be admin, owner, or editor, or dataset_operator
        if not current_user.is_dataset_editor:
@@ -299,16 +273,7 @@ class ExternalKnowledgeHitTestingApi(Resource):
    @console_ns.doc("test_external_knowledge_retrieval")
    @console_ns.doc(description="Test external knowledge retrieval for dataset")
    @console_ns.doc(params={"dataset_id": "Dataset ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[ExternalHitTestingPayload.__name__])
        console_ns.model(
            "ExternalHitTestingRequest",
            {
                "query": fields.String(required=True, description="Query text for testing"),
                "retrieval_model": fields.Raw(description="Retrieval model configuration"),
                "external_retrieval_model": fields.Raw(description="External retrieval model configuration"),
            },
        )
    )
    @console_ns.response(200, "External hit testing completed successfully")
    @console_ns.response(404, "Dataset not found")
    @console_ns.response(400, "Invalid parameters")
@@ -327,23 +292,16 @@ class ExternalKnowledgeHitTestingApi(Resource):
        except services.errors.account.NoPermissionError as e:
            raise Forbidden(str(e))
-        parser = (
+        payload = ExternalHitTestingPayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        HitTestingService.hit_testing_args_check(payload.model_dump())
            .add_argument("query", type=str, location="json")
            .add_argument("external_retrieval_model", type=dict, required=False, location="json")
            .add_argument("metadata_filtering_conditions", type=dict, required=False, location="json")
        )
        args = parser.parse_args()
        HitTestingService.hit_testing_args_check(args)
        try:
            response = HitTestingService.external_retrieve(
                dataset=dataset,
-                query=args["query"],
+                query=payload.query,
                account=current_user,
-                external_retrieval_model=args["external_retrieval_model"],
+                external_retrieval_model=payload.external_retrieval_model,
-                metadata_filtering_conditions=args["metadata_filtering_conditions"],
+                metadata_filtering_conditions=payload.metadata_filtering_conditions,
            )
            return response
@@ -356,33 +314,13 @@ class BedrockRetrievalApi(Resource):
    # this api is only for internal testing
    @console_ns.doc("bedrock_retrieval_test")
    @console_ns.doc(description="Bedrock retrieval test (internal use only)")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[BedrockRetrievalPayload.__name__])
        console_ns.model(
            "BedrockRetrievalTestRequest",
            {
                "retrieval_setting": fields.Raw(required=True, description="Retrieval settings"),
                "query": fields.String(required=True, description="Query text"),
                "knowledge_id": fields.String(required=True, description="Knowledge ID"),
            },
        )
    )
    @console_ns.response(200, "Bedrock retrieval test completed")
    def post(self):
-        parser = (
+        payload = BedrockRetrievalPayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument("retrieval_setting", nullable=False, required=True, type=dict, location="json")
            .add_argument(
                "query",
                nullable=False,
                required=True,
                type=str,
            )
            .add_argument("knowledge_id", nullable=False, required=True, type=str)
        )
        args = parser.parse_args()
        # Call the knowledge retrieval service
        result = ExternalDatasetTestService.knowledge_retrieval(
-            args["retrieval_setting"], args["query"], args["knowledge_id"]
+            payload.retrieval_setting, payload.query, payload.knowledge_id
        )
        return result, 200
--- a/api/controllers/console/datasets/hit_testing.py
+++ b/api/controllers/console/datasets/hit_testing.py
@@ -1,13 +1,17 @@
-from flask_restx import Resource, fields
+from flask_restx import Resource
-from controllers.console import console_ns
+from controllers.common.schema import register_schema_model
-from controllers.console.datasets.hit_testing_base import DatasetsHitTestingBase
+from libs.login import login_required
-from controllers.console.wraps import (
+
 from .. import console_ns
 from ..datasets.hit_testing_base import DatasetsHitTestingBase, HitTestingPayload
 from ..wraps import (
    account_initialization_required,
    cloud_edition_billing_rate_limit_check,
    setup_required,
 )
-from libs.login import login_required
+
 register_schema_model(console_ns, HitTestingPayload)
@console_ns.route("/datasets/<uuid:dataset_id>/hit-testing")
@@ -15,17 +19,7 @@ class HitTestingApi(Resource, DatasetsHitTestingBase):
    @console_ns.doc("test_dataset_retrieval")
    @console_ns.doc(description="Test dataset knowledge retrieval")
    @console_ns.doc(params={"dataset_id": "Dataset ID"})
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[HitTestingPayload.__name__])
        console_ns.model(
            "HitTestingRequest",
            {
                "query": fields.String(required=True, description="Query text for testing"),
                "retrieval_model": fields.Raw(description="Retrieval model configuration"),
                "top_k": fields.Integer(description="Number of top results to return"),
                "score_threshold": fields.Float(description="Score threshold for filtering results"),
            },
        )
    )
    @console_ns.response(200, "Hit testing completed successfully")
    @console_ns.response(404, "Dataset not found")
    @console_ns.response(400, "Invalid parameters")
@@ -37,7 +31,8 @@ class HitTestingApi(Resource, DatasetsHitTestingBase):
        dataset_id_str = str(dataset_id)
        dataset = self.get_and_validate_dataset(dataset_id_str)
-        args = self.parse_args()
+        payload = HitTestingPayload.model_validate(console_ns.payload or {})
        args = payload.model_dump(exclude_none=True)
        self.hit_testing_args_check(args)
        return self.perform_hit_testing(dataset, args)
--- a/api/controllers/console/datasets/hit_testing_base.py
+++ b/api/controllers/console/datasets/hit_testing_base.py
@@ -1,6 +1,8 @@
 import logging
 from typing import Any
 from flask_restx import marshal, reqparse
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import Forbidden, InternalServerError, NotFound
 import services
@@ -27,6 +29,13 @@ from services.hit_testing_service import HitTestingService
 logger = logging.getLogger(__name__)
 class HitTestingPayload(BaseModel):
    query: str = Field(max_length=250)
    retrieval_model: dict[str, Any] | None = None
    external_retrieval_model: dict[str, Any] | None = None
    attachment_ids: list[str] | None = None
 class DatasetsHitTestingBase:
    @staticmethod
    def get_and_validate_dataset(dataset_id: str):
@@ -43,14 +52,15 @@ class DatasetsHitTestingBase:
        return dataset
    @staticmethod
-    def hit_testing_args_check(args):
+    def hit_testing_args_check(args: dict[str, Any]):
        HitTestingService.hit_testing_args_check(args)
    @staticmethod
    def parse_args():
        parser = (
            reqparse.RequestParser()
-            .add_argument("query", type=str, location="json")
+            .add_argument("query", type=str, required=False, location="json")
            .add_argument("attachment_ids", type=list, required=False, location="json")
            .add_argument("retrieval_model", type=dict, required=False, location="json")
            .add_argument("external_retrieval_model", type=dict, required=False, location="json")
        )
@@ -62,10 +72,11 @@ class DatasetsHitTestingBase:
        try:
            response = HitTestingService.retrieve(
                dataset=dataset,
-                query=args["query"],
+                query=args.get("query"),
                account=current_user,
-                retrieval_model=args["retrieval_model"],
+                retrieval_model=args.get("retrieval_model"),
-                external_retrieval_model=args["external_retrieval_model"],
+                external_retrieval_model=args.get("external_retrieval_model"),
                attachment_ids=args.get("attachment_ids"),
                limit=10,
            )
            return {"query": response["query"], "records": marshal(response["records"], hit_testing_record_fields)}
--- a/api/controllers/console/datasets/metadata.py
+++ b/api/controllers/console/datasets/metadata.py
@@ -1,8 +1,10 @@
 from typing import Literal
-from flask_restx import Resource, marshal_with, reqparse
+from flask_restx import Resource, marshal_with
 from pydantic import BaseModel
 from werkzeug.exceptions import NotFound
 from controllers.common.schema import register_schema_model, register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import account_initialization_required, enterprise_license_required, setup_required
 from fields.dataset_fields import dataset_metadata_fields
@@ -15,6 +17,14 @@ from services.entities.knowledge_entities.knowledge_entities import (
 from services.metadata_service import MetadataService
 class MetadataUpdatePayload(BaseModel):
    name: str
 register_schema_models(console_ns, MetadataArgs, MetadataOperationData)
 register_schema_model(console_ns, MetadataUpdatePayload)
@console_ns.route("/datasets/<uuid:dataset_id>/metadata")
 class DatasetMetadataCreateApi(Resource):
    @setup_required
@@ -22,15 +32,10 @@ class DatasetMetadataCreateApi(Resource):
    @account_initialization_required
    @enterprise_license_required
    @marshal_with(dataset_metadata_fields)
    @console_ns.expect(console_ns.models[MetadataArgs.__name__])
    def post(self, dataset_id):
        current_user, _ = current_account_with_tenant()
-        parser = (
+        metadata_args = MetadataArgs.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument("type", type=str, required=True, nullable=False, location="json")
            .add_argument("name", type=str, required=True, nullable=False, location="json")
        )
        args = parser.parse_args()
        metadata_args = MetadataArgs.model_validate(args)
        dataset_id_str = str(dataset_id)
        dataset = DatasetService.get_dataset(dataset_id_str)
@@ -60,11 +65,11 @@ class DatasetMetadataApi(Resource):
    @account_initialization_required
    @enterprise_license_required
    @marshal_with(dataset_metadata_fields)
    @console_ns.expect(console_ns.models[MetadataUpdatePayload.__name__])
    def patch(self, dataset_id, metadata_id):
        current_user, _ = current_account_with_tenant()
-        parser = reqparse.RequestParser().add_argument("name", type=str, required=True, nullable=False, location="json")
+        payload = MetadataUpdatePayload.model_validate(console_ns.payload or {})
-        args = parser.parse_args()
+        name = payload.name
        name = args["name"]
        dataset_id_str = str(dataset_id)
        metadata_id_str = str(metadata_id)
@@ -131,6 +136,7 @@ class DocumentMetadataEditApi(Resource):
    @login_required
    @account_initialization_required
    @enterprise_license_required
    @console_ns.expect(console_ns.models[MetadataOperationData.__name__])
    def post(self, dataset_id):
        current_user, _ = current_account_with_tenant()
        dataset_id_str = str(dataset_id)
@@ -139,11 +145,7 @@ class DocumentMetadataEditApi(Resource):
            raise NotFound("Dataset not found.")
        DatasetService.check_dataset_permission(dataset, current_user)
-        parser = reqparse.RequestParser().add_argument(
+        metadata_args = MetadataOperationData.model_validate(console_ns.payload or {})
            "operation_data", type=list, required=True, nullable=False, location="json"
        )
        args = parser.parse_args()
        metadata_args = MetadataOperationData.model_validate(args)
        MetadataService.update_documents_metadata(dataset, metadata_args)
--- a/api/controllers/console/datasets/rag_pipeline/datasource_auth.py
+++ b/api/controllers/console/datasets/rag_pipeline/datasource_auth.py
@@ -1,20 +1,63 @@
 from typing import Any
 from flask import make_response, redirect, request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import Forbidden, NotFound
 from configs import dify_config
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
 from core.model_runtime.errors.validate import CredentialsValidateFailedError
 from core.model_runtime.utils.encoders import jsonable_encoder
 from core.plugin.impl.oauth import OAuthHandler
 from libs.helper import StrLen
 from libs.login import current_account_with_tenant, login_required
 from models.provider_ids import DatasourceProviderID
 from services.datasource_provider_service import DatasourceProviderService
 from services.plugin.oauth_service import OAuthProxyService
 class DatasourceCredentialPayload(BaseModel):
    name: str | None = Field(default=None, max_length=100)
    credentials: dict[str, Any]
 class DatasourceCredentialDeletePayload(BaseModel):
    credential_id: str
 class DatasourceCredentialUpdatePayload(BaseModel):
    credential_id: str
    name: str | None = Field(default=None, max_length=100)
    credentials: dict[str, Any] | None = None
 class DatasourceCustomClientPayload(BaseModel):
    client_params: dict[str, Any] | None = None
    enable_oauth_custom_client: bool | None = None
 class DatasourceDefaultPayload(BaseModel):
    id: str
 class DatasourceUpdateNamePayload(BaseModel):
    credential_id: str
    name: str = Field(max_length=100)
 register_schema_models(
    console_ns,
    DatasourceCredentialPayload,
    DatasourceCredentialDeletePayload,
    DatasourceCredentialUpdatePayload,
    DatasourceCustomClientPayload,
    DatasourceDefaultPayload,
    DatasourceUpdateNamePayload,
 )
@console_ns.route("/oauth/plugin/<path:provider_id>/datasource/get-authorization-url")
 class DatasourcePluginOAuthAuthorizationUrl(Resource):
    @setup_required
@@ -121,16 +164,9 @@ class DatasourceOAuthCallback(Resource):
        return redirect(f"{dify_config.CONSOLE_WEB_URL}/oauth-callback")
 parser_datasource = (
    reqparse.RequestParser()
    .add_argument("name", type=StrLen(max_length=100), required=False, nullable=True, location="json", default=None)
    .add_argument("credentials", type=dict, required=True, nullable=False, location="json")
 )
@console_ns.route("/auth/plugin/datasource/<path:provider_id>")
 class DatasourceAuth(Resource):
-    @console_ns.expect(parser_datasource)
+    @console_ns.expect(console_ns.models[DatasourceCredentialPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -138,7 +174,7 @@ class DatasourceAuth(Resource):
    def post(self, provider_id: str):
        _, current_tenant_id = current_account_with_tenant()
-        args = parser_datasource.parse_args()
+        payload = DatasourceCredentialPayload.model_validate(console_ns.payload or {})
        datasource_provider_id = DatasourceProviderID(provider_id)
        datasource_provider_service = DatasourceProviderService()
@@ -146,8 +182,8 @@ class DatasourceAuth(Resource):
            datasource_provider_service.add_datasource_api_key_provider(
                tenant_id=current_tenant_id,
                provider_id=datasource_provider_id,
-                credentials=args["credentials"],
+                credentials=payload.credentials,
-                name=args["name"],
+                name=payload.name,
            )
        except CredentialsValidateFailedError as ex:
            raise ValueError(str(ex))
@@ -169,14 +205,9 @@ class DatasourceAuth(Resource):
        return {"result": datasources}, 200
 parser_datasource_delete = reqparse.RequestParser().add_argument(
    "credential_id", type=str, required=True, nullable=False, location="json"
 )
@console_ns.route("/auth/plugin/datasource/<path:provider_id>/delete")
 class DatasourceAuthDeleteApi(Resource):
-    @console_ns.expect(parser_datasource_delete)
+    @console_ns.expect(console_ns.models[DatasourceCredentialDeletePayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -188,28 +219,20 @@ class DatasourceAuthDeleteApi(Resource):
        plugin_id = datasource_provider_id.plugin_id
        provider_name = datasource_provider_id.provider_name
-        args = parser_datasource_delete.parse_args()
+        payload = DatasourceCredentialDeletePayload.model_validate(console_ns.payload or {})
        datasource_provider_service = DatasourceProviderService()
        datasource_provider_service.remove_datasource_credentials(
            tenant_id=current_tenant_id,
-            auth_id=args["credential_id"],
+            auth_id=payload.credential_id,
            provider=provider_name,
            plugin_id=plugin_id,
        )
        return {"result": "success"}, 200
 parser_datasource_update = (
    reqparse.RequestParser()
    .add_argument("credentials", type=dict, required=False, nullable=True, location="json")
    .add_argument("name", type=StrLen(max_length=100), required=False, nullable=True, location="json")
    .add_argument("credential_id", type=str, required=True, nullable=False, location="json")
 )
@console_ns.route("/auth/plugin/datasource/<path:provider_id>/update")
 class DatasourceAuthUpdateApi(Resource):
-    @console_ns.expect(parser_datasource_update)
+    @console_ns.expect(console_ns.models[DatasourceCredentialUpdatePayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -218,16 +241,16 @@ class DatasourceAuthUpdateApi(Resource):
        _, current_tenant_id = current_account_with_tenant()
        datasource_provider_id = DatasourceProviderID(provider_id)
-        args = parser_datasource_update.parse_args()
+        payload = DatasourceCredentialUpdatePayload.model_validate(console_ns.payload or {})
        datasource_provider_service = DatasourceProviderService()
        datasource_provider_service.update_datasource_credentials(
            tenant_id=current_tenant_id,
-            auth_id=args["credential_id"],
+            auth_id=payload.credential_id,
            provider=datasource_provider_id.provider_name,
            plugin_id=datasource_provider_id.plugin_id,
-            credentials=args.get("credentials", {}),
+            credentials=payload.credentials or {},
-            name=args.get("name", None),
+            name=payload.name,
        )
        return {"result": "success"}, 201
@@ -258,16 +281,9 @@ class DatasourceHardCodeAuthListApi(Resource):
        return {"result": jsonable_encoder(datasources)}, 200
 parser_datasource_custom = (
    reqparse.RequestParser()
    .add_argument("client_params", type=dict, required=False, nullable=True, location="json")
    .add_argument("enable_oauth_custom_client", type=bool, required=False, nullable=True, location="json")
 )
@console_ns.route("/auth/plugin/datasource/<path:provider_id>/custom-client")
 class DatasourceAuthOauthCustomClient(Resource):
-    @console_ns.expect(parser_datasource_custom)
+    @console_ns.expect(console_ns.models[DatasourceCustomClientPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -275,14 +291,14 @@ class DatasourceAuthOauthCustomClient(Resource):
    def post(self, provider_id: str):
        _, current_tenant_id = current_account_with_tenant()
-        args = parser_datasource_custom.parse_args()
+        payload = DatasourceCustomClientPayload.model_validate(console_ns.payload or {})
        datasource_provider_id = DatasourceProviderID(provider_id)
        datasource_provider_service = DatasourceProviderService()
        datasource_provider_service.setup_oauth_custom_client_params(
            tenant_id=current_tenant_id,
            datasource_provider_id=datasource_provider_id,
-            client_params=args.get("client_params", {}),
+            client_params=payload.client_params or {},
-            enabled=args.get("enable_oauth_custom_client", False),
+            enabled=payload.enable_oauth_custom_client or False,
        )
        return {"result": "success"}, 200
@@ -301,12 +317,9 @@ class DatasourceAuthOauthCustomClient(Resource):
        return {"result": "success"}, 200
 parser_default = reqparse.RequestParser().add_argument("id", type=str, required=True, nullable=False, location="json")
@console_ns.route("/auth/plugin/datasource/<path:provider_id>/default")
 class DatasourceAuthDefaultApi(Resource):
-    @console_ns.expect(parser_default)
+    @console_ns.expect(console_ns.models[DatasourceDefaultPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -314,27 +327,20 @@ class DatasourceAuthDefaultApi(Resource):
    def post(self, provider_id: str):
        _, current_tenant_id = current_account_with_tenant()
-        args = parser_default.parse_args()
+        payload = DatasourceDefaultPayload.model_validate(console_ns.payload or {})
        datasource_provider_id = DatasourceProviderID(provider_id)
        datasource_provider_service = DatasourceProviderService()
        datasource_provider_service.set_default_datasource_provider(
            tenant_id=current_tenant_id,
            datasource_provider_id=datasource_provider_id,
-            credential_id=args["id"],
+            credential_id=payload.id,
        )
        return {"result": "success"}, 200
 parser_update_name = (
    reqparse.RequestParser()
    .add_argument("name", type=StrLen(max_length=100), required=True, nullable=False, location="json")
    .add_argument("credential_id", type=str, required=True, nullable=False, location="json")
 )
@console_ns.route("/auth/plugin/datasource/<path:provider_id>/update-name")
 class DatasourceUpdateProviderNameApi(Resource):
-    @console_ns.expect(parser_update_name)
+    @console_ns.expect(console_ns.models[DatasourceUpdateNamePayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -342,13 +348,13 @@ class DatasourceUpdateProviderNameApi(Resource):
    def post(self, provider_id: str):
        _, current_tenant_id = current_account_with_tenant()
-        args = parser_update_name.parse_args()
+        payload = DatasourceUpdateNamePayload.model_validate(console_ns.payload or {})
        datasource_provider_id = DatasourceProviderID(provider_id)
        datasource_provider_service = DatasourceProviderService()
        datasource_provider_service.update_datasource_provider_name(
            tenant_id=current_tenant_id,
            datasource_provider_id=datasource_provider_id,
-            name=args["name"],
+            name=payload.name,
-            credential_id=args["credential_id"],
+            credential_id=payload.credential_id,
        )
        return {"result": "success"}, 200
--- a/api/controllers/console/datasets/rag_pipeline/datasource_content_preview.py
+++ b/api/controllers/console/datasets/rag_pipeline/datasource_content_preview.py
@@ -26,7 +26,7 @@ console_ns.schema_model(Parser.__name__, Parser.model_json_schema(ref_template=D
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/published/datasource/nodes/<string:node_id>/preview")
 class DataSourceContentPreviewApi(Resource):
-    @console_ns.expect(console_ns.models[Parser.__name__], validate=True)
+    @console_ns.expect(console_ns.models[Parser.__name__])
    @setup_required
    @login_required
    @account_initialization_required
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline.py
@@ -1,9 +1,11 @@
 import logging
 from flask import request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.wraps import (
    account_initialization_required,
@@ -20,18 +22,6 @@ from services.rag_pipeline.rag_pipeline import RagPipelineService
 logger = logging.getLogger(__name__)
 def _validate_name(name: str) -> str:
    if not name or len(name) < 1 or len(name) > 40:
        raise ValueError("Name must be between 1 to 40 characters.")
    return name
 def _validate_description_length(description: str) -> str:
    if len(description) > 400:
        raise ValueError("Description cannot exceed 400 characters.")
    return description
@console_ns.route("/rag/pipeline/templates")
 class PipelineTemplateListApi(Resource):
    @setup_required
@@ -59,6 +49,15 @@ class PipelineTemplateDetailApi(Resource):
        return pipeline_template, 200
 class Payload(BaseModel):
    name: str = Field(..., min_length=1, max_length=40)
    description: str = Field(default="", max_length=400)
    icon_info: dict[str, object] | None = None
 register_schema_models(console_ns, Payload)
@console_ns.route("/rag/pipeline/customized/templates/<string:template_id>")
 class CustomizedPipelineTemplateApi(Resource):
    @setup_required
@@ -66,31 +65,8 @@ class CustomizedPipelineTemplateApi(Resource):
    @account_initialization_required
    @enterprise_license_required
    def patch(self, template_id: str):
-        parser = (
+        payload = Payload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        pipeline_template_info = PipelineTemplateInfoEntity.model_validate(payload.model_dump())
            .add_argument(
                "name",
                nullable=False,
                required=True,
                help="Name must be between 1 to 40 characters.",
                type=_validate_name,
            )
            .add_argument(
                "description",
                type=_validate_description_length,
                nullable=True,
                required=False,
                default="",
            )
            .add_argument(
                "icon_info",
                type=dict,
                location="json",
                nullable=True,
            )
        )
        args = parser.parse_args()
        pipeline_template_info = PipelineTemplateInfoEntity.model_validate(args)
        RagPipelineService.update_customized_pipeline_template(template_id, pipeline_template_info)
        return 200
@@ -119,36 +95,14 @@ class CustomizedPipelineTemplateApi(Resource):
@console_ns.route("/rag/pipelines/<string:pipeline_id>/customized/publish")
 class PublishCustomizedPipelineTemplateApi(Resource):
    @console_ns.expect(console_ns.models[Payload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
    @enterprise_license_required
    @knowledge_pipeline_publish_enabled
    def post(self, pipeline_id: str):
-        parser = (
+        payload = Payload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument(
                "name",
                nullable=False,
                required=True,
                help="Name must be between 1 to 40 characters.",
                type=_validate_name,
            )
            .add_argument(
                "description",
                type=_validate_description_length,
                nullable=True,
                required=False,
                default="",
            )
            .add_argument(
                "icon_info",
                type=dict,
                location="json",
                nullable=True,
            )
        )
        args = parser.parse_args()
        rag_pipeline_service = RagPipelineService()
-        rag_pipeline_service.publish_customized_pipeline_template(pipeline_id, args)
+        rag_pipeline_service.publish_customized_pipeline_template(pipeline_id, payload.model_dump())
        return {"result": "success"}
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_datasets.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_datasets.py
@@ -1,8 +1,10 @@
-from flask_restx import Resource, marshal, reqparse
+from flask_restx import Resource, marshal
 from pydantic import BaseModel
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import Forbidden
 import services
 from controllers.common.schema import register_schema_model
 from controllers.console import console_ns
 from controllers.console.datasets.error import DatasetNameDuplicateError
 from controllers.console.wraps import (
@@ -19,22 +21,22 @@ from services.entities.knowledge_entities.rag_pipeline_entities import IconInfo,
 from services.rag_pipeline.rag_pipeline_dsl_service import RagPipelineDslService
 class RagPipelineDatasetImportPayload(BaseModel):
    yaml_content: str
 register_schema_model(console_ns, RagPipelineDatasetImportPayload)
@console_ns.route("/rag/pipeline/dataset")
 class CreateRagPipelineDatasetApi(Resource):
    @console_ns.expect(console_ns.models[RagPipelineDatasetImportPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
    @cloud_edition_billing_rate_limit_check("knowledge")
    def post(self):
-        parser = reqparse.RequestParser().add_argument(
+        payload = RagPipelineDatasetImportPayload.model_validate(console_ns.payload or {})
            "yaml_content",
            type=str,
            nullable=False,
            required=True,
            help="yaml_content is required.",
        )
        args = parser.parse_args()
        current_user, current_tenant_id = current_account_with_tenant()
        # The role of the current user in the ta table must be admin, owner, or editor, or dataset_operator
        if not current_user.is_dataset_editor:
@@ -49,7 +51,7 @@ class CreateRagPipelineDatasetApi(Resource):
            ),
            permission=DatasetPermissionEnum.ONLY_ME,
            partial_member_list=None,
-            yaml_content=args["yaml_content"],
+            yaml_content=payload.yaml_content,
        )
        try:
            with Session(db.engine) as session:
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_draft_variable.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_draft_variable.py
@@ -1,11 +1,13 @@
 import logging
-from typing import NoReturn
+from typing import Any, NoReturn
-from flask import Response
+from flask import Response, request
-from flask_restx import Resource, fields, inputs, marshal, marshal_with, reqparse
+from flask_restx import Resource, fields, marshal, marshal_with
 from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import Forbidden
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.error import (
    DraftWorkflowNotExist,
@@ -33,19 +35,21 @@ logger = logging.getLogger(__name__)
 def _create_pagination_parser():
-    parser = (
+    class PaginationQuery(BaseModel):
-        reqparse.RequestParser()
+        page: int = Field(default=1, ge=1, le=100_000)
-        .add_argument(
+        limit: int = Field(default=20, ge=1, le=100)
-            "page",
+
-            type=inputs.int_range(1, 100_000),
+    register_schema_models(console_ns, PaginationQuery)
-            required=False,
+
-            default=1,
+    return PaginationQuery
-            location="args",
+
-            help="the page of data requested",
+
-        )
+class WorkflowDraftVariablePatchPayload(BaseModel):
-        .add_argument("limit", type=inputs.int_range(1, 100), required=False, default=20, location="args")
+    name: str | None = None
-    )
+    value: Any | None = None
-    return parser
+
 register_schema_models(console_ns, WorkflowDraftVariablePatchPayload)
 def _get_items(var_list: WorkflowDraftVariableList) -> list[WorkflowDraftVariable]:
@@ -93,8 +97,8 @@ class RagPipelineVariableCollectionApi(Resource):
        """
        Get draft workflow
        """
-        parser = _create_pagination_parser()
+        pagination = _create_pagination_parser()
-        args = parser.parse_args()
+        query = pagination.model_validate(request.args.to_dict())
        # fetch draft workflow by app_model
        rag_pipeline_service = RagPipelineService()
@@ -109,8 +113,8 @@ class RagPipelineVariableCollectionApi(Resource):
            )
        workflow_vars = draft_var_srv.list_variables_without_values(
            app_id=pipeline.id,
-            page=args.page,
+            page=query.page,
-            limit=args.limit,
+            limit=query.limit,
        )
        return workflow_vars
@@ -186,6 +190,7 @@ class RagPipelineVariableApi(Resource):
    @_api_prerequisite
    @marshal_with(_WORKFLOW_DRAFT_VARIABLE_FIELDS)
    @console_ns.expect(console_ns.models[WorkflowDraftVariablePatchPayload.__name__])
    def patch(self, pipeline: Pipeline, variable_id: str):
        # Request payload for file types:
        #
@@ -208,16 +213,11 @@ class RagPipelineVariableApi(Resource):
        #         "upload_file_id": "1602650a-4fe4-423c-85a2-af76c083e3c4"
        #     }
        parser = (
            reqparse.RequestParser()
            .add_argument(self._PATCH_NAME_FIELD, type=str, required=False, nullable=True, location="json")
            .add_argument(self._PATCH_VALUE_FIELD, type=lambda x: x, required=False, nullable=True, location="json")
        )
        draft_var_srv = WorkflowDraftVariableService(
            session=db.session(),
        )
-        args = parser.parse_args(strict=True)
+        payload = WorkflowDraftVariablePatchPayload.model_validate(console_ns.payload or {})
        args = payload.model_dump(exclude_none=True)
        variable = draft_var_srv.get_variable(variable_id=variable_id)
        if variable is None:
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_import.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_import.py
@@ -1,6 +1,9 @@
-from flask_restx import Resource, marshal_with, reqparse  # type: ignore
+from flask import request
 from flask_restx import Resource, marshal_with  # type: ignore
 from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.datasets.wraps import get_rag_pipeline
 from controllers.console.wraps import (
@@ -16,6 +19,25 @@ from services.app_dsl_service import ImportStatus
 from services.rag_pipeline.rag_pipeline_dsl_service import RagPipelineDslService
 class RagPipelineImportPayload(BaseModel):
    mode: str
    yaml_content: str | None = None
    yaml_url: str | None = None
    name: str | None = None
    description: str | None = None
    icon_type: str | None = None
    icon: str | None = None
    icon_background: str | None = None
    pipeline_id: str | None = None
 class IncludeSecretQuery(BaseModel):
    include_secret: str = Field(default="false")
 register_schema_models(console_ns, RagPipelineImportPayload, IncludeSecretQuery)
@console_ns.route("/rag/pipelines/imports")
 class RagPipelineImportApi(Resource):
    @setup_required
@@ -23,23 +45,11 @@ class RagPipelineImportApi(Resource):
    @account_initialization_required
    @edit_permission_required
    @marshal_with(pipeline_import_fields)
    @console_ns.expect(console_ns.models[RagPipelineImportPayload.__name__])
    def post(self):
        # Check user role first
        current_user, _ = current_account_with_tenant()
-
+        payload = RagPipelineImportPayload.model_validate(console_ns.payload or {})
        parser = (
            reqparse.RequestParser()
            .add_argument("mode", type=str, required=True, location="json")
            .add_argument("yaml_content", type=str, location="json")
            .add_argument("yaml_url", type=str, location="json")
            .add_argument("name", type=str, location="json")
            .add_argument("description", type=str, location="json")
            .add_argument("icon_type", type=str, location="json")
            .add_argument("icon", type=str, location="json")
            .add_argument("icon_background", type=str, location="json")
            .add_argument("pipeline_id", type=str, location="json")
        )
        args = parser.parse_args()
        # Create service with session
        with Session(db.engine) as session:
@@ -48,11 +58,11 @@ class RagPipelineImportApi(Resource):
            account = current_user
            result = import_service.import_rag_pipeline(
                account=account,
-                import_mode=args["mode"],
+                import_mode=payload.mode,
-                yaml_content=args.get("yaml_content"),
+                yaml_content=payload.yaml_content,
-                yaml_url=args.get("yaml_url"),
+                yaml_url=payload.yaml_url,
-                pipeline_id=args.get("pipeline_id"),
+                pipeline_id=payload.pipeline_id,
-                dataset_name=args.get("name"),
+                dataset_name=payload.name,
            )
            session.commit()
@@ -114,13 +124,12 @@ class RagPipelineExportApi(Resource):
    @edit_permission_required
    def get(self, pipeline: Pipeline):
        # Add include_secret params
-        parser = reqparse.RequestParser().add_argument("include_secret", type=str, default="false", location="args")
+        query = IncludeSecretQuery.model_validate(request.args.to_dict())
        args = parser.parse_args()
        with Session(db.engine) as session:
            export_service = RagPipelineDslService(session)
            result = export_service.export_rag_pipeline_dsl(
-                pipeline=pipeline, include_secret=args["include_secret"] == "true"
+                pipeline=pipeline, include_secret=query.include_secret == "true"
            )
        return {"data": result}, 200
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
@@ -1,14 +1,16 @@
 import json
 import logging
-from typing import cast
+from typing import Any, Literal, cast
 from uuid import UUID
 from flask import abort, request
-from flask_restx import Resource, inputs, marshal_with, reqparse  # type: ignore  # type: ignore
+from flask_restx import Resource, marshal_with  # type: ignore
-from flask_restx.inputs import int_range  # type: ignore
+from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import Forbidden, InternalServerError, NotFound
 import services
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.app.error import (
    ConversationCompletedError,
@@ -36,7 +38,7 @@ from fields.workflow_run_fields import (
    workflow_run_pagination_fields,
 )
 from libs import helper
-from libs.helper import TimestampField, uuid_value
+from libs.helper import TimestampField
 from libs.login import current_account_with_tenant, current_user, login_required
 from models import Account
 from models.dataset import Pipeline
@@ -51,6 +53,91 @@ from services.rag_pipeline.rag_pipeline_transform_service import RagPipelineTran
 logger = logging.getLogger(__name__)
 class DraftWorkflowSyncPayload(BaseModel):
    graph: dict[str, Any]
    hash: str | None = None
    environment_variables: list[dict[str, Any]] | None = None
    conversation_variables: list[dict[str, Any]] | None = None
    rag_pipeline_variables: list[dict[str, Any]] | None = None
    features: dict[str, Any] | None = None
 class NodeRunPayload(BaseModel):
    inputs: dict[str, Any] | None = None
 class NodeRunRequiredPayload(BaseModel):
    inputs: dict[str, Any]
 class DatasourceNodeRunPayload(BaseModel):
    inputs: dict[str, Any]
    datasource_type: str
    credential_id: str | None = None
 class DraftWorkflowRunPayload(BaseModel):
    inputs: dict[str, Any]
    datasource_type: str
    datasource_info_list: list[dict[str, Any]]
    start_node_id: str
 class PublishedWorkflowRunPayload(DraftWorkflowRunPayload):
    is_preview: bool = False
    response_mode: Literal["streaming", "blocking"] = "streaming"
    original_document_id: str | None = None
 class DefaultBlockConfigQuery(BaseModel):
    q: str | None = None
 class WorkflowListQuery(BaseModel):
    page: int = Field(default=1, ge=1, le=99999)
    limit: int = Field(default=10, ge=1, le=100)
    user_id: str | None = None
    named_only: bool = False
 class WorkflowUpdatePayload(BaseModel):
    marked_name: str | None = Field(default=None, max_length=20)
    marked_comment: str | None = Field(default=None, max_length=100)
 class NodeIdQuery(BaseModel):
    node_id: str
 class WorkflowRunQuery(BaseModel):
    last_id: UUID | None = None
    limit: int = Field(default=20, ge=1, le=100)
 class DatasourceVariablesPayload(BaseModel):
    datasource_type: str
    datasource_info: dict[str, Any]
    start_node_id: str
    start_node_title: str
 register_schema_models(
    console_ns,
    DraftWorkflowSyncPayload,
    NodeRunPayload,
    NodeRunRequiredPayload,
    DatasourceNodeRunPayload,
    DraftWorkflowRunPayload,
    PublishedWorkflowRunPayload,
    DefaultBlockConfigQuery,
    WorkflowListQuery,
    WorkflowUpdatePayload,
    NodeIdQuery,
    WorkflowRunQuery,
    DatasourceVariablesPayload,
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft")
 class DraftRagPipelineApi(Resource):
    @setup_required
@@ -88,15 +175,7 @@ class DraftRagPipelineApi(Resource):
        content_type = request.headers.get("Content-Type", "")
        if "application/json" in content_type:
-            parser = (
+            payload_dict = console_ns.payload or {}
                reqparse.RequestParser()
                .add_argument("graph", type=dict, required=True, nullable=False, location="json")
                .add_argument("hash", type=str, required=False, location="json")
                .add_argument("environment_variables", type=list, required=False, location="json")
                .add_argument("conversation_variables", type=list, required=False, location="json")
                .add_argument("rag_pipeline_variables", type=list, required=False, location="json")
            )
            args = parser.parse_args()
        elif "text/plain" in content_type:
            try:
                data = json.loads(request.data.decode("utf-8"))
@@ -106,7 +185,7 @@ class DraftRagPipelineApi(Resource):
                if not isinstance(data.get("graph"), dict):
                    raise ValueError("graph is not a dict")
-                args = {
+                payload_dict = {
                    "graph": data.get("graph"),
                    "features": data.get("features"),
                    "hash": data.get("hash"),
@@ -119,24 +198,26 @@ class DraftRagPipelineApi(Resource):
        else:
            abort(415)
        payload = DraftWorkflowSyncPayload.model_validate(payload_dict)
        try:
-            environment_variables_list = args.get("environment_variables") or []
+            environment_variables_list = payload.environment_variables or []
            environment_variables = [
                variable_factory.build_environment_variable_from_mapping(obj) for obj in environment_variables_list
            ]
-            conversation_variables_list = args.get("conversation_variables") or []
+            conversation_variables_list = payload.conversation_variables or []
            conversation_variables = [
                variable_factory.build_conversation_variable_from_mapping(obj) for obj in conversation_variables_list
            ]
            rag_pipeline_service = RagPipelineService()
            workflow = rag_pipeline_service.sync_draft_workflow(
                pipeline=pipeline,
-                graph=args["graph"],
+                graph=payload.graph,
-                unique_hash=args.get("hash"),
+                unique_hash=payload.hash,
                account=current_user,
                environment_variables=environment_variables,
                conversation_variables=conversation_variables,
-                rag_pipeline_variables=args.get("rag_pipeline_variables") or [],
+                rag_pipeline_variables=payload.rag_pipeline_variables or [],
            )
        except WorkflowHashNotEqualError:
            raise DraftWorkflowNotSync()
@@ -148,12 +229,9 @@ class DraftRagPipelineApi(Resource):
        }
 parser_run = reqparse.RequestParser().add_argument("inputs", type=dict, location="json")
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/iteration/nodes/<string:node_id>/run")
 class RagPipelineDraftRunIterationNodeApi(Resource):
-    @console_ns.expect(parser_run)
+    @console_ns.expect(console_ns.models[NodeRunPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -166,7 +244,8 @@ class RagPipelineDraftRunIterationNodeApi(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, _ = current_account_with_tenant()
-        args = parser_run.parse_args()
+        payload = NodeRunPayload.model_validate(console_ns.payload or {})
        args = payload.model_dump(exclude_none=True)
        try:
            response = PipelineGenerateService.generate_single_iteration(
@@ -187,7 +266,7 @@ class RagPipelineDraftRunIterationNodeApi(Resource):
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/loop/nodes/<string:node_id>/run")
 class RagPipelineDraftRunLoopNodeApi(Resource):
-    @console_ns.expect(parser_run)
+    @console_ns.expect(console_ns.models[NodeRunPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -200,7 +279,8 @@ class RagPipelineDraftRunLoopNodeApi(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, _ = current_account_with_tenant()
-        args = parser_run.parse_args()
+        payload = NodeRunPayload.model_validate(console_ns.payload or {})
        args = payload.model_dump(exclude_none=True)
        try:
            response = PipelineGenerateService.generate_single_loop(
@@ -219,18 +299,9 @@ class RagPipelineDraftRunLoopNodeApi(Resource):
            raise InternalServerError()
 parser_draft_run = (
    reqparse.RequestParser()
    .add_argument("inputs", type=dict, required=True, nullable=False, location="json")
    .add_argument("datasource_type", type=str, required=True, location="json")
    .add_argument("datasource_info_list", type=list, required=True, location="json")
    .add_argument("start_node_id", type=str, required=True, location="json")
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/run")
 class DraftRagPipelineRunApi(Resource):
-    @console_ns.expect(parser_draft_run)
+    @console_ns.expect(console_ns.models[DraftWorkflowRunPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -243,7 +314,8 @@ class DraftRagPipelineRunApi(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, _ = current_account_with_tenant()
-        args = parser_draft_run.parse_args()
+        payload = DraftWorkflowRunPayload.model_validate(console_ns.payload or {})
        args = payload.model_dump()
        try:
            response = PipelineGenerateService.generate(
@@ -259,21 +331,9 @@ class DraftRagPipelineRunApi(Resource):
            raise InvokeRateLimitHttpError(ex.description)
 parser_published_run = (
    reqparse.RequestParser()
    .add_argument("inputs", type=dict, required=True, nullable=False, location="json")
    .add_argument("datasource_type", type=str, required=True, location="json")
    .add_argument("datasource_info_list", type=list, required=True, location="json")
    .add_argument("start_node_id", type=str, required=True, location="json")
    .add_argument("is_preview", type=bool, required=True, location="json", default=False)
    .add_argument("response_mode", type=str, required=True, location="json", default="streaming")
    .add_argument("original_document_id", type=str, required=False, location="json")
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/published/run")
 class PublishedRagPipelineRunApi(Resource):
-    @console_ns.expect(parser_published_run)
+    @console_ns.expect(console_ns.models[PublishedWorkflowRunPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -286,16 +346,16 @@ class PublishedRagPipelineRunApi(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, _ = current_account_with_tenant()
-        args = parser_published_run.parse_args()
+        payload = PublishedWorkflowRunPayload.model_validate(console_ns.payload or {})
-
+        args = payload.model_dump(exclude_none=True)
-        streaming = args["response_mode"] == "streaming"
+        streaming = payload.response_mode == "streaming"
        try:
            response = PipelineGenerateService.generate(
                pipeline=pipeline,
                user=current_user,
                args=args,
-                invoke_from=InvokeFrom.DEBUGGER if args.get("is_preview") else InvokeFrom.PUBLISHED,
+                invoke_from=InvokeFrom.DEBUGGER if payload.is_preview else InvokeFrom.PUBLISHED,
                streaming=streaming,
            )
@@ -387,17 +447,9 @@ class PublishedRagPipelineRunApi(Resource):
 #
 #         return result
 #
 parser_rag_run = (
    reqparse.RequestParser()
    .add_argument("inputs", type=dict, required=True, nullable=False, location="json")
    .add_argument("datasource_type", type=str, required=True, location="json")
    .add_argument("credential_id", type=str, required=False, location="json")
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/published/datasource/nodes/<string:node_id>/run")
 class RagPipelinePublishedDatasourceNodeRunApi(Resource):
-    @console_ns.expect(parser_rag_run)
+    @console_ns.expect(console_ns.models[DatasourceNodeRunPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -410,14 +462,7 @@ class RagPipelinePublishedDatasourceNodeRunApi(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, _ = current_account_with_tenant()
-        args = parser_rag_run.parse_args()
+        payload = DatasourceNodeRunPayload.model_validate(console_ns.payload or {})
        inputs = args.get("inputs")
        if inputs is None:
            raise ValueError("missing inputs")
        datasource_type = args.get("datasource_type")
        if datasource_type is None:
            raise ValueError("missing datasource_type")
        rag_pipeline_service = RagPipelineService()
        return helper.compact_generate_response(
@@ -425,11 +470,11 @@ class RagPipelinePublishedDatasourceNodeRunApi(Resource):
                rag_pipeline_service.run_datasource_workflow_node(
                    pipeline=pipeline,
                    node_id=node_id,
-                    user_inputs=inputs,
+                    user_inputs=payload.inputs,
                    account=current_user,
-                    datasource_type=datasource_type,
+                    datasource_type=payload.datasource_type,
                    is_published=False,
-                    credential_id=args.get("credential_id"),
+                    credential_id=payload.credential_id,
                )
            )
        )
@@ -437,7 +482,7 @@ class RagPipelinePublishedDatasourceNodeRunApi(Resource):
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/datasource/nodes/<string:node_id>/run")
 class RagPipelineDraftDatasourceNodeRunApi(Resource):
-    @console_ns.expect(parser_rag_run)
+    @console_ns.expect(console_ns.models[DatasourceNodeRunPayload.__name__])
    @setup_required
    @login_required
    @edit_permission_required
@@ -450,14 +495,7 @@ class RagPipelineDraftDatasourceNodeRunApi(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, _ = current_account_with_tenant()
-        args = parser_rag_run.parse_args()
+        payload = DatasourceNodeRunPayload.model_validate(console_ns.payload or {})
        inputs = args.get("inputs")
        if inputs is None:
            raise ValueError("missing inputs")
        datasource_type = args.get("datasource_type")
        if datasource_type is None:
            raise ValueError("missing datasource_type")
        rag_pipeline_service = RagPipelineService()
        return helper.compact_generate_response(
@@ -465,24 +503,19 @@ class RagPipelineDraftDatasourceNodeRunApi(Resource):
                rag_pipeline_service.run_datasource_workflow_node(
                    pipeline=pipeline,
                    node_id=node_id,
-                    user_inputs=inputs,
+                    user_inputs=payload.inputs,
                    account=current_user,
-                    datasource_type=datasource_type,
+                    datasource_type=payload.datasource_type,
                    is_published=False,
-                    credential_id=args.get("credential_id"),
+                    credential_id=payload.credential_id,
                )
            )
        )
 parser_run_api = reqparse.RequestParser().add_argument(
    "inputs", type=dict, required=True, nullable=False, location="json"
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/nodes/<string:node_id>/run")
 class RagPipelineDraftNodeRunApi(Resource):
-    @console_ns.expect(parser_run_api)
+    @console_ns.expect(console_ns.models[NodeRunRequiredPayload.__name__])
    @setup_required
    @login_required
    @edit_permission_required
@@ -496,11 +529,8 @@ class RagPipelineDraftNodeRunApi(Resource):
        # The role of the current user in the ta table must be admin, owner, or editor
        current_user, _ = current_account_with_tenant()
-        args = parser_run_api.parse_args()
+        payload = NodeRunRequiredPayload.model_validate(console_ns.payload or {})
-
+        inputs = payload.inputs
        inputs = args.get("inputs")
        if inputs == None:
            raise ValueError("missing inputs")
        rag_pipeline_service = RagPipelineService()
        workflow_node_execution = rag_pipeline_service.run_draft_workflow_node(
@@ -602,12 +632,8 @@ class DefaultRagPipelineBlockConfigsApi(Resource):
        return rag_pipeline_service.get_default_block_configs()
 parser_default = reqparse.RequestParser().add_argument("q", type=str, location="args")
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/default-workflow-block-configs/<string:block_type>")
 class DefaultRagPipelineBlockConfigApi(Resource):
    @console_ns.expect(parser_default)
    @setup_required
    @login_required
    @account_initialization_required
@@ -617,14 +643,12 @@ class DefaultRagPipelineBlockConfigApi(Resource):
        """
        Get default block config
        """
-        args = parser_default.parse_args()
+        query = DefaultBlockConfigQuery.model_validate(request.args.to_dict())
        q = args.get("q")
        filters = None
-        if q:
+        if query.q:
            try:
-                filters = json.loads(args.get("q", ""))
+                filters = json.loads(query.q)
            except json.JSONDecodeError:
                raise ValueError("Invalid filters")
@@ -633,18 +657,8 @@ class DefaultRagPipelineBlockConfigApi(Resource):
        return rag_pipeline_service.get_default_block_config(node_type=block_type, filters=filters)
 parser_wf = (
    reqparse.RequestParser()
    .add_argument("page", type=inputs.int_range(1, 99999), required=False, default=1, location="args")
    .add_argument("limit", type=inputs.int_range(1, 100), required=False, default=10, location="args")
    .add_argument("user_id", type=str, required=False, location="args")
    .add_argument("named_only", type=inputs.boolean, required=False, default=False, location="args")
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows")
 class PublishedAllRagPipelineApi(Resource):
    @console_ns.expect(parser_wf)
    @setup_required
    @login_required
    @account_initialization_required
@@ -657,16 +671,16 @@ class PublishedAllRagPipelineApi(Resource):
        """
        current_user, _ = current_account_with_tenant()
-        args = parser_wf.parse_args()
+        query = WorkflowListQuery.model_validate(request.args.to_dict())
-        page = args["page"]
+
-        limit = args["limit"]
+        page = query.page
-        user_id = args.get("user_id")
+        limit = query.limit
-        named_only = args.get("named_only", False)
+        user_id = query.user_id
        named_only = query.named_only
        if user_id:
            if user_id != current_user.id:
                raise Forbidden()
            user_id = cast(str, user_id)
        rag_pipeline_service = RagPipelineService()
        with Session(db.engine) as session:
@@ -687,16 +701,8 @@ class PublishedAllRagPipelineApi(Resource):
            }
 parser_wf_id = (
    reqparse.RequestParser()
    .add_argument("marked_name", type=str, required=False, location="json")
    .add_argument("marked_comment", type=str, required=False, location="json")
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/<string:workflow_id>")
 class RagPipelineByIdApi(Resource):
    @console_ns.expect(parser_wf_id)
    @setup_required
    @login_required
    @account_initialization_required
@@ -710,20 +716,8 @@ class RagPipelineByIdApi(Resource):
        # Check permission
        current_user, _ = current_account_with_tenant()
-        args = parser_wf_id.parse_args()
+        payload = WorkflowUpdatePayload.model_validate(console_ns.payload or {})
-
+        update_data = payload.model_dump(exclude_unset=True)
        # Validate name and comment length
        if args.marked_name and len(args.marked_name) > 20:
            raise ValueError("Marked name cannot exceed 20 characters")
        if args.marked_comment and len(args.marked_comment) > 100:
            raise ValueError("Marked comment cannot exceed 100 characters")
        # Prepare update data
        update_data = {}
        if args.get("marked_name") is not None:
            update_data["marked_name"] = args["marked_name"]
        if args.get("marked_comment") is not None:
            update_data["marked_comment"] = args["marked_comment"]
        if not update_data:
            return {"message": "No valid fields to update"}, 400
@@ -749,12 +743,8 @@ class RagPipelineByIdApi(Resource):
        return workflow
 parser_parameters = reqparse.RequestParser().add_argument("node_id", type=str, required=True, location="args")
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/published/processing/parameters")
 class PublishedRagPipelineSecondStepApi(Resource):
    @console_ns.expect(parser_parameters)
    @setup_required
    @login_required
    @account_initialization_required
@@ -764,10 +754,8 @@ class PublishedRagPipelineSecondStepApi(Resource):
        """
        Get second step parameters of rag pipeline
        """
-        args = parser_parameters.parse_args()
+        query = NodeIdQuery.model_validate(request.args.to_dict())
-        node_id = args.get("node_id")
+        node_id = query.node_id
        if not node_id:
            raise ValueError("Node ID is required")
        rag_pipeline_service = RagPipelineService()
        variables = rag_pipeline_service.get_second_step_parameters(pipeline=pipeline, node_id=node_id, is_draft=False)
        return {
@@ -777,7 +765,6 @@ class PublishedRagPipelineSecondStepApi(Resource):
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/published/pre-processing/parameters")
 class PublishedRagPipelineFirstStepApi(Resource):
    @console_ns.expect(parser_parameters)
    @setup_required
    @login_required
    @account_initialization_required
@@ -787,10 +774,8 @@ class PublishedRagPipelineFirstStepApi(Resource):
        """
        Get first step parameters of rag pipeline
        """
-        args = parser_parameters.parse_args()
+        query = NodeIdQuery.model_validate(request.args.to_dict())
-        node_id = args.get("node_id")
+        node_id = query.node_id
        if not node_id:
            raise ValueError("Node ID is required")
        rag_pipeline_service = RagPipelineService()
        variables = rag_pipeline_service.get_first_step_parameters(pipeline=pipeline, node_id=node_id, is_draft=False)
        return {
@@ -800,7 +785,6 @@ class PublishedRagPipelineFirstStepApi(Resource):
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/pre-processing/parameters")
 class DraftRagPipelineFirstStepApi(Resource):
    @console_ns.expect(parser_parameters)
    @setup_required
    @login_required
    @account_initialization_required
@@ -810,10 +794,8 @@ class DraftRagPipelineFirstStepApi(Resource):
        """
        Get first step parameters of rag pipeline
        """
-        args = parser_parameters.parse_args()
+        query = NodeIdQuery.model_validate(request.args.to_dict())
-        node_id = args.get("node_id")
+        node_id = query.node_id
        if not node_id:
            raise ValueError("Node ID is required")
        rag_pipeline_service = RagPipelineService()
        variables = rag_pipeline_service.get_first_step_parameters(pipeline=pipeline, node_id=node_id, is_draft=True)
        return {
@@ -823,7 +805,6 @@ class DraftRagPipelineFirstStepApi(Resource):
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/processing/parameters")
 class DraftRagPipelineSecondStepApi(Resource):
    @console_ns.expect(parser_parameters)
    @setup_required
    @login_required
    @account_initialization_required
@@ -833,10 +814,8 @@ class DraftRagPipelineSecondStepApi(Resource):
        """
        Get second step parameters of rag pipeline
        """
-        args = parser_parameters.parse_args()
+        query = NodeIdQuery.model_validate(request.args.to_dict())
-        node_id = args.get("node_id")
+        node_id = query.node_id
        if not node_id:
            raise ValueError("Node ID is required")
        rag_pipeline_service = RagPipelineService()
        variables = rag_pipeline_service.get_second_step_parameters(pipeline=pipeline, node_id=node_id, is_draft=True)
@@ -845,16 +824,8 @@ class DraftRagPipelineSecondStepApi(Resource):
        }
 parser_wf_run = (
    reqparse.RequestParser()
    .add_argument("last_id", type=uuid_value, location="args")
    .add_argument("limit", type=int_range(1, 100), required=False, default=20, location="args")
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflow-runs")
 class RagPipelineWorkflowRunListApi(Resource):
    @console_ns.expect(parser_wf_run)
    @setup_required
    @login_required
    @account_initialization_required
@@ -864,7 +835,16 @@ class RagPipelineWorkflowRunListApi(Resource):
        """
        Get workflow run list
        """
-        args = parser_wf_run.parse_args()
+        query = WorkflowRunQuery.model_validate(
            {
                "last_id": request.args.get("last_id"),
                "limit": request.args.get("limit", type=int, default=20),
            }
        )
        args = {
            "last_id": str(query.last_id) if query.last_id else None,
            "limit": query.limit,
        }
        rag_pipeline_service = RagPipelineService()
        result = rag_pipeline_service.get_rag_pipeline_paginate_workflow_runs(pipeline=pipeline, args=args)
@@ -964,18 +944,9 @@ class RagPipelineTransformApi(Resource):
        return result
 parser_var = (
    reqparse.RequestParser()
    .add_argument("datasource_type", type=str, required=True, location="json")
    .add_argument("datasource_info", type=dict, required=True, location="json")
    .add_argument("start_node_id", type=str, required=True, location="json")
    .add_argument("start_node_title", type=str, required=True, location="json")
 )
@console_ns.route("/rag/pipelines/<uuid:pipeline_id>/workflows/draft/datasource/variables-inspect")
 class RagPipelineDatasourceVariableApi(Resource):
-    @console_ns.expect(parser_var)
+    @console_ns.expect(console_ns.models[DatasourceVariablesPayload.__name__])
    @setup_required
    @login_required
    @account_initialization_required
@@ -987,7 +958,7 @@ class RagPipelineDatasourceVariableApi(Resource):
        Set datasource variables
        """
        current_user, _ = current_account_with_tenant()
-        args = parser_var.parse_args()
+        args = DatasourceVariablesPayload.model_validate(console_ns.payload or {}).model_dump()
        rag_pipeline_service = RagPipelineService()
        workflow_node_execution = rag_pipeline_service.set_datasource_variables(
--- a/api/controllers/console/datasets/website.py
+++ b/api/controllers/console/datasets/website.py
@@ -1,5 +1,10 @@
-from flask_restx import Resource, fields, reqparse
+from typing import Literal
 from flask import request
 from flask_restx import Resource
 from pydantic import BaseModel
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.datasets.error import WebsiteCrawlError
 from controllers.console.wraps import account_initialization_required, setup_required
@@ -7,48 +12,35 @@ from libs.login import login_required
 from services.website_service import WebsiteCrawlApiRequest, WebsiteCrawlStatusApiRequest, WebsiteService
 class WebsiteCrawlPayload(BaseModel):
    provider: Literal["firecrawl", "watercrawl", "jinareader"]
    url: str
    options: dict[str, object]
 class WebsiteCrawlStatusQuery(BaseModel):
    provider: Literal["firecrawl", "watercrawl", "jinareader"]
 register_schema_models(console_ns, WebsiteCrawlPayload, WebsiteCrawlStatusQuery)
@console_ns.route("/website/crawl")
 class WebsiteCrawlApi(Resource):
    @console_ns.doc("crawl_website")
    @console_ns.doc(description="Crawl website content")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[WebsiteCrawlPayload.__name__])
        console_ns.model(
            "WebsiteCrawlRequest",
            {
                "provider": fields.String(
                    required=True,
                    description="Crawl provider (firecrawl/watercrawl/jinareader)",
                    enum=["firecrawl", "watercrawl", "jinareader"],
                ),
                "url": fields.String(required=True, description="URL to crawl"),
                "options": fields.Raw(required=True, description="Crawl options"),
            },
        )
    )
    @console_ns.response(200, "Website crawl initiated successfully")
    @console_ns.response(400, "Invalid crawl parameters")
    @setup_required
    @login_required
    @account_initialization_required
    def post(self):
-        parser = (
+        payload = WebsiteCrawlPayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument(
                "provider",
                type=str,
                choices=["firecrawl", "watercrawl", "jinareader"],
                required=True,
                nullable=True,
                location="json",
            )
            .add_argument("url", type=str, required=True, nullable=True, location="json")
            .add_argument("options", type=dict, required=True, nullable=True, location="json")
        )
        args = parser.parse_args()
        # Create typed request and validate
        try:
-            api_request = WebsiteCrawlApiRequest.from_args(args)
+            api_request = WebsiteCrawlApiRequest.from_args(payload.model_dump())
        except ValueError as e:
            raise WebsiteCrawlError(str(e))
@@ -65,6 +57,7 @@ class WebsiteCrawlStatusApi(Resource):
    @console_ns.doc("get_crawl_status")
    @console_ns.doc(description="Get website crawl status")
    @console_ns.doc(params={"job_id": "Crawl job ID", "provider": "Crawl provider (firecrawl/watercrawl/jinareader)"})
    @console_ns.expect(console_ns.models[WebsiteCrawlStatusQuery.__name__])
    @console_ns.response(200, "Crawl status retrieved successfully")
    @console_ns.response(404, "Crawl job not found")
    @console_ns.response(400, "Invalid provider")
@@ -72,14 +65,11 @@ class WebsiteCrawlStatusApi(Resource):
    @login_required
    @account_initialization_required
    def get(self, job_id: str):
-        parser = reqparse.RequestParser().add_argument(
+        args = WebsiteCrawlStatusQuery.model_validate(request.args.to_dict())
            "provider", type=str, choices=["firecrawl", "watercrawl", "jinareader"], required=True, location="args"
        )
        args = parser.parse_args()
        # Create typed request and validate
        try:
-            api_request = WebsiteCrawlStatusApiRequest.from_args(args, job_id)
+            api_request = WebsiteCrawlStatusApiRequest.from_args(args.model_dump(), job_id)
        except ValueError as e:
            raise WebsiteCrawlError(str(e))
--- a/api/controllers/console/explore/audio.py
+++ b/api/controllers/console/explore/audio.py
@@ -1,9 +1,11 @@
 import logging
 from flask import request
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import InternalServerError
 import services
 from controllers.common.schema import register_schema_model
 from controllers.console.app.error import (
    AppUnavailableError,
    AudioTooLargeError,
@@ -31,6 +33,16 @@ from .. import console_ns
 logger = logging.getLogger(__name__)
 class TextToAudioPayload(BaseModel):
    message_id: str | None = None
    voice: str | None = None
    text: str | None = None
    streaming: bool | None = Field(default=None, description="Enable streaming response")
 register_schema_model(console_ns, TextToAudioPayload)
@console_ns.route(
    "/installed-apps/<uuid:installed_app_id>/audio-to-text",
    endpoint="installed_app_audio",
@@ -76,23 +88,15 @@ class ChatAudioApi(InstalledAppResource):
    endpoint="installed_app_text",
 )
 class ChatTextApi(InstalledAppResource):
    @console_ns.expect(console_ns.models[TextToAudioPayload.__name__])
    def post(self, installed_app):
        from flask_restx import reqparse
        app_model = installed_app.app
        try:
-            parser = (
+            payload = TextToAudioPayload.model_validate(console_ns.payload or {})
                reqparse.RequestParser()
                .add_argument("message_id", type=str, required=False, location="json")
                .add_argument("voice", type=str, location="json")
                .add_argument("text", type=str, location="json")
                .add_argument("streaming", type=bool, location="json")
            )
            args = parser.parse_args()
-            message_id = args.get("message_id", None)
+            message_id = payload.message_id
-            text = args.get("text", None)
+            text = payload.text
-            voice = args.get("voice", None)
+            voice = payload.voice
            response = AudioService.transcript_tts(app_model=app_model, text=text, voice=voice, message_id=message_id)
            return response
--- a/api/controllers/console/explore/completion.py
+++ b/api/controllers/console/explore/completion.py
@@ -1,9 +1,12 @@
 import logging
 from typing import Any, Literal
 from uuid import UUID
-from flask_restx import reqparse
+from pydantic import BaseModel, Field, field_validator
 from werkzeug.exceptions import InternalServerError, NotFound
 import services
 from controllers.common.schema import register_schema_models
 from controllers.console.app.error import (
    AppUnavailableError,
    CompletionRequestError,
@@ -25,7 +28,6 @@ from core.model_runtime.errors.invoke import InvokeError
 from extensions.ext_database import db
 from libs import helper
 from libs.datetime_utils import naive_utc_now
 from libs.helper import uuid_value
 from libs.login import current_user
 from models import Account
 from models.model import AppMode
@@ -38,28 +40,56 @@ from .. import console_ns
 logger = logging.getLogger(__name__)
 class CompletionMessagePayload(BaseModel):
    inputs: dict[str, Any]
    query: str = ""
    files: list[dict[str, Any]] | None = None
    response_mode: Literal["blocking", "streaming"] | None = None
    retriever_from: str = Field(default="explore_app")
 class ChatMessagePayload(BaseModel):
    inputs: dict[str, Any]
    query: str
    files: list[dict[str, Any]] | None = None
    conversation_id: str | None = None
    parent_message_id: str | None = None
    retriever_from: str = Field(default="explore_app")
    @field_validator("conversation_id", "parent_message_id", mode="before")
    @classmethod
    def normalize_uuid(cls, value: str | UUID | None) -> str | None:
        """
        Accept blank IDs and validate UUID format when provided.
        """
        if not value:
            return None
        try:
            return helper.uuid_value(value)
        except ValueError as exc:
            raise ValueError("must be a valid UUID") from exc
 register_schema_models(console_ns, CompletionMessagePayload, ChatMessagePayload)
 # define completion api for user
@console_ns.route(
    "/installed-apps/<uuid:installed_app_id>/completion-messages",
    endpoint="installed_app_completion",
 )
 class CompletionApi(InstalledAppResource):
    @console_ns.expect(console_ns.models[CompletionMessagePayload.__name__])
    def post(self, installed_app):
        app_model = installed_app.app
        if app_model.mode != AppMode.COMPLETION:
            raise NotCompletionAppError()
-        parser = (
+        payload = CompletionMessagePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        args = payload.model_dump(exclude_none=True)
            .add_argument("inputs", type=dict, required=True, location="json")
            .add_argument("query", type=str, location="json", default="")
            .add_argument("files", type=list, required=False, location="json")
            .add_argument("response_mode", type=str, choices=["blocking", "streaming"], location="json")
            .add_argument("retriever_from", type=str, required=False, default="explore_app", location="json")
        )
        args = parser.parse_args()
-        streaming = args["response_mode"] == "streaming"
+        streaming = payload.response_mode == "streaming"
        args["auto_generate_name"] = False
        installed_app.last_used_at = naive_utc_now()
@@ -123,22 +153,15 @@ class CompletionStopApi(InstalledAppResource):
    endpoint="installed_app_chat_completion",
 )
 class ChatApi(InstalledAppResource):
    @console_ns.expect(console_ns.models[ChatMessagePayload.__name__])
    def post(self, installed_app):
        app_model = installed_app.app
        app_mode = AppMode.value_of(app_model.mode)
        if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
            raise NotChatAppError()
-        parser = (
+        payload = ChatMessagePayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        args = payload.model_dump(exclude_none=True)
            .add_argument("inputs", type=dict, required=True, location="json")
            .add_argument("query", type=str, required=True, location="json")
            .add_argument("files", type=list, required=False, location="json")
            .add_argument("conversation_id", type=uuid_value, location="json")
            .add_argument("parent_message_id", type=uuid_value, required=False, location="json")
            .add_argument("retriever_from", type=str, required=False, default="explore_app", location="json")
        )
        args = parser.parse_args()
        args["auto_generate_name"] = False
--- a/api/controllers/console/explore/conversation.py
+++ b/api/controllers/console/explore/conversation.py
@@ -1,14 +1,18 @@
-from flask_restx import marshal_with, reqparse
+from typing import Any
-from flask_restx.inputs import int_range
+from uuid import UUID
 from flask import request
 from flask_restx import marshal_with
 from pydantic import BaseModel, Field, model_validator
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import NotFound
 from controllers.common.schema import register_schema_models
 from controllers.console.explore.error import NotChatAppError
 from controllers.console.explore.wraps import InstalledAppResource
 from core.app.entities.app_invoke_entities import InvokeFrom
 from extensions.ext_database import db
 from fields.conversation_fields import conversation_infinite_scroll_pagination_fields, simple_conversation_fields
 from libs.helper import uuid_value
 from libs.login import current_user
 from models import Account
 from models.model import AppMode
@@ -19,29 +23,51 @@ from services.web_conversation_service import WebConversationService
 from .. import console_ns
 class ConversationListQuery(BaseModel):
    last_id: UUID | None = None
    limit: int = Field(default=20, ge=1, le=100)
    pinned: bool | None = None
 class ConversationRenamePayload(BaseModel):
    name: str | None = None
    auto_generate: bool = False
    @model_validator(mode="after")
    def validate_name_requirement(self):
        if not self.auto_generate:
            if self.name is None or not self.name.strip():
                raise ValueError("name is required when auto_generate is false")
        return self
 register_schema_models(console_ns, ConversationListQuery, ConversationRenamePayload)
@console_ns.route(
    "/installed-apps/<uuid:installed_app_id>/conversations",
    endpoint="installed_app_conversations",
 )
 class ConversationListApi(InstalledAppResource):
    @marshal_with(conversation_infinite_scroll_pagination_fields)
    @console_ns.expect(console_ns.models[ConversationListQuery.__name__])
    def get(self, installed_app):
        app_model = installed_app.app
        app_mode = AppMode.value_of(app_model.mode)
        if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
            raise NotChatAppError()
-        parser = (
+        raw_args: dict[str, Any] = {
-            reqparse.RequestParser()
+            "last_id": request.args.get("last_id"),
-            .add_argument("last_id", type=uuid_value, location="args")
+            "limit": request.args.get("limit", default=20, type=int),
-            .add_argument("limit", type=int_range(1, 100), required=False, default=20, location="args")
+            "pinned": request.args.get("pinned"),
-            .add_argument("pinned", type=str, choices=["true", "false", None], location="args")
+        }
-        )
+        if raw_args["last_id"] is None:
-        args = parser.parse_args()
+            raw_args["last_id"] = None
-
+        pinned_value = raw_args["pinned"]
-        pinned = None
+        if isinstance(pinned_value, str):
-        if "pinned" in args and args["pinned"] is not None:
+            raw_args["pinned"] = pinned_value == "true"
-            pinned = args["pinned"] == "true"
+        args = ConversationListQuery.model_validate(raw_args)
        try:
            if not isinstance(current_user, Account):
@@ -51,10 +77,10 @@ class ConversationListApi(InstalledAppResource):
                    session=session,
                    app_model=app_model,
                    user=current_user,
-                    last_id=args["last_id"],
+                    last_id=str(args.last_id) if args.last_id else None,
-                    limit=args["limit"],
+                    limit=args.limit,
                    invoke_from=InvokeFrom.EXPLORE,
-                    pinned=pinned,
+                    pinned=args.pinned,
                )
        except LastConversationNotExistsError:
            raise NotFound("Last Conversation Not Exists.")
@@ -88,6 +114,7 @@ class ConversationApi(InstalledAppResource):
 )
 class ConversationRenameApi(InstalledAppResource):
    @marshal_with(simple_conversation_fields)
    @console_ns.expect(console_ns.models[ConversationRenamePayload.__name__])
    def post(self, installed_app, c_id):
        app_model = installed_app.app
        app_mode = AppMode.value_of(app_model.mode)
@@ -96,18 +123,13 @@ class ConversationRenameApi(InstalledAppResource):
        conversation_id = str(c_id)
-        parser = (
+        payload = ConversationRenamePayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument("name", type=str, required=False, location="json")
            .add_argument("auto_generate", type=bool, required=False, default=False, location="json")
        )
        args = parser.parse_args()
        try:
            if not isinstance(current_user, Account):
                raise ValueError("current_user must be an Account instance")
            return ConversationService.rename(
-                app_model, conversation_id, current_user, args["name"], args["auto_generate"]
+                app_model, conversation_id, current_user, payload.name, payload.auto_generate
            )
        except ConversationNotExistsError:
            raise NotFound("Conversation Not Exists.")
--- a/api/controllers/console/explore/message.py
+++ b/api/controllers/console/explore/message.py
@@ -1,9 +1,13 @@
 import logging
 from typing import Literal
 from uuid import UUID
-from flask_restx import marshal_with, reqparse
+from flask import request
-from flask_restx.inputs import int_range
+from flask_restx import marshal_with
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import InternalServerError, NotFound
 from controllers.common.schema import register_schema_models
 from controllers.console.app.error import (
    AppMoreLikeThisDisabledError,
    CompletionRequestError,
@@ -22,7 +26,6 @@ from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotIni
 from core.model_runtime.errors.invoke import InvokeError
 from fields.message_fields import message_infinite_scroll_pagination_fields
 from libs import helper
 from libs.helper import uuid_value
 from libs.login import current_account_with_tenant
 from models.model import AppMode
 from services.app_generate_service import AppGenerateService
@@ -40,12 +43,31 @@ from .. import console_ns
 logger = logging.getLogger(__name__)
 class MessageListQuery(BaseModel):
    conversation_id: UUID
    first_id: UUID | None = None
    limit: int = Field(default=20, ge=1, le=100)
 class MessageFeedbackPayload(BaseModel):
    rating: Literal["like", "dislike"] | None = None
    content: str | None = None
 class MoreLikeThisQuery(BaseModel):
    response_mode: Literal["blocking", "streaming"]
 register_schema_models(console_ns, MessageListQuery, MessageFeedbackPayload, MoreLikeThisQuery)
@console_ns.route(
    "/installed-apps/<uuid:installed_app_id>/messages",
    endpoint="installed_app_messages",
 )
 class MessageListApi(InstalledAppResource):
    @marshal_with(message_infinite_scroll_pagination_fields)
    @console_ns.expect(console_ns.models[MessageListQuery.__name__])
    def get(self, installed_app):
        current_user, _ = current_account_with_tenant()
        app_model = installed_app.app
@@ -53,18 +75,15 @@ class MessageListApi(InstalledAppResource):
        app_mode = AppMode.value_of(app_model.mode)
        if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
            raise NotChatAppError()
-
+        args = MessageListQuery.model_validate(request.args.to_dict())
        parser = (
            reqparse.RequestParser()
            .add_argument("conversation_id", required=True, type=uuid_value, location="args")
            .add_argument("first_id", type=uuid_value, location="args")
            .add_argument("limit", type=int_range(1, 100), required=False, default=20, location="args")
        )
        args = parser.parse_args()
        try:
            return MessageService.pagination_by_first_id(
-                app_model, current_user, args["conversation_id"], args["first_id"], args["limit"]
+                app_model,
                current_user,
                str(args.conversation_id),
                str(args.first_id) if args.first_id else None,
                args.limit,
            )
        except ConversationNotExistsError:
            raise NotFound("Conversation Not Exists.")
@@ -77,26 +96,22 @@ class MessageListApi(InstalledAppResource):
    endpoint="installed_app_message_feedback",
 )
 class MessageFeedbackApi(InstalledAppResource):
    @console_ns.expect(console_ns.models[MessageFeedbackPayload.__name__])
    def post(self, installed_app, message_id):
        current_user, _ = current_account_with_tenant()
        app_model = installed_app.app
        message_id = str(message_id)
-        parser = (
+        payload = MessageFeedbackPayload.model_validate(console_ns.payload or {})
            reqparse.RequestParser()
            .add_argument("rating", type=str, choices=["like", "dislike", None], location="json")
            .add_argument("content", type=str, location="json")
        )
        args = parser.parse_args()
        try:
            MessageService.create_feedback(
                app_model=app_model,
                message_id=message_id,
                user=current_user,
-                rating=args.get("rating"),
+                rating=payload.rating,
-                content=args.get("content"),
+                content=payload.content,
            )
        except MessageNotExistsError:
            raise NotFound("Message Not Exists.")
@@ -109,6 +124,7 @@ class MessageFeedbackApi(InstalledAppResource):
    endpoint="installed_app_more_like_this",
 )
 class MessageMoreLikeThisApi(InstalledAppResource):
    @console_ns.expect(console_ns.models[MoreLikeThisQuery.__name__])
    def get(self, installed_app, message_id):
        current_user, _ = current_account_with_tenant()
        app_model = installed_app.app
@@ -117,12 +133,9 @@ class MessageMoreLikeThisApi(InstalledAppResource):
        message_id = str(message_id)
-        parser = reqparse.RequestParser().add_argument(
+        args = MoreLikeThisQuery.model_validate(request.args.to_dict())
            "response_mode", type=str, required=True, choices=["blocking", "streaming"], location="args"
        )
        args = parser.parse_args()
-        streaming = args["response_mode"] == "streaming"
+        streaming = args.response_mode == "streaming"
        try:
            response = AppGenerateService.generate_more_like_this(
--- a/api/controllers/console/explore/recommended_app.py
+++ b/api/controllers/console/explore/recommended_app.py
@@ -1,4 +1,6 @@
-from flask_restx import Resource, fields, marshal_with, reqparse
+from flask import request
 from flask_restx import Resource, fields, marshal_with
 from pydantic import BaseModel, Field
 from constants.languages import languages
 from controllers.console import console_ns
@@ -35,20 +37,26 @@ recommended_app_list_fields = {
 }
-parser_apps = reqparse.RequestParser().add_argument("language", type=str, location="args")
+class RecommendedAppsQuery(BaseModel):
    language: str | None = Field(default=None)
 console_ns.schema_model(
    RecommendedAppsQuery.__name__,
    RecommendedAppsQuery.model_json_schema(ref_template="#/definitions/{model}"),
 )
@console_ns.route("/explore/apps")
 class RecommendedAppListApi(Resource):
-    @console_ns.expect(parser_apps)
+    @console_ns.expect(console_ns.models[RecommendedAppsQuery.__name__])
    @login_required
    @account_initialization_required
    @marshal_with(recommended_app_list_fields)
    def get(self):
        # language args
-        args = parser_apps.parse_args()
+        args = RecommendedAppsQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
-
+        language = args.language
        language = args.get("language")
        if language and language in languages:
            language_prefix = language
        elif current_user and current_user.interface_language:
--- a/api/controllers/console/explore/saved_message.py
+++ b/api/controllers/console/explore/saved_message.py
@@ -1,16 +1,33 @@
-from flask_restx import fields, marshal_with, reqparse
+from uuid import UUID
-from flask_restx.inputs import int_range
+
 from flask import request
 from flask_restx import fields, marshal_with
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import NotFound
 from controllers.common.schema import register_schema_models
 from controllers.console import console_ns
 from controllers.console.explore.error import NotCompletionAppError
 from controllers.console.explore.wraps import InstalledAppResource
 from fields.conversation_fields import message_file_fields
-from libs.helper import TimestampField, uuid_value
+from libs.helper import TimestampField
 from libs.login import current_account_with_tenant
 from services.errors.message import MessageNotExistsError
 from services.saved_message_service import SavedMessageService
 class SavedMessageListQuery(BaseModel):
    last_id: UUID | None = None
    limit: int = Field(default=20, ge=1, le=100)
 class SavedMessageCreatePayload(BaseModel):
    message_id: UUID
 register_schema_models(console_ns, SavedMessageListQuery, SavedMessageCreatePayload)
 feedback_fields = {"rating": fields.String}
 message_fields = {
@@ -33,32 +50,33 @@ class SavedMessageListApi(InstalledAppResource):
    }
    @marshal_with(saved_message_infinite_scroll_pagination_fields)
    @console_ns.expect(console_ns.models[SavedMessageListQuery.__name__])
    def get(self, installed_app):
        current_user, _ = current_account_with_tenant()
        app_model = installed_app.app
        if app_model.mode != "completion":
            raise NotCompletionAppError()
-        parser = (
+        args = SavedMessageListQuery.model_validate(request.args.to_dict())
-            reqparse.RequestParser()
+
-            .add_argument("last_id", type=uuid_value, location="args")
+        return SavedMessageService.pagination_by_last_id(
-            .add_argument("limit", type=int_range(1, 100), required=False, default=20, location="args")
+            app_model,
            current_user,
            str(args.last_id) if args.last_id else None,
            args.limit,
        )
        args = parser.parse_args()
        return SavedMessageService.pagination_by_last_id(app_model, current_user, args["last_id"], args["limit"])
    @console_ns.expect(console_ns.models[SavedMessageCreatePayload.__name__])
    def post(self, installed_app):
        current_user, _ = current_account_with_tenant()
        app_model = installed_app.app
        if app_model.mode != "completion":
            raise NotCompletionAppError()
-        parser = reqparse.RequestParser().add_argument("message_id", type=uuid_value, required=True, location="json")
+        payload = SavedMessageCreatePayload.model_validate(console_ns.payload or {})
        args = parser.parse_args()
        try:
-            SavedMessageService.save(app_model, current_user, args["message_id"])
+            SavedMessageService.save(app_model, current_user, str(payload.message_id))
        except MessageNotExistsError:
            raise NotFound("Message Not Exists.")
--- a/api/controllers/console/explore/workflow.py
+++ b/api/controllers/console/explore/workflow.py
@@ -1,8 +1,10 @@
 import logging
 from typing import Any
-from flask_restx import reqparse
+from pydantic import BaseModel
 from werkzeug.exceptions import InternalServerError
 from controllers.common.schema import register_schema_model
 from controllers.console.app.error import (
    CompletionRequestError,
    ProviderModelCurrentlyNotSupportError,
@@ -32,8 +34,17 @@ from .. import console_ns
 logger = logging.getLogger(__name__)
 class WorkflowRunPayload(BaseModel):
    inputs: dict[str, Any]
    files: list[dict[str, Any]] | None = None
 register_schema_model(console_ns, WorkflowRunPayload)
@console_ns.route("/installed-apps/<uuid:installed_app_id>/workflows/run")
 class InstalledAppWorkflowRunApi(InstalledAppResource):
    @console_ns.expect(console_ns.models[WorkflowRunPayload.__name__])
    def post(self, installed_app: InstalledApp):
        """
        Run workflow
@@ -46,12 +57,8 @@ class InstalledAppWorkflowRunApi(InstalledAppResource):
        if app_mode != AppMode.WORKFLOW:
            raise NotWorkflowAppError()
-        parser = (
+        payload = WorkflowRunPayload.model_validate(console_ns.payload or {})
-            reqparse.RequestParser()
+        args = payload.model_dump(exclude_none=True)
            .add_argument("inputs", type=dict, required=True, nullable=False, location="json")
            .add_argument("files", type=list, required=False, location="json")
        )
        args = parser.parse_args()
        try:
            response = AppGenerateService.generate(
                app_model=app_model, user=current_user, args=args, invoke_from=InvokeFrom.EXPLORE, streaming=True
--- a/api/controllers/console/files.py
+++ b/api/controllers/console/files.py
@@ -45,6 +45,9 @@ class FileApi(Resource):
            "video_file_size_limit": dify_config.UPLOAD_VIDEO_FILE_SIZE_LIMIT,
            "audio_file_size_limit": dify_config.UPLOAD_AUDIO_FILE_SIZE_LIMIT,
            "workflow_file_upload_limit": dify_config.WORKFLOW_FILE_UPLOAD_LIMIT,
            "image_file_batch_limit": dify_config.IMAGE_FILE_BATCH_LIMIT,
            "single_chunk_attachment_limit": dify_config.SINGLE_CHUNK_ATTACHMENT_LIMIT,
            "attachment_image_file_size_limit": dify_config.ATTACHMENT_IMAGE_FILE_SIZE_LIMIT,
        }, 200
    @setup_required
--- a/api/controllers/console/init_validate.py
+++ b/api/controllers/console/init_validate.py
@@ -1,13 +1,13 @@
 import os
 from flask import session
-from flask_restx import Resource, fields, reqparse
+from flask_restx import Resource, fields
 from pydantic import BaseModel, Field
 from sqlalchemy import select
 from sqlalchemy.orm import Session
 from configs import dify_config
 from extensions.ext_database import db
 from libs.helper import StrLen
 from models.model import DifySetup
 from services.account_service import TenantService
@@ -15,6 +15,18 @@ from . import console_ns
 from .error import AlreadySetupError, InitValidateFailedError
 from .wraps import only_edition_self_hosted
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class InitValidatePayload(BaseModel):
    password: str = Field(..., max_length=30)
 console_ns.schema_model(
    InitValidatePayload.__name__,
    InitValidatePayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
@console_ns.route("/init")
 class InitValidateAPI(Resource):
@@ -37,12 +49,7 @@ class InitValidateAPI(Resource):
    @console_ns.doc("validate_init_password")
    @console_ns.doc(description="Validate initialization password for self-hosted edition")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[InitValidatePayload.__name__])
        console_ns.model(
            "InitValidateRequest",
            {"password": fields.String(required=True, description="Initialization password", max_length=30)},
        )
    )
    @console_ns.response(
        201,
        "Success",
@@ -57,8 +64,8 @@ class InitValidateAPI(Resource):
        if tenant_count > 0:
            raise AlreadySetupError()
-        parser = reqparse.RequestParser().add_argument("password", type=StrLen(30), required=True, location="json")
+        payload = InitValidatePayload.model_validate(console_ns.payload)
-        input_password = parser.parse_args()["password"]
+        input_password = payload.password
        if input_password != os.environ.get("INIT_PASSWORD"):
            session["is_init_validated"] = False
--- a/api/controllers/console/remote_files.py
+++ b/api/controllers/console/remote_files.py
@@ -1,7 +1,8 @@
 import urllib.parse
 import httpx
-from flask_restx import Resource, marshal_with, reqparse
+from flask_restx import Resource, marshal_with
 from pydantic import BaseModel, Field
 import services
 from controllers.common import helpers
@@ -36,17 +37,23 @@ class RemoteFileInfoApi(Resource):
        }
-parser_upload = reqparse.RequestParser().add_argument("url", type=str, required=True, help="URL is required")
+class RemoteFileUploadPayload(BaseModel):
    url: str = Field(..., description="URL to fetch")
 console_ns.schema_model(
    RemoteFileUploadPayload.__name__,
    RemoteFileUploadPayload.model_json_schema(ref_template="#/definitions/{model}"),
 )
@console_ns.route("/remote-files/upload")
 class RemoteFileUploadApi(Resource):
-    @console_ns.expect(parser_upload)
+    @console_ns.expect(console_ns.models[RemoteFileUploadPayload.__name__])
    @marshal_with(file_fields_with_signed_url)
    def post(self):
-        args = parser_upload.parse_args()
+        args = RemoteFileUploadPayload.model_validate(console_ns.payload)
-
+        url = args.url
        url = args["url"]
        try:
            resp = ssrf_proxy.head(url=url)
--- a/api/controllers/console/setup.py
+++ b/api/controllers/console/setup.py
@@ -1,8 +1,9 @@
 from flask import request
-from flask_restx import Resource, fields, reqparse
+from flask_restx import Resource, fields
 from pydantic import BaseModel, Field, field_validator
 from configs import dify_config
-from libs.helper import StrLen, email, extract_remote_ip
+from libs.helper import EmailStr, extract_remote_ip
 from libs.password import valid_password
 from models.model import DifySetup, db
 from services.account_service import RegisterService, TenantService
@@ -12,6 +13,26 @@ from .error import AlreadySetupError, NotInitValidateError
 from .init_validate import get_init_validate_status
 from .wraps import only_edition_self_hosted
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class SetupRequestPayload(BaseModel):
    email: EmailStr = Field(..., description="Admin email address")
    name: str = Field(..., max_length=30, description="Admin name (max 30 characters)")
    password: str = Field(..., description="Admin password")
    language: str | None = Field(default=None, description="Admin language")
    @field_validator("password")
    @classmethod
    def validate_password(cls, value: str) -> str:
        return valid_password(value)
 console_ns.schema_model(
    SetupRequestPayload.__name__,
    SetupRequestPayload.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0),
 )
@console_ns.route("/setup")
 class SetupApi(Resource):
@@ -42,17 +63,7 @@ class SetupApi(Resource):
    @console_ns.doc("setup_system")
    @console_ns.doc(description="Initialize system setup with admin account")
-    @console_ns.expect(
+    @console_ns.expect(console_ns.models[SetupRequestPayload.__name__])
        console_ns.model(
            "SetupRequest",
            {
                "email": fields.String(required=True, description="Admin email address"),
                "name": fields.String(required=True, description="Admin name (max 30 characters)"),
                "password": fields.String(required=True, description="Admin password"),
                "language": fields.String(required=False, description="Admin language"),
            },
        )
    )
    @console_ns.response(
        201, "Success", console_ns.model("SetupResponse", {"result": fields.String(description="Setup result")})
    )
@@ -72,22 +83,15 @@ class SetupApi(Resource):
        if not get_init_validate_status():
            raise NotInitValidateError()
-        parser = (
+        args = SetupRequestPayload.model_validate(console_ns.payload)
            reqparse.RequestParser()
            .add_argument("email", type=email, required=True, location="json")
            .add_argument("name", type=StrLen(30), required=True, location="json")
            .add_argument("password", type=valid_password, required=True, location="json")
            .add_argument("language", type=str, required=False, location="json")
        )
        args = parser.parse_args()
        # setup
        RegisterService.setup(
-            email=args["email"],
+            email=args.email,
-            name=args["name"],
+            name=args.name,
-            password=args["password"],
+            password=args.password,
            ip_address=extract_remote_ip(request),
-            language=args["language"],
+            language=args.language,
        )
        return {"result": "success"}, 201
--- a/api/controllers/console/version.py
+++ b/api/controllers/console/version.py
@@ -2,8 +2,10 @@ import json
 import logging
 import httpx
-from flask_restx import Resource, fields, reqparse
+from flask import request
 from flask_restx import Resource, fields
 from packaging import version
 from pydantic import BaseModel, Field
 from configs import dify_config
@@ -11,8 +13,14 @@ from . import console_ns
 logger = logging.getLogger(__name__)
-parser = reqparse.RequestParser().add_argument(
+
-    "current_version", type=str, required=True, location="args", help="Current application version"
+class VersionQuery(BaseModel):
    current_version: str = Field(..., description="Current application version")
 console_ns.schema_model(
    VersionQuery.__name__,
    VersionQuery.model_json_schema(ref_template="#/definitions/{model}"),
 )
@@ -20,7 +28,7 @@ parser = reqparse.RequestParser().add_argument(
 class VersionApi(Resource):
    @console_ns.doc("check_version_update")
    @console_ns.doc(description="Check for application version updates")
-    @console_ns.expect(parser)
+    @console_ns.expect(console_ns.models[VersionQuery.__name__])
    @console_ns.response(
        200,
        "Success",
@@ -37,7 +45,7 @@ class VersionApi(Resource):
    )
    def get(self):
        """Check for application version updates"""
-        args = parser.parse_args()
+        args = VersionQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
        check_update_url = dify_config.CHECK_UPDATE_URL
        result = {
@@ -57,16 +65,16 @@ class VersionApi(Resource):
        try:
            response = httpx.get(
                check_update_url,
-                params={"current_version": args["current_version"]},
+                params={"current_version": args.current_version},
                timeout=httpx.Timeout(timeout=10.0, connect=3.0),
            )
        except Exception as error:
            logger.warning("Check update version error: %s.", str(error))
-            result["version"] = args["current_version"]
+            result["version"] = args.current_version
            return result
        content = json.loads(response.content)
-        if _has_new_version(latest_version=content["version"], current_version=f"{args['current_version']}"):
+        if _has_new_version(latest_version=content["version"], current_version=f"{args.current_version}"):
            result["version"] = content["version"]
            result["release_date"] = content["releaseDate"]
            result["release_notes"] = content["releaseNotes"]
--- a/api/controllers/console/workspace/account.py
+++ b/api/controllers/console/workspace/account.py
@@ -37,7 +37,7 @@ from controllers.console.wraps import (
 from extensions.ext_database import db
 from fields.member_fields import account_fields
 from libs.datetime_utils import naive_utc_now
-from libs.helper import TimestampField, email, extract_remote_ip, timezone
+from libs.helper import EmailStr, TimestampField, extract_remote_ip, timezone
 from libs.login import current_account_with_tenant, login_required
 from models import Account, AccountIntegrate, InvitationCode
 from services.account_service import AccountService
@@ -111,14 +111,9 @@ class AccountDeletePayload(BaseModel):
 class AccountDeletionFeedbackPayload(BaseModel):
-    email: str
+    email: EmailStr
    feedback: str
    @field_validator("email")
    @classmethod
    def validate_email(cls, value: str) -> str:
        return email(value)
 class EducationActivatePayload(BaseModel):
    token: str
@@ -133,45 +128,25 @@ class EducationAutocompleteQuery(BaseModel):
 class ChangeEmailSendPayload(BaseModel):
-    email: str
+    email: EmailStr
    language: str | None = None
    phase: str | None = None
    token: str | None = None
    @field_validator("email")
    @classmethod
    def validate_email(cls, value: str) -> str:
        return email(value)
 class ChangeEmailValidityPayload(BaseModel):
-    email: str
+    email: EmailStr
    code: str
    token: str
    @field_validator("email")
    @classmethod
    def validate_email(cls, value: str) -> str:
        return email(value)
 class ChangeEmailResetPayload(BaseModel):
-    new_email: str
+    new_email: EmailStr
    token: str
    @field_validator("new_email")
    @classmethod
    def validate_email(cls, value: str) -> str:
        return email(value)
 class CheckEmailUniquePayload(BaseModel):
-    email: str
+    email: EmailStr
    @field_validator("email")
    @classmethod
    def validate_email(cls, value: str) -> str:
        return email(value)
 def reg(cls: type[BaseModel]):
--- a/api/controllers/console/workspace/models.py
+++ b/api/controllers/console/workspace/models.py
@@ -230,7 +230,7 @@ class ModelProviderModelApi(Resource):
        return {"result": "success"}, 200
-    @console_ns.expect(console_ns.models[ParserDeleteModels.__name__], validate=True)
+    @console_ns.expect(console_ns.models[ParserDeleteModels.__name__])
    @setup_required
    @login_required
    @is_admin_or_owner_required
@@ -282,9 +282,10 @@ class ModelProviderModelCredentialApi(Resource):
                tenant_id=tenant_id, provider_name=provider
            )
        else:
-            model_type = args.model_type
+            # Normalize model_type to the origin value stored in DB (e.g., "text-generation" for LLM)
            normalized_model_type = args.model_type.to_origin_model_type()
            available_credentials = model_provider_service.provider_manager.get_provider_model_available_credentials(
-                tenant_id=tenant_id, provider_name=provider, model_type=model_type, model_name=args.model
+                tenant_id=tenant_id, provider_name=provider, model_type=normalized_model_type, model_name=args.model
            )
        return jsonable_encoder(
--- a/api/controllers/console/workspace/plugin.py
+++ b/api/controllers/console/workspace/plugin.py
@@ -46,8 +46,8 @@ class PluginDebuggingKeyApi(Resource):
 class ParserList(BaseModel):
-    page: int = Field(default=1)
+    page: int = Field(default=1, ge=1, description="Page number")
-    page_size: int = Field(default=256)
+    page_size: int = Field(default=256, ge=1, le=256, description="Page size (1-256)")
 reg(ParserList)
@@ -106,8 +106,8 @@ class ParserPluginIdentifierQuery(BaseModel):
 class ParserTasks(BaseModel):
-    page: int
+    page: int = Field(default=1, ge=1, description="Page number")
-    page_size: int
+    page_size: int = Field(default=256, ge=1, le=256, description="Page size (1-256)")
 class ParserMarketplaceUpgrade(BaseModel):
--- a/api/controllers/console/workspace/trigger_providers.py
+++ b/api/controllers/console/workspace/trigger_providers.py
@@ -22,7 +22,12 @@ from services.trigger.trigger_subscription_builder_service import TriggerSubscri
 from services.trigger.trigger_subscription_operator_service import TriggerSubscriptionOperatorService
 from .. import console_ns
-from ..wraps import account_initialization_required, is_admin_or_owner_required, setup_required
+from ..wraps import (
    account_initialization_required,
    edit_permission_required,
    is_admin_or_owner_required,
    setup_required,
 )
 logger = logging.getLogger(__name__)
@@ -72,7 +77,7 @@ class TriggerProviderInfoApi(Resource):
 class TriggerSubscriptionListApi(Resource):
    @setup_required
    @login_required
-    @is_admin_or_owner_required
+    @edit_permission_required
    @account_initialization_required
    def get(self, provider):
        """List all trigger subscriptions for the current tenant's provider"""
@@ -104,7 +109,7 @@ class TriggerSubscriptionBuilderCreateApi(Resource):
    @console_ns.expect(parser)
    @setup_required
    @login_required
-    @is_admin_or_owner_required
+    @edit_permission_required
    @account_initialization_required
    def post(self, provider):
        """Add a new subscription instance for a trigger provider"""
@@ -133,6 +138,7 @@ class TriggerSubscriptionBuilderCreateApi(Resource):
 class TriggerSubscriptionBuilderGetApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
    @account_initialization_required
    def get(self, provider, subscription_builder_id):
        """Get a subscription instance for a trigger provider"""
@@ -155,7 +161,7 @@ class TriggerSubscriptionBuilderVerifyApi(Resource):
    @console_ns.expect(parser_api)
    @setup_required
    @login_required
-    @is_admin_or_owner_required
+    @edit_permission_required
    @account_initialization_required
    def post(self, provider, subscription_builder_id):
        """Verify a subscription instance for a trigger provider"""
@@ -200,6 +206,7 @@ class TriggerSubscriptionBuilderUpdateApi(Resource):
    @console_ns.expect(parser_update_api)
    @setup_required
    @login_required
    @edit_permission_required
    @account_initialization_required
    def post(self, provider, subscription_builder_id):
        """Update a subscription instance for a trigger provider"""
@@ -233,6 +240,7 @@ class TriggerSubscriptionBuilderUpdateApi(Resource):
 class TriggerSubscriptionBuilderLogsApi(Resource):
    @setup_required
    @login_required
    @edit_permission_required
    @account_initialization_required
    def get(self, provider, subscription_builder_id):
        """Get the request logs for a subscription instance for a trigger provider"""
@@ -255,7 +263,7 @@ class TriggerSubscriptionBuilderBuildApi(Resource):
    @console_ns.expect(parser_update_api)
    @setup_required
    @login_required
-    @is_admin_or_owner_required
+    @edit_permission_required
    @account_initialization_required
    def post(self, provider, subscription_builder_id):
        """Build a subscription instance for a trigger provider"""
--- a/api/controllers/console/wraps.py
+++ b/api/controllers/console/wraps.py
@@ -331,3 +331,91 @@ def is_admin_or_owner_required(f: Callable[P, R]):
        return f(*args, **kwargs)
    return decorated_function
 def annotation_import_rate_limit(view: Callable[P, R]):
    """
    Rate limiting decorator for annotation import operations.
    Implements sliding window rate limiting with two tiers:
    - Short-term: Configurable requests per minute (default: 5)
    - Long-term: Configurable requests per hour (default: 20)
    Uses Redis ZSET for distributed rate limiting across multiple instances.
    """
    @wraps(view)
    def decorated(*args: P.args, **kwargs: P.kwargs):
        _, current_tenant_id = current_account_with_tenant()
        current_time = int(time.time() * 1000)
        # Check per-minute rate limit
        minute_key = f"annotation_import_rate_limit:{current_tenant_id}:1min"
        redis_client.zadd(minute_key, {current_time: current_time})
        redis_client.zremrangebyscore(minute_key, 0, current_time - 60000)
        minute_count = redis_client.zcard(minute_key)
        redis_client.expire(minute_key, 120)  # 2 minutes TTL
        if minute_count > dify_config.ANNOTATION_IMPORT_RATE_LIMIT_PER_MINUTE:
            abort(
                429,
                f"Too many annotation import requests. Maximum {dify_config.ANNOTATION_IMPORT_RATE_LIMIT_PER_MINUTE} "
                f"requests per minute allowed. Please try again later.",
            )
        # Check per-hour rate limit
        hour_key = f"annotation_import_rate_limit:{current_tenant_id}:1hour"
        redis_client.zadd(hour_key, {current_time: current_time})
        redis_client.zremrangebyscore(hour_key, 0, current_time - 3600000)
        hour_count = redis_client.zcard(hour_key)
        redis_client.expire(hour_key, 7200)  # 2 hours TTL
        if hour_count > dify_config.ANNOTATION_IMPORT_RATE_LIMIT_PER_HOUR:
            abort(
                429,
                f"Too many annotation import requests. Maximum {dify_config.ANNOTATION_IMPORT_RATE_LIMIT_PER_HOUR} "
                f"requests per hour allowed. Please try again later.",
            )
        return view(*args, **kwargs)
    return decorated
 def annotation_import_concurrency_limit(view: Callable[P, R]):
    """
    Concurrency control decorator for annotation import operations.
    Limits the number of concurrent import tasks per tenant to prevent
    resource exhaustion and ensure fair resource allocation.
    Uses Redis ZSET to track active import jobs with automatic cleanup
    of stale entries (jobs older than 2 minutes).
    """
    @wraps(view)
    def decorated(*args: P.args, **kwargs: P.kwargs):
        _, current_tenant_id = current_account_with_tenant()
        current_time = int(time.time() * 1000)
        active_jobs_key = f"annotation_import_active:{current_tenant_id}"
        # Clean up stale entries (jobs that should have completed or timed out)
        stale_threshold = current_time - 120000  # 2 minutes ago
        redis_client.zremrangebyscore(active_jobs_key, 0, stale_threshold)
        # Check current active job count
        active_count = redis_client.zcard(active_jobs_key)
        if active_count >= dify_config.ANNOTATION_IMPORT_MAX_CONCURRENT:
            abort(
                429,
                f"Too many concurrent import tasks. Maximum {dify_config.ANNOTATION_IMPORT_MAX_CONCURRENT} "
                f"concurrent imports allowed per workspace. Please wait for existing imports to complete.",
            )
        # Allow the request to proceed
        # The actual job registration will happen in the service layer
        return view(*args, **kwargs)
    return decorated
--- a/api/controllers/files/image_preview.py
+++ b/api/controllers/files/image_preview.py
@@ -1,7 +1,8 @@
 from urllib.parse import quote
 from flask import Response, request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import NotFound
 import services
@@ -11,6 +12,26 @@ from extensions.ext_database import db
 from services.account_service import TenantService
 from services.file_service import FileService
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class FileSignatureQuery(BaseModel):
    timestamp: str = Field(..., description="Unix timestamp used in the signature")
    nonce: str = Field(..., description="Random string for signature")
    sign: str = Field(..., description="HMAC signature")
 class FilePreviewQuery(FileSignatureQuery):
    as_attachment: bool = Field(default=False, description="Whether to download as attachment")
 files_ns.schema_model(
    FileSignatureQuery.__name__, FileSignatureQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
 files_ns.schema_model(
    FilePreviewQuery.__name__, FilePreviewQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
@files_ns.route("/<uuid:file_id>/image-preview")
 class ImagePreviewApi(Resource):
@@ -36,12 +57,10 @@ class ImagePreviewApi(Resource):
    def get(self, file_id):
        file_id = str(file_id)
-        timestamp = request.args.get("timestamp")
+        args = FileSignatureQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
-        nonce = request.args.get("nonce")
+        timestamp = args.timestamp
-        sign = request.args.get("sign")
+        nonce = args.nonce
-
+        sign = args.sign
        if not timestamp or not nonce or not sign:
            return {"content": "Invalid request."}, 400
        try:
            generator, mimetype = FileService(db.engine).get_image_preview(
@@ -80,25 +99,14 @@ class FilePreviewApi(Resource):
    def get(self, file_id):
        file_id = str(file_id)
-        parser = (
+        args = FilePreviewQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
            reqparse.RequestParser()
            .add_argument("timestamp", type=str, required=True, location="args")
            .add_argument("nonce", type=str, required=True, location="args")
            .add_argument("sign", type=str, required=True, location="args")
            .add_argument("as_attachment", type=bool, required=False, default=False, location="args")
        )
        args = parser.parse_args()
        if not args["timestamp"] or not args["nonce"] or not args["sign"]:
            return {"content": "Invalid request."}, 400
        try:
            generator, upload_file = FileService(db.engine).get_file_generator_by_file_id(
                file_id=file_id,
-                timestamp=args["timestamp"],
+                timestamp=args.timestamp,
-                nonce=args["nonce"],
+                nonce=args.nonce,
-                sign=args["sign"],
+                sign=args.sign,
            )
        except services.errors.file.UnsupportedFileTypeError:
            raise UnsupportedFileTypeError()
@@ -125,7 +133,7 @@ class FilePreviewApi(Resource):
            response.headers["Accept-Ranges"] = "bytes"
        if upload_file.size > 0:
            response.headers["Content-Length"] = str(upload_file.size)
-        if args["as_attachment"]:
+        if args.as_attachment:
            encoded_filename = quote(upload_file.name)
            response.headers["Content-Disposition"] = f"attachment; filename*=UTF-8''{encoded_filename}"
            response.headers["Content-Type"] = "application/octet-stream"
--- a/api/controllers/files/tool_files.py
+++ b/api/controllers/files/tool_files.py
@@ -1,7 +1,8 @@
 from urllib.parse import quote
-from flask import Response
+from flask import Response, request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import Forbidden, NotFound
 from controllers.common.errors import UnsupportedFileTypeError
@@ -10,6 +11,20 @@ from core.tools.signature import verify_tool_file_signature
 from core.tools.tool_file_manager import ToolFileManager
 from extensions.ext_database import db as global_db
 DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
 class ToolFileQuery(BaseModel):
    timestamp: str = Field(..., description="Unix timestamp")
    nonce: str = Field(..., description="Random nonce")
    sign: str = Field(..., description="HMAC signature")
    as_attachment: bool = Field(default=False, description="Download as attachment")
 files_ns.schema_model(
    ToolFileQuery.__name__, ToolFileQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
@files_ns.route("/tools/<uuid:file_id>.<string:extension>")
 class ToolFileApi(Resource):
@@ -36,18 +51,8 @@ class ToolFileApi(Resource):
    def get(self, file_id, extension):
        file_id = str(file_id)
-        parser = (
+        args = ToolFileQuery.model_validate(request.args.to_dict())
-            reqparse.RequestParser()
+        if not verify_tool_file_signature(file_id=file_id, timestamp=args.timestamp, nonce=args.nonce, sign=args.sign):
            .add_argument("timestamp", type=str, required=True, location="args")
            .add_argument("nonce", type=str, required=True, location="args")
            .add_argument("sign", type=str, required=True, location="args")
            .add_argument("as_attachment", type=bool, required=False, default=False, location="args")
        )
        args = parser.parse_args()
        if not verify_tool_file_signature(
            file_id=file_id, timestamp=args["timestamp"], nonce=args["nonce"], sign=args["sign"]
        ):
            raise Forbidden("Invalid request.")
        try:
@@ -69,7 +74,7 @@ class ToolFileApi(Resource):
        )
        if tool_file.size > 0:
            response.headers["Content-Length"] = str(tool_file.size)
-        if args["as_attachment"]:
+        if args.as_attachment:
            encoded_filename = quote(tool_file.name)
            response.headers["Content-Disposition"] = f"attachment; filename*=UTF-8''{encoded_filename}"
--- a/api/controllers/files/upload.py
+++ b/api/controllers/files/upload.py
@@ -1,40 +1,45 @@
 from mimetypes import guess_extension
-from flask_restx import Resource, reqparse
+from flask import request
 from flask_restx import Resource
 from flask_restx.api import HTTPStatus
 from pydantic import BaseModel, Field
 from werkzeug.datastructures import FileStorage
 from werkzeug.exceptions import Forbidden
 import services
 from controllers.common.errors import (
    FileTooLargeError,
    UnsupportedFileTypeError,
 )
 from controllers.console.wraps import setup_required
 from controllers.files import files_ns
 from controllers.inner_api.plugin.wraps import get_user
 from core.file.helpers import verify_plugin_file_signature
 from core.tools.tool_file_manager import ToolFileManager
 from fields.file_fields import build_file_model
-# Define parser for both documentation and validation
+from ..common.errors import (
-upload_parser = (
+    FileTooLargeError,
-    reqparse.RequestParser()
+    UnsupportedFileTypeError,
-    .add_argument("file", location="files", type=FileStorage, required=True, help="File to upload")
+)
-    .add_argument(
+from ..console.wraps import setup_required
-        "timestamp", type=str, required=True, location="args", help="Unix timestamp for signature verification"
+from ..files import files_ns
-    )
+from ..inner_api.plugin.wraps import get_user
-    .add_argument("nonce", type=str, required=True, location="args", help="Random string for signature verification")
+
-    .add_argument("sign", type=str, required=True, location="args", help="HMAC signature for request validation")
+DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
-    .add_argument("tenant_id", type=str, required=True, location="args", help="Tenant identifier")
+
-    .add_argument("user_id", type=str, required=False, location="args", help="User identifier")
+
 class PluginUploadQuery(BaseModel):
    timestamp: str = Field(..., description="Unix timestamp for signature verification")
    nonce: str = Field(..., description="Random nonce for signature verification")
    sign: str = Field(..., description="HMAC signature")
    tenant_id: str = Field(..., description="Tenant identifier")
    user_id: str | None = Field(default=None, description="User identifier")
 files_ns.schema_model(
    PluginUploadQuery.__name__, PluginUploadQuery.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0)
 )
@files_ns.route("/upload/for-plugin")
 class PluginUploadFileApi(Resource):
    @setup_required
-    @files_ns.expect(upload_parser)
+    @files_ns.expect(files_ns.models[PluginUploadQuery.__name__])
    @files_ns.doc("upload_plugin_file")
    @files_ns.doc(description="Upload a file for plugin usage with signature verification")
    @files_ns.doc(
@@ -62,15 +67,17 @@ class PluginUploadFileApi(Resource):
            FileTooLargeError: File exceeds size limit
            UnsupportedFileTypeError: File type not supported
        """
-        # Parse and validate all arguments
+        args = PluginUploadQuery.model_validate(request.args.to_dict(flat=True))  # type: ignore
        args = upload_parser.parse_args()
-        file: FileStorage = args["file"]
+        file: FileStorage | None = request.files.get("file")
-        timestamp: str = args["timestamp"]
+        if file is None:
-        nonce: str = args["nonce"]
+            raise Forbidden("File is required.")
-        sign: str = args["sign"]
+
-        tenant_id: str = args["tenant_id"]
+        timestamp = args.timestamp
-        user_id: str | None = args.get("user_id")
+        nonce = args.nonce
        sign = args.sign
        tenant_id = args.tenant_id
        user_id = args.user_id
        user = get_user(tenant_id, user_id)
        filename: str | None = file.filename
--- a/api/controllers/inner_api/mail.py
+++ b/api/controllers/inner_api/mail.py
@@ -1,29 +1,38 @@
-from flask_restx import Resource, reqparse
+from typing import Any
 from flask_restx import Resource
 from pydantic import BaseModel, Field
 from controllers.common.schema import register_schema_model
 from controllers.console.wraps import setup_required
 from controllers.inner_api import inner_api_ns
 from controllers.inner_api.wraps import billing_inner_api_only, enterprise_inner_api_only
 from tasks.mail_inner_task import send_inner_email_task
-_mail_parser = (
+
-    reqparse.RequestParser()
+class InnerMailPayload(BaseModel):
-    .add_argument("to", type=str, action="append", required=True)
+    to: list[str] = Field(description="Recipient email addresses", min_length=1)
-    .add_argument("subject", type=str, required=True)
+    subject: str
-    .add_argument("body", type=str, required=True)
+    body: str
-    .add_argument("substitutions", type=dict, required=False)
+    substitutions: dict[str, Any] | None = None
-)
+
 register_schema_model(inner_api_ns, InnerMailPayload)
 class BaseMail(Resource):
    """Shared logic for sending an inner email."""
    @inner_api_ns.doc("send_inner_mail")
    @inner_api_ns.doc(description="Send internal email")
    @inner_api_ns.expect(inner_api_ns.models[InnerMailPayload.__name__])
    def post(self):
-        args = _mail_parser.parse_args()
+        args = InnerMailPayload.model_validate(inner_api_ns.payload or {})
-        send_inner_email_task.delay(  # type: ignore
+        send_inner_email_task.delay(
-            to=args["to"],
+            to=args.to,
-            subject=args["subject"],
+            subject=args.subject,
-            body=args["body"],
+            body=args.body,
-            substitutions=args["substitutions"],
+            substitutions=args.substitutions,  # type: ignore
        )
        return {"message": "success"}, 200
@@ -34,7 +43,7 @@ class EnterpriseMail(BaseMail):
    @inner_api_ns.doc("send_enterprise_mail")
    @inner_api_ns.doc(description="Send internal email for enterprise features")
-    @inner_api_ns.expect(_mail_parser)
+    @inner_api_ns.expect(inner_api_ns.models[InnerMailPayload.__name__])
    @inner_api_ns.doc(
        responses={200: "Email sent successfully", 401: "Unauthorized - invalid API key", 404: "Service not available"}
    )
@@ -56,7 +65,7 @@ class BillingMail(BaseMail):
    @inner_api_ns.doc("send_billing_mail")
    @inner_api_ns.doc(description="Send internal email for billing notifications")
-    @inner_api_ns.expect(_mail_parser)
+    @inner_api_ns.expect(inner_api_ns.models[InnerMailPayload.__name__])
    @inner_api_ns.doc(
        responses={200: "Email sent successfully", 401: "Unauthorized - invalid API key", 404: "Service not available"}
    )
--- a/api/controllers/inner_api/plugin/wraps.py
+++ b/api/controllers/inner_api/plugin/wraps.py
@@ -1,10 +1,9 @@
 from collections.abc import Callable
 from functools import wraps
-from typing import ParamSpec, TypeVar, cast
+from typing import ParamSpec, TypeVar
 from flask import current_app, request
 from flask_login import user_logged_in
 from flask_restx import reqparse
 from pydantic import BaseModel
 from sqlalchemy.orm import Session
@@ -17,6 +16,11 @@ P = ParamSpec("P")
 R = TypeVar("R")
 class TenantUserPayload(BaseModel):
    tenant_id: str
    user_id: str
 def get_user(tenant_id: str, user_id: str | None) -> EndUser:
    """
    Get current user
@@ -67,58 +71,45 @@ def get_user(tenant_id: str, user_id: str | None) -> EndUser:
    return user_model
-def get_user_tenant(view: Callable[P, R] | None = None):
+def get_user_tenant(view_func: Callable[P, R]):
-    def decorator(view_func: Callable[P, R]):
+    @wraps(view_func)
-        @wraps(view_func)
+    def decorated_view(*args: P.args, **kwargs: P.kwargs):
-        def decorated_view(*args: P.args, **kwargs: P.kwargs):
+        payload = TenantUserPayload.model_validate(request.get_json(silent=True) or {})
            # fetch json body
            parser = (
                reqparse.RequestParser()
                .add_argument("tenant_id", type=str, required=True, location="json")
                .add_argument("user_id", type=str, required=True, location="json")
            )
-            p = parser.parse_args()
+        user_id = payload.user_id
        tenant_id = payload.tenant_id
-            user_id = cast(str, p.get("user_id"))
+        if not tenant_id:
-            tenant_id = cast(str, p.get("tenant_id"))
+            raise ValueError("tenant_id is required")
-            if not tenant_id:
+        if not user_id:
-                raise ValueError("tenant_id is required")
+            user_id = DefaultEndUserSessionID.DEFAULT_SESSION_ID
-            if not user_id:
+        try:
-                user_id = DefaultEndUserSessionID.DEFAULT_SESSION_ID
+            tenant_model = (
-
+                db.session.query(Tenant)
-            try:
+                .where(
-                tenant_model = (
+                    Tenant.id == tenant_id,
                    db.session.query(Tenant)
                    .where(
                        Tenant.id == tenant_id,
                    )
                    .first()
                )
-            except Exception:
+                .first()
-                raise ValueError("tenant not found")
+            )
        except Exception:
            raise ValueError("tenant not found")
-            if not tenant_model:
+        if not tenant_model:
-                raise ValueError("tenant not found")
+            raise ValueError("tenant not found")
-            kwargs["tenant_model"] = tenant_model
+        kwargs["tenant_model"] = tenant_model
-            user = get_user(tenant_id, user_id)
+        user = get_user(tenant_id, user_id)
-            kwargs["user_model"] = user
+        kwargs["user_model"] = user
-            current_app.login_manager._update_request_context_with_user(user)  # type: ignore
+        current_app.login_manager._update_request_context_with_user(user)  # type: ignore
-            user_logged_in.send(current_app._get_current_object(), user=current_user)  # type: ignore
+        user_logged_in.send(current_app._get_current_object(), user=current_user)  # type: ignore
-            return view_func(*args, **kwargs)
+        return view_func(*args, **kwargs)
-        return decorated_view
+    return decorated_view
    if view is None:
        return decorator
    else:
        return decorator(view)
 def plugin_data(view: Callable[P, R] | None = None, *, payload_type: type[BaseModel]):
--- a/api/controllers/inner_api/workspace/workspace.py
+++ b/api/controllers/inner_api/workspace/workspace.py
@@ -1,7 +1,9 @@
 import json
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel
 from controllers.common.schema import register_schema_models
 from controllers.console.wraps import setup_required
 from controllers.inner_api import inner_api_ns
 from controllers.inner_api.wraps import enterprise_inner_api_only
@@ -11,12 +13,25 @@ from models import Account
 from services.account_service import TenantService
 class WorkspaceCreatePayload(BaseModel):
    name: str
    owner_email: str
 class WorkspaceOwnerlessPayload(BaseModel):
    name: str
 register_schema_models(inner_api_ns, WorkspaceCreatePayload, WorkspaceOwnerlessPayload)
@inner_api_ns.route("/enterprise/workspace")
 class EnterpriseWorkspace(Resource):
    @setup_required
    @enterprise_inner_api_only
    @inner_api_ns.doc("create_enterprise_workspace")
    @inner_api_ns.doc(description="Create a new enterprise workspace with owner assignment")
    @inner_api_ns.expect(inner_api_ns.models[WorkspaceCreatePayload.__name__])
    @inner_api_ns.doc(
        responses={
            200: "Workspace created successfully",
@@ -25,18 +40,13 @@ class EnterpriseWorkspace(Resource):
        }
    )
    def post(self):
-        parser = (
+        args = WorkspaceCreatePayload.model_validate(inner_api_ns.payload or {})
            reqparse.RequestParser()
            .add_argument("name", type=str, required=True, location="json")
            .add_argument("owner_email", type=str, required=True, location="json")
        )
        args = parser.parse_args()
-        account = db.session.query(Account).filter_by(email=args["owner_email"]).first()
+        account = db.session.query(Account).filter_by(email=args.owner_email).first()
        if account is None:
            return {"message": "owner account not found."}, 404
-        tenant = TenantService.create_tenant(args["name"], is_from_dashboard=True)
+        tenant = TenantService.create_tenant(args.name, is_from_dashboard=True)
        TenantService.create_tenant_member(tenant, account, role="owner")
        tenant_was_created.send(tenant)
@@ -62,6 +72,7 @@ class EnterpriseWorkspaceNoOwnerEmail(Resource):
    @enterprise_inner_api_only
    @inner_api_ns.doc("create_enterprise_workspace_ownerless")
    @inner_api_ns.doc(description="Create a new enterprise workspace without initial owner assignment")
    @inner_api_ns.expect(inner_api_ns.models[WorkspaceOwnerlessPayload.__name__])
    @inner_api_ns.doc(
        responses={
            200: "Workspace created successfully",
@@ -70,10 +81,9 @@ class EnterpriseWorkspaceNoOwnerEmail(Resource):
        }
    )
    def post(self):
-        parser = reqparse.RequestParser().add_argument("name", type=str, required=True, location="json")
+        args = WorkspaceOwnerlessPayload.model_validate(inner_api_ns.payload or {})
        args = parser.parse_args()
-        tenant = TenantService.create_tenant(args["name"], is_from_dashboard=True)
+        tenant = TenantService.create_tenant(args.name, is_from_dashboard=True)
        tenant_was_created.send(tenant)
--- a/api/controllers/mcp/mcp.py
+++ b/api/controllers/mcp/mcp.py
@@ -1,10 +1,11 @@
-from typing import Union
+from typing import Any, Union
 from flask import Response
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
-from pydantic import ValidationError
+from pydantic import BaseModel, Field, ValidationError
 from sqlalchemy.orm import Session
 from controllers.common.schema import register_schema_model
 from controllers.console.app.mcp_server import AppMCPServerStatus
 from controllers.mcp import mcp_ns
 from core.app.app_config.entities import VariableEntity
@@ -24,27 +25,19 @@ class MCPRequestError(Exception):
        super().__init__(message)
-def int_or_str(value):
+class MCPRequestPayload(BaseModel):
-    """Validate that a value is either an integer or string."""
+    jsonrpc: str = Field(description="JSON-RPC version (should be '2.0')")
-    if isinstance(value, (int, str)):
+    method: str = Field(description="The method to invoke")
-        return value
+    params: dict[str, Any] | None = Field(default=None, description="Parameters for the method")
-    else:
+    id: int | str | None = Field(default=None, description="Request ID for tracking responses")
        return None
-# Define parser for both documentation and validation
+register_schema_model(mcp_ns, MCPRequestPayload)
 mcp_request_parser = (
    reqparse.RequestParser()
    .add_argument("jsonrpc", type=str, required=True, location="json", help="JSON-RPC version (should be '2.0')")
    .add_argument("method", type=str, required=True, location="json", help="The method to invoke")
    .add_argument("params", type=dict, required=False, location="json", help="Parameters for the method")
    .add_argument("id", type=int_or_str, required=False, location="json", help="Request ID for tracking responses")
 )
@mcp_ns.route("/server/<string:server_code>/mcp")
 class MCPAppApi(Resource):
-    @mcp_ns.expect(mcp_request_parser)
+    @mcp_ns.expect(mcp_ns.models[MCPRequestPayload.__name__])
    @mcp_ns.doc("handle_mcp_request")
    @mcp_ns.doc(description="Handle Model Context Protocol (MCP) requests for a specific server")
    @mcp_ns.doc(params={"server_code": "Unique identifier for the MCP server"})
@@ -70,9 +63,9 @@ class MCPAppApi(Resource):
        Raises:
            ValidationError: Invalid request format or parameters
        """
-        args = mcp_request_parser.parse_args()
+        args = MCPRequestPayload.model_validate(mcp_ns.payload or {})
-        request_id: Union[int, str] | None = args.get("id")
+        request_id: Union[int, str] | None = args.id
-        mcp_request = self._parse_mcp_request(args)
+        mcp_request = self._parse_mcp_request(args.model_dump(exclude_none=True))
        with Session(db.engine, expire_on_commit=False) as session:
            # Get MCP server and app
--- a/api/controllers/service_api/app/annotation.py
+++ b/api/controllers/service_api/app/annotation.py
@@ -1,9 +1,11 @@
 from typing import Literal
 from flask import request
-from flask_restx import Api, Namespace, Resource, fields, reqparse
+from flask_restx import Api, Namespace, Resource, fields
 from flask_restx.api import HTTPStatus
 from pydantic import BaseModel, Field
 from controllers.common.schema import register_schema_models
 from controllers.console.wraps import edit_permission_required
 from controllers.service_api import service_api_ns
 from controllers.service_api.wraps import validate_app_token
@@ -12,26 +14,24 @@ from fields.annotation_fields import annotation_fields, build_annotation_model
 from models.model import App
 from services.annotation_service import AppAnnotationService
 # Define parsers for annotation API
 annotation_create_parser = (
    reqparse.RequestParser()
    .add_argument("question", required=True, type=str, location="json", help="Annotation question")
    .add_argument("answer", required=True, type=str, location="json", help="Annotation answer")
 )
-annotation_reply_action_parser = (
+class AnnotationCreatePayload(BaseModel):
-    reqparse.RequestParser()
+    question: str = Field(description="Annotation question")
-    .add_argument(
+    answer: str = Field(description="Annotation answer")
-        "score_threshold", required=True, type=float, location="json", help="Score threshold for annotation matching"
+
-    )
+
-    .add_argument("embedding_provider_name", required=True, type=str, location="json", help="Embedding provider name")
+class AnnotationReplyActionPayload(BaseModel):
-    .add_argument("embedding_model_name", required=True, type=str, location="json", help="Embedding model name")
+    score_threshold: float = Field(description="Score threshold for annotation matching")
-)
+    embedding_provider_name: str = Field(description="Embedding provider name")
    embedding_model_name: str = Field(description="Embedding model name")
 register_schema_models(service_api_ns, AnnotationCreatePayload, AnnotationReplyActionPayload)
@service_api_ns.route("/apps/annotation-reply/<string:action>")
 class AnnotationReplyActionApi(Resource):
-    @service_api_ns.expect(annotation_reply_action_parser)
+    @service_api_ns.expect(service_api_ns.models[AnnotationReplyActionPayload.__name__])
    @service_api_ns.doc("annotation_reply_action")
    @service_api_ns.doc(description="Enable or disable annotation reply feature")
    @service_api_ns.doc(params={"action": "Action to perform: 'enable' or 'disable'"})
@@ -44,7 +44,7 @@ class AnnotationReplyActionApi(Resource):
    @validate_app_token
    def post(self, app_model: App, action: Literal["enable", "disable"]):
        """Enable or disable annotation reply feature."""
-        args = annotation_reply_action_parser.parse_args()
+        args = AnnotationReplyActionPayload.model_validate(service_api_ns.payload or {}).model_dump()
        if action == "enable":
            result = AppAnnotationService.enable_app_annotation(args, app_model.id)
        elif action == "disable":
@@ -126,7 +126,7 @@ class AnnotationListApi(Resource):
            "page": page,
        }
-    @service_api_ns.expect(annotation_create_parser)
+    @service_api_ns.expect(service_api_ns.models[AnnotationCreatePayload.__name__])
    @service_api_ns.doc("create_annotation")
    @service_api_ns.doc(description="Create a new annotation")
    @service_api_ns.doc(
@@ -139,14 +139,14 @@ class AnnotationListApi(Resource):
    @service_api_ns.marshal_with(build_annotation_model(service_api_ns), code=HTTPStatus.CREATED)
    def post(self, app_model: App):
        """Create a new annotation."""
-        args = annotation_create_parser.parse_args()
+        args = AnnotationCreatePayload.model_validate(service_api_ns.payload or {}).model_dump()
        annotation = AppAnnotationService.insert_app_annotation_directly(args, app_model.id)
        return annotation, 201
@service_api_ns.route("/apps/annotations/<uuid:annotation_id>")
 class AnnotationUpdateDeleteApi(Resource):
-    @service_api_ns.expect(annotation_create_parser)
+    @service_api_ns.expect(service_api_ns.models[AnnotationCreatePayload.__name__])
    @service_api_ns.doc("update_annotation")
    @service_api_ns.doc(description="Update an existing annotation")
    @service_api_ns.doc(params={"annotation_id": "Annotation ID"})
@@ -163,7 +163,7 @@ class AnnotationUpdateDeleteApi(Resource):
    @service_api_ns.marshal_with(build_annotation_model(service_api_ns))
    def put(self, app_model: App, annotation_id: str):
        """Update an existing annotation."""
-        args = annotation_create_parser.parse_args()
+        args = AnnotationCreatePayload.model_validate(service_api_ns.payload or {}).model_dump()
        annotation = AppAnnotationService.update_app_annotation_directly(args, app_model.id, annotation_id)
        return annotation
--- a/api/controllers/service_api/app/audio.py
+++ b/api/controllers/service_api/app/audio.py
@@ -1,10 +1,12 @@
 import logging
 from flask import request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from werkzeug.exceptions import InternalServerError
 import services
 from controllers.common.schema import register_schema_model
 from controllers.service_api import service_api_ns
 from controllers.service_api.app.error import (
    AppUnavailableError,
@@ -84,19 +86,19 @@ class AudioApi(Resource):
            raise InternalServerError()
-# Define parser for text-to-audio API
+class TextToAudioPayload(BaseModel):
-text_to_audio_parser = (
+    message_id: str | None = Field(default=None, description="Message ID")
-    reqparse.RequestParser()
+    voice: str | None = Field(default=None, description="Voice to use for TTS")
-    .add_argument("message_id", type=str, required=False, location="json", help="Message ID")
+    text: str | None = Field(default=None, description="Text to convert to audio")
-    .add_argument("voice", type=str, location="json", help="Voice to use for TTS")
+    streaming: bool | None = Field(default=None, description="Enable streaming response")
-    .add_argument("text", type=str, location="json", help="Text to convert to audio")
+
-    .add_argument("streaming", type=bool, location="json", help="Enable streaming response")
+
-)
+register_schema_model(service_api_ns, TextToAudioPayload)
@service_api_ns.route("/text-to-audio")
 class TextApi(Resource):
-    @service_api_ns.expect(text_to_audio_parser)
+    @service_api_ns.expect(service_api_ns.models[TextToAudioPayload.__name__])
    @service_api_ns.doc("text_to_audio")
    @service_api_ns.doc(description="Convert text to audio using text-to-speech")
    @service_api_ns.doc(
@@ -114,11 +116,11 @@ class TextApi(Resource):
        Converts the provided text to audio using the specified voice.
        """
        try:
-            args = text_to_audio_parser.parse_args()
+            payload = TextToAudioPayload.model_validate(service_api_ns.payload or {})
-            message_id = args.get("message_id", None)
+            message_id = payload.message_id
-            text = args.get("text", None)
+            text = payload.text
-            voice = args.get("voice", None)
+            voice = payload.voice
            response = AudioService.transcript_tts(
                app_model=app_model, text=text, voice=voice, end_user=end_user.external_user_id, message_id=message_id
            )
--- a/api/controllers/service_api/app/completion.py
+++ b/api/controllers/service_api/app/completion.py
@@ -1,10 +1,14 @@
 import logging
 from typing import Any, Literal
 from uuid import UUID
 from flask import request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field, field_validator
 from werkzeug.exceptions import BadRequest, InternalServerError, NotFound
 import services
 from controllers.common.schema import register_schema_models
 from controllers.service_api import service_api_ns
 from controllers.service_api.app.error import (
    AppUnavailableError,
@@ -26,7 +30,6 @@ from core.errors.error import (
 from core.helper.trace_id_helper import get_external_trace_id
 from core.model_runtime.errors.invoke import InvokeError
 from libs import helper
 from libs.helper import uuid_value
 from models.model import App, AppMode, EndUser
 from services.app_generate_service import AppGenerateService
 from services.app_task_service import AppTaskService
@@ -36,40 +39,46 @@ from services.errors.llm import InvokeRateLimitError
 logger = logging.getLogger(__name__)
-# Define parser for completion API
+class CompletionRequestPayload(BaseModel):
-completion_parser = (
+    inputs: dict[str, Any]
-    reqparse.RequestParser()
+    query: str = Field(default="")
-    .add_argument("inputs", type=dict, required=True, location="json", help="Input parameters for completion")
+    files: list[dict[str, Any]] | None = None
-    .add_argument("query", type=str, location="json", default="", help="The query string")
+    response_mode: Literal["blocking", "streaming"] | None = None
-    .add_argument("files", type=list, required=False, location="json", help="List of file attachments")
+    retriever_from: str = Field(default="dev")
    .add_argument("response_mode", type=str, choices=["blocking", "streaming"], location="json", help="Response mode")
    .add_argument("retriever_from", type=str, required=False, default="dev", location="json", help="Retriever source")
 )
-# Define parser for chat API
+
-chat_parser = (
+class ChatRequestPayload(BaseModel):
-    reqparse.RequestParser()
+    inputs: dict[str, Any]
-    .add_argument("inputs", type=dict, required=True, location="json", help="Input parameters for chat")
+    query: str
-    .add_argument("query", type=str, required=True, location="json", help="The chat query")
+    files: list[dict[str, Any]] | None = None
-    .add_argument("files", type=list, required=False, location="json", help="List of file attachments")
+    response_mode: Literal["blocking", "streaming"] | None = None
-    .add_argument("response_mode", type=str, choices=["blocking", "streaming"], location="json", help="Response mode")
+    conversation_id: str | None = Field(default=None, description="Conversation UUID")
-    .add_argument("conversation_id", type=uuid_value, location="json", help="Existing conversation ID")
+    retriever_from: str = Field(default="dev")
-    .add_argument("retriever_from", type=str, required=False, default="dev", location="json", help="Retriever source")
+    auto_generate_name: bool = Field(default=True, description="Auto generate conversation name")
-    .add_argument(
+    workflow_id: str | None = Field(default=None, description="Workflow ID for advanced chat")
-        "auto_generate_name",
+
-        type=bool,
+    @field_validator("conversation_id", mode="before")
-        required=False,
+    @classmethod
-        default=True,
+    def normalize_conversation_id(cls, value: str | UUID | None) -> str | None:
-        location="json",
+        """Allow missing or blank conversation IDs; enforce UUID format when provided."""
-        help="Auto generate conversation name",
+        if isinstance(value, str):
-    )
+            value = value.strip()
-    .add_argument("workflow_id", type=str, required=False, location="json", help="Workflow ID for advanced chat")
+
-)
+        if not value:
            return None
        try:
            return helper.uuid_value(value)
        except ValueError as exc:
            raise ValueError("conversation_id must be a valid UUID") from exc
 register_schema_models(service_api_ns, CompletionRequestPayload, ChatRequestPayload)
@service_api_ns.route("/completion-messages")
 class CompletionApi(Resource):
-    @service_api_ns.expect(completion_parser)
+    @service_api_ns.expect(service_api_ns.models[CompletionRequestPayload.__name__])
    @service_api_ns.doc("create_completion")
    @service_api_ns.doc(description="Create a completion for the given prompt")
    @service_api_ns.doc(
@@ -91,12 +100,13 @@ class CompletionApi(Resource):
        if app_model.mode != AppMode.COMPLETION:
            raise AppUnavailableError()
-        args = completion_parser.parse_args()
+        payload = CompletionRequestPayload.model_validate(service_api_ns.payload or {})
        external_trace_id = get_external_trace_id(request)
        args = payload.model_dump(exclude_none=True)
        if external_trace_id:
            args["external_trace_id"] = external_trace_id
-        streaming = args["response_mode"] == "streaming"
+        streaming = payload.response_mode == "streaming"
        args["auto_generate_name"] = False
@@ -162,7 +172,7 @@ class CompletionStopApi(Resource):
@service_api_ns.route("/chat-messages")
 class ChatApi(Resource):
-    @service_api_ns.expect(chat_parser)
+    @service_api_ns.expect(service_api_ns.models[ChatRequestPayload.__name__])
    @service_api_ns.doc("create_chat_message")
    @service_api_ns.doc(description="Send a message in a chat conversation")
    @service_api_ns.doc(
@@ -186,13 +196,14 @@ class ChatApi(Resource):
        if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
            raise NotChatAppError()
-        args = chat_parser.parse_args()
+        payload = ChatRequestPayload.model_validate(service_api_ns.payload or {})
        external_trace_id = get_external_trace_id(request)
        args = payload.model_dump(exclude_none=True)
        if external_trace_id:
            args["external_trace_id"] = external_trace_id
-        streaming = args["response_mode"] == "streaming"
+        streaming = payload.response_mode == "streaming"
        try:
            response = AppGenerateService.generate(
--- a/api/controllers/service_api/app/conversation.py
+++ b/api/controllers/service_api/app/conversation.py
@@ -1,10 +1,15 @@
-from flask_restx import Resource, reqparse
+from typing import Any, Literal
 from uuid import UUID
 from flask import request
 from flask_restx import Resource
 from flask_restx._http import HTTPStatus
-from flask_restx.inputs import int_range
+from pydantic import BaseModel, Field, model_validator
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import BadRequest, NotFound
 import services
 from controllers.common.schema import register_schema_models
 from controllers.service_api import service_api_ns
 from controllers.service_api.app.error import NotChatAppError
 from controllers.service_api.wraps import FetchUserArg, WhereisUserArg, validate_app_token
@@ -19,74 +24,51 @@ from fields.conversation_variable_fields import (
    build_conversation_variable_infinite_scroll_pagination_model,
    build_conversation_variable_model,
 )
 from libs.helper import uuid_value
 from models.model import App, AppMode, EndUser
 from services.conversation_service import ConversationService
 # Define parsers for conversation APIs
 conversation_list_parser = (
    reqparse.RequestParser()
    .add_argument("last_id", type=uuid_value, location="args", help="Last conversation ID for pagination")
    .add_argument(
        "limit",
        type=int_range(1, 100),
        required=False,
        default=20,
        location="args",
        help="Number of conversations to return",
    )
    .add_argument(
        "sort_by",
        type=str,
        choices=["created_at", "-created_at", "updated_at", "-updated_at"],
        required=False,
        default="-updated_at",
        location="args",
        help="Sort order for conversations",
    )
 )
-conversation_rename_parser = (
+class ConversationListQuery(BaseModel):
-    reqparse.RequestParser()
+    last_id: UUID | None = Field(default=None, description="Last conversation ID for pagination")
-    .add_argument("name", type=str, required=False, location="json", help="New conversation name")
+    limit: int = Field(default=20, ge=1, le=100, description="Number of conversations to return")
-    .add_argument(
+    sort_by: Literal["created_at", "-created_at", "updated_at", "-updated_at"] = Field(
-        "auto_generate",
+        default="-updated_at", description="Sort order for conversations"
        type=bool,
        required=False,
        default=False,
        location="json",
        help="Auto-generate conversation name",
    )
 )
 conversation_variables_parser = (
    reqparse.RequestParser()
    .add_argument("last_id", type=uuid_value, location="args", help="Last variable ID for pagination")
    .add_argument(
        "limit",
        type=int_range(1, 100),
        required=False,
        default=20,
        location="args",
        help="Number of variables to return",
    )
 )
-conversation_variable_update_parser = reqparse.RequestParser().add_argument(
+class ConversationRenamePayload(BaseModel):
-    # using lambda is for passing the already-typed value without modification
+    name: str | None = Field(default=None, description="New conversation name (required if auto_generate is false)")
-    # if no lambda, it will be converted to string
+    auto_generate: bool = Field(default=False, description="Auto-generate conversation name")
-    # the string cannot be converted using json.loads
+
-    "value",
+    @model_validator(mode="after")
-    required=True,
+    def validate_name_requirement(self):
-    location="json",
+        if not self.auto_generate:
-    type=lambda x: x,
+            if self.name is None or not self.name.strip():
-    help="New value for the conversation variable",
+                raise ValueError("name is required when auto_generate is false")
        return self
 class ConversationVariablesQuery(BaseModel):
    last_id: UUID | None = Field(default=None, description="Last variable ID for pagination")
    limit: int = Field(default=20, ge=1, le=100, description="Number of variables to return")
 class ConversationVariableUpdatePayload(BaseModel):
    value: Any
 register_schema_models(
    service_api_ns,
    ConversationListQuery,
    ConversationRenamePayload,
    ConversationVariablesQuery,
    ConversationVariableUpdatePayload,
 )
@service_api_ns.route("/conversations")
 class ConversationApi(Resource):
-    @service_api_ns.expect(conversation_list_parser)
+    @service_api_ns.expect(service_api_ns.models[ConversationListQuery.__name__])
    @service_api_ns.doc("list_conversations")
    @service_api_ns.doc(description="List all conversations for the current user")
    @service_api_ns.doc(
@@ -107,7 +89,8 @@ class ConversationApi(Resource):
        if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
            raise NotChatAppError()
-        args = conversation_list_parser.parse_args()
+        query_args = ConversationListQuery.model_validate(request.args.to_dict())
        last_id = str(query_args.last_id) if query_args.last_id else None
        try:
            with Session(db.engine) as session:
@@ -115,10 +98,10 @@ class ConversationApi(Resource):
                    session=session,
                    app_model=app_model,
                    user=end_user,
-                    last_id=args["last_id"],
+                    last_id=last_id,
-                    limit=args["limit"],
+                    limit=query_args.limit,
                    invoke_from=InvokeFrom.SERVICE_API,
-                    sort_by=args["sort_by"],
+                    sort_by=query_args.sort_by,
                )
        except services.errors.conversation.LastConversationNotExistsError:
            raise NotFound("Last Conversation Not Exists.")
@@ -155,7 +138,7 @@ class ConversationDetailApi(Resource):
@service_api_ns.route("/conversations/<uuid:c_id>/name")
 class ConversationRenameApi(Resource):
-    @service_api_ns.expect(conversation_rename_parser)
+    @service_api_ns.expect(service_api_ns.models[ConversationRenamePayload.__name__])
    @service_api_ns.doc("rename_conversation")
    @service_api_ns.doc(description="Rename a conversation or auto-generate a name")
    @service_api_ns.doc(params={"c_id": "Conversation ID"})
@@ -176,17 +159,17 @@ class ConversationRenameApi(Resource):
        conversation_id = str(c_id)
-        args = conversation_rename_parser.parse_args()
+        payload = ConversationRenamePayload.model_validate(service_api_ns.payload or {})
        try:
-            return ConversationService.rename(app_model, conversation_id, end_user, args["name"], args["auto_generate"])
+            return ConversationService.rename(app_model, conversation_id, end_user, payload.name, payload.auto_generate)
        except services.errors.conversation.ConversationNotExistsError:
            raise NotFound("Conversation Not Exists.")
@service_api_ns.route("/conversations/<uuid:c_id>/variables")
 class ConversationVariablesApi(Resource):
-    @service_api_ns.expect(conversation_variables_parser)
+    @service_api_ns.expect(service_api_ns.models[ConversationVariablesQuery.__name__])
    @service_api_ns.doc("list_conversation_variables")
    @service_api_ns.doc(description="List all variables for a conversation")
    @service_api_ns.doc(params={"c_id": "Conversation ID"})
@@ -211,11 +194,12 @@ class ConversationVariablesApi(Resource):
        conversation_id = str(c_id)
-        args = conversation_variables_parser.parse_args()
+        query_args = ConversationVariablesQuery.model_validate(request.args.to_dict())
        last_id = str(query_args.last_id) if query_args.last_id else None
        try:
            return ConversationService.get_conversational_variable(
-                app_model, conversation_id, end_user, args["limit"], args["last_id"]
+                app_model, conversation_id, end_user, query_args.limit, last_id
            )
        except services.errors.conversation.ConversationNotExistsError:
            raise NotFound("Conversation Not Exists.")
@@ -223,7 +207,7 @@ class ConversationVariablesApi(Resource):
@service_api_ns.route("/conversations/<uuid:c_id>/variables/<uuid:variable_id>")
 class ConversationVariableDetailApi(Resource):
-    @service_api_ns.expect(conversation_variable_update_parser)
+    @service_api_ns.expect(service_api_ns.models[ConversationVariableUpdatePayload.__name__])
    @service_api_ns.doc("update_conversation_variable")
    @service_api_ns.doc(description="Update a conversation variable's value")
    @service_api_ns.doc(params={"c_id": "Conversation ID", "variable_id": "Variable ID"})
@@ -250,11 +234,11 @@ class ConversationVariableDetailApi(Resource):
        conversation_id = str(c_id)
        variable_id = str(variable_id)
-        args = conversation_variable_update_parser.parse_args()
+        payload = ConversationVariableUpdatePayload.model_validate(service_api_ns.payload or {})
        try:
            return ConversationService.update_conversation_variable(
-                app_model, conversation_id, variable_id, end_user, args["value"]
+                app_model, conversation_id, variable_id, end_user, payload.value
            )
        except services.errors.conversation.ConversationNotExistsError:
            raise NotFound("Conversation Not Exists.")
--- a/api/controllers/service_api/app/file_preview.py
+++ b/api/controllers/service_api/app/file_preview.py
@@ -1,9 +1,11 @@
 import logging
 from urllib.parse import quote
-from flask import Response
+from flask import Response, request
-from flask_restx import Resource, reqparse
+from flask_restx import Resource
 from pydantic import BaseModel, Field
 from controllers.common.schema import register_schema_model
 from controllers.service_api import service_api_ns
 from controllers.service_api.app.error import (
    FileAccessDeniedError,
@@ -17,10 +19,11 @@ from models.model import App, EndUser, Message, MessageFile, UploadFile
 logger = logging.getLogger(__name__)
-# Define parser for file preview API
+class FilePreviewQuery(BaseModel):
-file_preview_parser = reqparse.RequestParser().add_argument(
+    as_attachment: bool = Field(default=False, description="Download as attachment")
-    "as_attachment", type=bool, required=False, default=False, location="args", help="Download as attachment"
+
-)
+
 register_schema_model(service_api_ns, FilePreviewQuery)
@service_api_ns.route("/files/<uuid:file_id>/preview")
@@ -32,7 +35,7 @@ class FilePreviewApi(Resource):
    Files can only be accessed if they belong to messages within the requesting app's context.
    """
-    @service_api_ns.expect(file_preview_parser)
+    @service_api_ns.expect(service_api_ns.models[FilePreviewQuery.__name__])
    @service_api_ns.doc("preview_file")
    @service_api_ns.doc(description="Preview or download a file uploaded via Service API")
    @service_api_ns.doc(params={"file_id": "UUID of the file to preview"})
@@ -55,7 +58,7 @@ class FilePreviewApi(Resource):
        file_id = str(file_id)
        # Parse query parameters
-        args = file_preview_parser.parse_args()
+        args = FilePreviewQuery.model_validate(request.args.to_dict())
        # Validate file ownership and get file objects
        _, upload_file = self._validate_file_ownership(file_id, app_model.id)
@@ -67,7 +70,7 @@ class FilePreviewApi(Resource):
            raise FileNotFoundError(f"Failed to load file content: {str(e)}")
        # Build response with appropriate headers
-        response = self._build_file_response(generator, upload_file, args["as_attachment"])
+        response = self._build_file_response(generator, upload_file, args.as_attachment)
        return response
--- a/Show More
+++ b/Show More