Initial plan

Co-authored-by: Rajat Agarwal <rajat.agarwal@infocusp.com>

.github/dependabot.yml

@@ -25,6 +25,10 @@ updates:
       interval: "weekly"
     open-pull-requests-limit: 2
     groups:
+      lexical:
+        patterns:
+          - "lexical"
+          - "@lexical/*"
       storybook:
         patterns:
           - "storybook"
@@ -33,5 +37,7 @@ updates:
         patterns:
           - "*"
         exclude-patterns:
+          - "lexical"
+          - "@lexical/*"
           - "storybook"
           - "@storybook/*"

README.md

@@ -133,7 +133,7 @@ Star Dify on GitHub and be instantly notified of new releases.
 
 ### Custom configurations
 
-If you need to customize the configuration, please refer to the comments in our [.env.example](docker/.env.example) file and update the corresponding values in your `.env` file. Additionally, you might need to make adjustments to the `docker-compose.yaml` file itself, such as changing image versions, port mappings, or volume mounts, based on your specific deployment environment and requirements. After making any changes, please re-run `docker-compose up -d`. You can find the full list of available environment variables [here](https://docs.dify.ai/getting-started/install-self-hosted/environments).
+If you need to customize the configuration, please refer to the comments in our [.env.example](docker/.env.example) file and update the corresponding values in your `.env` file. Additionally, you might need to make adjustments to the `docker-compose.yaml` file itself, such as changing image versions, port mappings, or volume mounts, based on your specific deployment environment and requirements. After making any changes, please re-run `docker compose up -d`. You can find the full list of available environment variables [here](https://docs.dify.ai/getting-started/install-self-hosted/environments).
 
 #### Customizing Suggested Questions
 

api/commands.py

@@ -30,6 +30,7 @@ from extensions.ext_redis import redis_client
 from extensions.ext_storage import storage
 from extensions.storage.opendal_storage import OpenDALStorage
 from extensions.storage.storage_type import StorageType
+from libs.datetime_utils import naive_utc_now
 from libs.db_migration_lock import DbMigrationAutoRenewLock
 from libs.helper import email as email_validate
 from libs.password import hash_password, password_pattern, valid_password
@@ -2598,15 +2599,29 @@ def migrate_oss(
 @click.option(
     "--start-from",
     type=click.DateTime(formats=["%Y-%m-%d", "%Y-%m-%dT%H:%M:%S"]),
-    required=True,
+    required=False,
+    default=None,
     help="Lower bound (inclusive) for created_at.",
 )
 @click.option(
     "--end-before",
     type=click.DateTime(formats=["%Y-%m-%d", "%Y-%m-%dT%H:%M:%S"]),
-    required=True,
+    required=False,
+    default=None,
     help="Upper bound (exclusive) for created_at.",
 )
+@click.option(
+    "--from-days-ago",
+    type=int,
+    default=None,
+    help="Relative lower bound in days ago (inclusive). Must be used with --before-days.",
+)
+@click.option(
+    "--before-days",
+    type=int,
+    default=None,
+    help="Relative upper bound in days ago (exclusive). Required for relative mode.",
+)
 @click.option("--batch-size", default=1000, show_default=True, help="Batch size for selecting messages.")
 @click.option(
     "--graceful-period",
@@ -2618,8 +2633,10 @@ def migrate_oss(
 def clean_expired_messages(
     batch_size: int,
     graceful_period: int,
-    start_from: datetime.datetime,
-    end_before: datetime.datetime,
+    start_from: datetime.datetime | None,
+    end_before: datetime.datetime | None,
+    from_days_ago: int | None,
+    before_days: int | None,
     dry_run: bool,
 ):
     """
@@ -2630,18 +2647,70 @@ def clean_expired_messages(
     start_at = time.perf_counter()
 
     try:
+        abs_mode = start_from is not None and end_before is not None
+        rel_mode = before_days is not None
+
+        if abs_mode and rel_mode:
+            raise click.UsageError(
+                "Options are mutually exclusive: use either (--start-from,--end-before) "
+                "or (--from-days-ago,--before-days)."
+            )
+
+        if from_days_ago is not None and before_days is None:
+            raise click.UsageError("--from-days-ago must be used together with --before-days.")
+
+        if (start_from is None) ^ (end_before is None):
+            raise click.UsageError("Both --start-from and --end-before are required when using absolute time range.")
+
+        if not abs_mode and not rel_mode:
+            raise click.UsageError(
+                "You must provide either (--start-from,--end-before) or (--before-days [--from-days-ago])."
+            )
+
+        if rel_mode:
+            assert before_days is not None
+            if before_days < 0:
+                raise click.UsageError("--before-days must be >= 0.")
+            if from_days_ago is not None:
+                if from_days_ago < 0:
+                    raise click.UsageError("--from-days-ago must be >= 0.")
+                if from_days_ago <= before_days:
+                    raise click.UsageError("--from-days-ago must be greater than --before-days.")
+
         # Create policy based on billing configuration
         # NOTE: graceful_period will be ignored when billing is disabled.
         policy = create_message_clean_policy(graceful_period_days=graceful_period)
 
         # Create and run the cleanup service
-        service = MessagesCleanService.from_time_range(
-            policy=policy,
-            start_from=start_from,
-            end_before=end_before,
-            batch_size=batch_size,
-            dry_run=dry_run,
-        )
+        if abs_mode:
+            assert start_from is not None
+            assert end_before is not None
+            service = MessagesCleanService.from_time_range(
+                policy=policy,
+                start_from=start_from,
+                end_before=end_before,
+                batch_size=batch_size,
+                dry_run=dry_run,
+            )
+        elif from_days_ago is None:
+            assert before_days is not None
+            service = MessagesCleanService.from_days(
+                policy=policy,
+                days=before_days,
+                batch_size=batch_size,
+                dry_run=dry_run,
+            )
+        else:
+            assert before_days is not None
+            assert from_days_ago is not None
+            now = naive_utc_now()
+            service = MessagesCleanService.from_time_range(
+                policy=policy,
+                start_from=now - datetime.timedelta(days=from_days_ago),
+                end_before=now - datetime.timedelta(days=before_days),
+                batch_size=batch_size,
+                dry_run=dry_run,
+            )
         stats = service.run()
 
         end_at = time.perf_counter()

api/controllers/web/message.py

@@ -239,7 +239,7 @@ class MessageSuggestedQuestionApi(WebApiResource):
     def get(self, app_model, end_user, message_id):
         app_mode = AppMode.value_of(app_model.mode)
         if app_mode not in {AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT}:
-            raise NotCompletionAppError()
+            raise NotChatAppError()
 
         message_id = str(message_id)
 

api/core/tools/workflow_as_tool/provider.py

@@ -37,6 +37,7 @@ VARIABLE_TO_PARAMETER_TYPE_MAPPING = {
     VariableEntityType.CHECKBOX: ToolParameter.ToolParameterType.BOOLEAN,
     VariableEntityType.FILE: ToolParameter.ToolParameterType.FILE,
     VariableEntityType.FILE_LIST: ToolParameter.ToolParameterType.FILES,
+    VariableEntityType.JSON_OBJECT: ToolParameter.ToolParameterType.OBJECT,
 }
 
 

api/dify_graph/nodes/document_extractor/node.py

@@ -4,6 +4,7 @@ import json
 import logging
 import os
 import tempfile
+import zipfile
 from collections.abc import Mapping, Sequence
 from typing import TYPE_CHECKING, Any
 
@@ -82,8 +83,18 @@ class DocumentExtractorNode(Node[DocumentExtractorNodeData]):
 
         value = variable.value
         inputs = {"variable_selector": variable_selector}
+        if isinstance(value, list):
+            value = list(filter(lambda x: x, value))
         process_data = {"documents": value if isinstance(value, list) else [value]}
 
+        if not value:
+            return NodeRunResult(
+                status=WorkflowNodeExecutionStatus.SUCCEEDED,
+                inputs=inputs,
+                process_data=process_data,
+                outputs={"text": ArrayStringSegment(value=[])},
+            )
+
         try:
             if isinstance(value, list):
                 extracted_text_list = [
@@ -111,6 +122,7 @@ class DocumentExtractorNode(Node[DocumentExtractorNodeData]):
             else:
                 raise DocumentExtractorError(f"Unsupported variable type: {type(value)}")
         except DocumentExtractorError as e:
+            logger.warning(e, exc_info=True)
             return NodeRunResult(
                 status=WorkflowNodeExecutionStatus.FAILED,
                 error=str(e),
@@ -385,6 +397,32 @@ def parser_docx_part(block, doc: Document, content_items, i):
         content_items.append((i, "table", Table(block, doc)))
 
 
+def _normalize_docx_zip(file_content: bytes) -> bytes:
+    """
+    Some DOCX files (e.g. exported by Evernote on Windows) are malformed:
+    ZIP entry names use backslash (\\) as path separator instead of the forward
+    slash (/) required by both the ZIP spec and OOXML.  On Linux/Mac the entry
+    "word\\document.xml" is never found when python-docx looks for
+    "word/document.xml", which triggers a KeyError about a missing relationship.
+
+    This function rewrites the ZIP in-memory, normalizing all entry names to
+    use forward slashes without touching any actual document content.
+    """
+    try:
+        with zipfile.ZipFile(io.BytesIO(file_content), "r") as zin:
+            out_buf = io.BytesIO()
+            with zipfile.ZipFile(out_buf, "w", compression=zipfile.ZIP_DEFLATED) as zout:
+                for item in zin.infolist():
+                    data = zin.read(item.filename)
+                    # Normalize backslash path separators to forward slash
+                    item.filename = item.filename.replace("\\", "/")
+                    zout.writestr(item, data)
+            return out_buf.getvalue()
+    except zipfile.BadZipFile:
+        # Not a valid zip — return as-is and let python-docx report the real error
+        return file_content
+
+
 def _extract_text_from_docx(file_content: bytes) -> str:
     """
     Extract text from a DOCX file.
@@ -392,7 +430,15 @@ def _extract_text_from_docx(file_content: bytes) -> str:
     """
     try:
         doc_file = io.BytesIO(file_content)
-        doc = docx.Document(doc_file)
+        try:
+            doc = docx.Document(doc_file)
+        except Exception as e:
+            logger.warning("Failed to parse DOCX, attempting to normalize ZIP entry paths: %s", e)
+            # Some DOCX files exported by tools like Evernote on Windows use
+            # backslash path separators in ZIP entries and/or single-quoted XML
+            # attributes, both of which break python-docx on Linux. Normalize and retry.
+            file_content = _normalize_docx_zip(file_content)
+            doc = docx.Document(io.BytesIO(file_content))
         text = []
 
         # Keep track of paragraph and table positions

api/dify_graph/nodes/knowledge_retrieval/knowledge_retrieval_node.py

@@ -23,7 +23,11 @@ from dify_graph.variables import (
 )
 from dify_graph.variables.segments import ArrayObjectSegment
 
-from .entities import KnowledgeRetrievalNodeData
+from .entities import (
+    Condition,
+    KnowledgeRetrievalNodeData,
+    MetadataFilteringCondition,
+)
 from .exc import (
     KnowledgeRetrievalNodeError,
     RateLimitExceededError,
@@ -171,6 +175,12 @@ class KnowledgeRetrievalNode(LLMUsageTrackingMixin, Node[KnowledgeRetrievalNodeD
         if node_data.metadata_filtering_mode is not None:
             metadata_filtering_mode = node_data.metadata_filtering_mode
 
+        resolved_metadata_conditions = (
+            self._resolve_metadata_filtering_conditions(node_data.metadata_filtering_conditions)
+            if node_data.metadata_filtering_conditions
+            else None
+        )
+
         if str(node_data.retrieval_mode) == DatasetRetrieveConfigEntity.RetrieveStrategy.SINGLE and query:
             # fetch model config
             if node_data.single_retrieval_config is None:
@@ -189,7 +199,7 @@ class KnowledgeRetrievalNode(LLMUsageTrackingMixin, Node[KnowledgeRetrievalNodeD
                     model_mode=model.mode,
                     model_name=model.name,
                     metadata_model_config=node_data.metadata_model_config,
-                    metadata_filtering_conditions=node_data.metadata_filtering_conditions,
+                    metadata_filtering_conditions=resolved_metadata_conditions,
                     metadata_filtering_mode=metadata_filtering_mode,
                     query=query,
                 )
@@ -247,7 +257,7 @@ class KnowledgeRetrievalNode(LLMUsageTrackingMixin, Node[KnowledgeRetrievalNodeD
                     weights=weights,
                     reranking_enable=node_data.multiple_retrieval_config.reranking_enable,
                     metadata_model_config=node_data.metadata_model_config,
-                    metadata_filtering_conditions=node_data.metadata_filtering_conditions,
+                    metadata_filtering_conditions=resolved_metadata_conditions,
                     metadata_filtering_mode=metadata_filtering_mode,
                     attachment_ids=[attachment.related_id for attachment in attachments] if attachments else None,
                 )
@@ -256,6 +266,48 @@ class KnowledgeRetrievalNode(LLMUsageTrackingMixin, Node[KnowledgeRetrievalNodeD
         usage = self._rag_retrieval.llm_usage
         return retrieval_resource_list, usage
 
+    def _resolve_metadata_filtering_conditions(
+        self, conditions: MetadataFilteringCondition
+    ) -> MetadataFilteringCondition:
+        if conditions.conditions is None:
+            return MetadataFilteringCondition(
+                logical_operator=conditions.logical_operator,
+                conditions=None,
+            )
+
+        variable_pool = self.graph_runtime_state.variable_pool
+        resolved_conditions: list[Condition] = []
+        for cond in conditions.conditions or []:
+            value = cond.value
+            if isinstance(value, str):
+                segment_group = variable_pool.convert_template(value)
+                if len(segment_group.value) == 1:
+                    resolved_value = segment_group.value[0].to_object()
+                else:
+                    resolved_value = segment_group.text
+            elif isinstance(value, Sequence) and all(isinstance(v, str) for v in value):
+                resolved_values = []
+                for v in value:  # type: ignore
+                    segment_group = variable_pool.convert_template(v)
+                    if len(segment_group.value) == 1:
+                        resolved_values.append(segment_group.value[0].to_object())
+                    else:
+                        resolved_values.append(segment_group.text)
+                resolved_value = resolved_values
+            else:
+                resolved_value = value
+            resolved_conditions.append(
+                Condition(
+                    name=cond.name,
+                    comparison_operator=cond.comparison_operator,
+                    value=resolved_value,
+                )
+            )
+        return MetadataFilteringCondition(
+            logical_operator=conditions.logical_operator or "and",
+            conditions=resolved_conditions,
+        )
+
     @classmethod
     def _extract_variable_selector_to_variable_mapping(
         cls,

api/schedule/queue_monitor_task.py

@@ -21,6 +21,10 @@ celery_redis = Redis(
     ssl_cert_reqs=getattr(dify_config, "REDIS_SSL_CERT_REQS", None) if dify_config.BROKER_USE_SSL else None,
     ssl_certfile=getattr(dify_config, "REDIS_SSL_CERTFILE", None) if dify_config.BROKER_USE_SSL else None,
     ssl_keyfile=getattr(dify_config, "REDIS_SSL_KEYFILE", None) if dify_config.BROKER_USE_SSL else None,
+    # Add conservative socket timeouts and health checks to avoid long-lived half-open sockets
+    socket_timeout=5,
+    socket_connect_timeout=5,
+    health_check_interval=30,
 )
 
 logger = logging.getLogger(__name__)

api/schedule/trigger_provider_refresh_task.py

@@ -3,6 +3,7 @@ import math
 import time
 from collections.abc import Iterable, Sequence
 
+from celery import group
 from sqlalchemy import ColumnElement, and_, func, or_, select
 from sqlalchemy.engine.row import Row
 from sqlalchemy.orm import Session
@@ -85,20 +86,25 @@ def trigger_provider_refresh() -> None:
             lock_keys: list[str] = build_trigger_refresh_lock_keys(subscriptions)
             acquired: list[bool] = _acquire_locks(keys=lock_keys, ttl_seconds=lock_ttl)
 
-            enqueued: int = 0
-            for (tenant_id, subscription_id), is_locked in zip(subscriptions, acquired):
-                if not is_locked:
-                    continue
-                trigger_subscription_refresh.delay(tenant_id=tenant_id, subscription_id=subscription_id)
-                enqueued += 1
+            if not any(acquired):
+                continue
+
+            jobs = [
+                trigger_subscription_refresh.s(tenant_id=tenant_id, subscription_id=subscription_id)
+                for (tenant_id, subscription_id), is_locked in zip(subscriptions, acquired)
+                if is_locked
+            ]
+            result = group(jobs).apply_async()
+            enqueued = len(jobs)
 
             logger.info(
-                "Trigger refresh page %d/%d: scanned=%d locks_acquired=%d enqueued=%d",
+                "Trigger refresh page %d/%d: scanned=%d locks_acquired=%d enqueued=%d result=%s",
                 page + 1,
                 pages,
                 len(subscriptions),
                 sum(1 for x in acquired if x),
                 enqueued,
+                result,
             )
 
     logger.info("Trigger refresh scan done: due=%d", total_due)

api/schedule/workflow_schedule_task.py

@@ -1,6 +1,6 @@
 import logging
 
-from celery import group, shared_task
+from celery import current_app, group, shared_task
 from sqlalchemy import and_, select
 from sqlalchemy.orm import Session, sessionmaker
 
@@ -29,31 +29,27 @@ def poll_workflow_schedules() -> None:
     with session_factory() as session:
         total_dispatched = 0
 
-        # Process in batches until we've handled all due schedules or hit the limit
         while True:
             due_schedules = _fetch_due_schedules(session)
 
             if not due_schedules:
                 break
 
-            dispatched_count = _process_schedules(session, due_schedules)
-            total_dispatched += dispatched_count
+            with current_app.producer_or_acquire() as producer:  # type: ignore
+                dispatched_count = _process_schedules(session, due_schedules, producer)
+                total_dispatched += dispatched_count
 
-            logger.debug("Batch processed: %d dispatched", dispatched_count)
-
-            # Circuit breaker: check if we've hit the per-tick limit (if enabled)
-            if (
-                dify_config.WORKFLOW_SCHEDULE_MAX_DISPATCH_PER_TICK > 0
-                and total_dispatched >= dify_config.WORKFLOW_SCHEDULE_MAX_DISPATCH_PER_TICK
-            ):
-                logger.warning(
-                    "Circuit breaker activated: reached dispatch limit (%d), will continue next tick",
-                    dify_config.WORKFLOW_SCHEDULE_MAX_DISPATCH_PER_TICK,
-                )
-                break
+                logger.debug("Batch processed: %d dispatched", dispatched_count)
 
+                # Circuit breaker: check if we've hit the per-tick limit (if enabled)
+                if 0 < dify_config.WORKFLOW_SCHEDULE_MAX_DISPATCH_PER_TICK <= total_dispatched:
+                    logger.warning(
+                        "Circuit breaker activated: reached dispatch limit (%d), will continue next tick",
+                        dify_config.WORKFLOW_SCHEDULE_MAX_DISPATCH_PER_TICK,
+                    )
+                    break
         if total_dispatched > 0:
-            logger.info("Total processed: %d dispatched", total_dispatched)
+            logger.info("Total processed: %d workflow schedule(s) dispatched", total_dispatched)
 
 
 def _fetch_due_schedules(session: Session) -> list[WorkflowSchedulePlan]:
@@ -90,7 +86,7 @@ def _fetch_due_schedules(session: Session) -> list[WorkflowSchedulePlan]:
     return list(due_schedules)
 
 
-def _process_schedules(session: Session, schedules: list[WorkflowSchedulePlan]) -> int:
+def _process_schedules(session: Session, schedules: list[WorkflowSchedulePlan], producer=None) -> int:
     """Process schedules: check quota, update next run time and dispatch to Celery in parallel."""
     if not schedules:
         return 0
@@ -107,7 +103,7 @@ def _process_schedules(session: Session, schedules: list[WorkflowSchedulePlan])
 
     if tasks_to_dispatch:
         job = group(run_schedule_trigger.s(schedule_id) for schedule_id in tasks_to_dispatch)
-        job.apply_async()
+        job.apply_async(producer=producer)
 
         logger.debug("Dispatched %d tasks in parallel", len(tasks_to_dispatch))
 

api/services/retention/conversation/messages_clean_service.py

@@ -12,6 +12,7 @@ from sqlalchemy.engine import CursorResult
 from sqlalchemy.orm import Session
 
 from extensions.ext_database import db
+from libs.datetime_utils import naive_utc_now
 from models.model import (
     App,
     AppAnnotationHitHistory,
@@ -142,7 +143,7 @@ class MessagesCleanService:
         if batch_size <= 0:
             raise ValueError(f"batch_size ({batch_size}) must be greater than 0")
 
-        end_before = datetime.datetime.now() - datetime.timedelta(days=days)
+        end_before = naive_utc_now() - datetime.timedelta(days=days)
 
         logger.info(
             "clean_messages: days=%s, end_before=%s, batch_size=%s, policy=%s",

api/tasks/document_indexing_task.py

@@ -1,9 +1,10 @@
 import logging
 import time
-from collections.abc import Callable, Sequence
+from collections.abc import Sequence
+from typing import Any, Protocol
 
 import click
-from celery import shared_task
+from celery import current_app, shared_task
 
 from configs import dify_config
 from core.db.session_factory import session_factory
@@ -19,6 +20,12 @@ from tasks.generate_summary_index_task import generate_summary_index_task
 logger = logging.getLogger(__name__)
 
 
+class CeleryTaskLike(Protocol):
+    def delay(self, *args: Any, **kwargs: Any) -> Any: ...
+
+    def apply_async(self, *args: Any, **kwargs: Any) -> Any: ...
+
+
 @shared_task(queue="dataset")
 def document_indexing_task(dataset_id: str, document_ids: list):
     """
@@ -179,8 +186,8 @@ def _document_indexing(dataset_id: str, document_ids: Sequence[str]):
 
 
 def _document_indexing_with_tenant_queue(
-    tenant_id: str, dataset_id: str, document_ids: Sequence[str], task_func: Callable[[str, str, Sequence[str]], None]
-):
+    tenant_id: str, dataset_id: str, document_ids: Sequence[str], task_func: CeleryTaskLike
+) -> None:
     try:
         _document_indexing(dataset_id, document_ids)
     except Exception:
@@ -201,16 +208,20 @@ def _document_indexing_with_tenant_queue(
         logger.info("document indexing tenant isolation queue %s next tasks: %s", tenant_id, next_tasks)
 
         if next_tasks:
-            for next_task in next_tasks:
-                document_task = DocumentTask(**next_task)
-                # Process the next waiting task
-                # Keep the flag set to indicate a task is running
-                tenant_isolated_task_queue.set_task_waiting_time()
-                task_func.delay(  # type: ignore
-                    tenant_id=document_task.tenant_id,
-                    dataset_id=document_task.dataset_id,
-                    document_ids=document_task.document_ids,
-                )
+            with current_app.producer_or_acquire() as producer:  # type: ignore
+                for next_task in next_tasks:
+                    document_task = DocumentTask(**next_task)
+                    # Keep the flag set to indicate a task is running
+                    tenant_isolated_task_queue.set_task_waiting_time()
+                    task_func.apply_async(
+                        kwargs={
+                            "tenant_id": document_task.tenant_id,
+                            "dataset_id": document_task.dataset_id,
+                            "document_ids": document_task.document_ids,
+                        },
+                        producer=producer,
+                    )
+
         else:
             # No more waiting tasks, clear the flag
             tenant_isolated_task_queue.delete_task_key()

api/tasks/rag_pipeline/rag_pipeline_run_task.py

@@ -3,12 +3,13 @@ import json
 import logging
 import time
 import uuid
-from collections.abc import Mapping
+from collections.abc import Mapping, Sequence
 from concurrent.futures import ThreadPoolExecutor
+from itertools import islice
 from typing import Any
 
 import click
-from celery import shared_task  # type: ignore
+from celery import group, shared_task
 from flask import current_app, g
 from sqlalchemy.orm import Session, sessionmaker
 
@@ -27,6 +28,11 @@ from services.file_service import FileService
 logger = logging.getLogger(__name__)
 
 
+def chunked(iterable: Sequence, size: int):
+    it = iter(iterable)
+    return iter(lambda: list(islice(it, size)), [])
+
+
 @shared_task(queue="pipeline")
 def rag_pipeline_run_task(
     rag_pipeline_invoke_entities_file_id: str,
@@ -83,16 +89,24 @@ def rag_pipeline_run_task(
         logger.info("rag pipeline tenant isolation queue %s next files: %s", tenant_id, next_file_ids)
 
         if next_file_ids:
-            for next_file_id in next_file_ids:
-                # Process the next waiting task
-                # Keep the flag set to indicate a task is running
-                tenant_isolated_task_queue.set_task_waiting_time()
-                rag_pipeline_run_task.delay(  # type: ignore
-                    rag_pipeline_invoke_entities_file_id=next_file_id.decode("utf-8")
-                    if isinstance(next_file_id, bytes)
-                    else next_file_id,
-                    tenant_id=tenant_id,
-                )
+            for batch in chunked(next_file_ids, 100):
+                jobs = []
+                for next_file_id in batch:
+                    tenant_isolated_task_queue.set_task_waiting_time()
+
+                    file_id = (
+                        next_file_id.decode("utf-8") if isinstance(next_file_id, (bytes, bytearray)) else next_file_id
+                    )
+
+                    jobs.append(
+                        rag_pipeline_run_task.s(
+                            rag_pipeline_invoke_entities_file_id=file_id,
+                            tenant_id=tenant_id,
+                        )
+                    )
+
+                if jobs:
+                    group(jobs).apply_async()
         else:
             # No more waiting tasks, clear the flag
             tenant_isolated_task_queue.delete_task_key()

api/tests/test_containers_integration_tests/tasks/test_dataset_indexing_task.py

@@ -322,11 +322,14 @@ class TestDatasetIndexingTaskIntegration:
             _document_indexing_with_tenant_queue(dataset.tenant_id, dataset.id, document_ids, task_dispatch_spy)
 
         # Assert
-        task_dispatch_spy.delay.assert_called_once_with(
-            tenant_id=next_task["tenant_id"],
-            dataset_id=next_task["dataset_id"],
-            document_ids=next_task["document_ids"],
-        )
+        # apply_async is used by implementation; assert it was called once with expected kwargs
+        assert task_dispatch_spy.apply_async.call_count == 1
+        call_kwargs = task_dispatch_spy.apply_async.call_args.kwargs.get("kwargs", {})
+        assert call_kwargs == {
+            "tenant_id": next_task["tenant_id"],
+            "dataset_id": next_task["dataset_id"],
+            "document_ids": next_task["document_ids"],
+        }
         set_waiting_spy.assert_called_once()
         delete_key_spy.assert_not_called()
 
@@ -352,7 +355,7 @@ class TestDatasetIndexingTaskIntegration:
             _document_indexing_with_tenant_queue(dataset.tenant_id, dataset.id, document_ids, task_dispatch_spy)
 
         # Assert
-        task_dispatch_spy.delay.assert_not_called()
+        task_dispatch_spy.apply_async.assert_not_called()
         delete_key_spy.assert_called_once()
 
     def test_validation_failure_sets_error_status_when_vector_space_at_limit(
@@ -447,7 +450,7 @@ class TestDatasetIndexingTaskIntegration:
             _document_indexing_with_tenant_queue(dataset.tenant_id, dataset.id, document_ids, task_dispatch_spy)
 
         # Assert
-        task_dispatch_spy.delay.assert_called_once()
+        task_dispatch_spy.apply_async.assert_called_once()
 
     def test_sessions_close_on_successful_indexing(
         self,
@@ -534,7 +537,7 @@ class TestDatasetIndexingTaskIntegration:
             _document_indexing_with_tenant_queue(dataset.tenant_id, dataset.id, document_ids, task_dispatch_spy)
 
         # Assert
-        assert task_dispatch_spy.delay.call_count == concurrency_limit
+        assert task_dispatch_spy.apply_async.call_count == concurrency_limit
         assert set_waiting_spy.call_count == concurrency_limit
 
     def test_task_queue_fifo_ordering(self, db_session_with_containers, patched_external_dependencies):
@@ -565,9 +568,10 @@ class TestDatasetIndexingTaskIntegration:
             _document_indexing_with_tenant_queue(dataset.tenant_id, dataset.id, document_ids, task_dispatch_spy)
 
         # Assert
-        assert task_dispatch_spy.delay.call_count == 3
+        assert task_dispatch_spy.apply_async.call_count == 3
         for index, expected_task in enumerate(ordered_tasks):
-            assert task_dispatch_spy.delay.call_args_list[index].kwargs["document_ids"] == expected_task["document_ids"]
+            call_kwargs = task_dispatch_spy.apply_async.call_args_list[index].kwargs.get("kwargs", {})
+            assert call_kwargs.get("document_ids") == expected_task["document_ids"]
 
     def test_billing_disabled_skips_limit_checks(self, db_session_with_containers, patched_external_dependencies):
         """Skip limit checks when billing feature is disabled."""

api/tests/test_containers_integration_tests/tasks/test_document_indexing_task.py

@@ -762,11 +762,12 @@ class TestDocumentIndexingTasks:
         mock_external_service_dependencies["indexing_runner_instance"].run.assert_called_once()
 
         # Verify task function was called for each waiting task
-        assert mock_task_func.delay.call_count == 1
+        assert mock_task_func.apply_async.call_count == 1
 
         # Verify correct parameters for each call
-        calls = mock_task_func.delay.call_args_list
-        assert calls[0][1] == {"tenant_id": tenant_id, "dataset_id": dataset_id, "document_ids": ["waiting-doc-1"]}
+        calls = mock_task_func.apply_async.call_args_list
+        sent_kwargs = calls[0][1]["kwargs"]
+        assert sent_kwargs == {"tenant_id": tenant_id, "dataset_id": dataset_id, "document_ids": ["waiting-doc-1"]}
 
         # Verify queue is empty after processing (tasks were pulled)
         remaining_tasks = queue.pull_tasks(count=10)  # Pull more than we added
@@ -830,11 +831,15 @@ class TestDocumentIndexingTasks:
             assert updated_document.processing_started_at is not None
 
         # Verify waiting task was still processed despite core processing error
-        mock_task_func.delay.assert_called_once()
+        mock_task_func.apply_async.assert_called_once()
 
         # Verify correct parameters for the call
-        call = mock_task_func.delay.call_args
-        assert call[1] == {"tenant_id": tenant_id, "dataset_id": dataset_id, "document_ids": ["waiting-doc-1"]}
+        call = mock_task_func.apply_async.call_args
+        assert call[1]["kwargs"] == {
+            "tenant_id": tenant_id,
+            "dataset_id": dataset_id,
+            "document_ids": ["waiting-doc-1"],
+        }
 
         # Verify queue is empty after processing (task was pulled)
         remaining_tasks = queue.pull_tasks(count=10)
@@ -896,9 +901,13 @@ class TestDocumentIndexingTasks:
         mock_external_service_dependencies["indexing_runner_instance"].run.assert_called_once()
 
         # Verify only tenant1's waiting task was processed
-        mock_task_func.delay.assert_called_once()
-        call = mock_task_func.delay.call_args
-        assert call[1] == {"tenant_id": tenant1_id, "dataset_id": dataset1_id, "document_ids": ["tenant1-doc-1"]}
+        mock_task_func.apply_async.assert_called_once()
+        call = mock_task_func.apply_async.call_args
+        assert call[1]["kwargs"] == {
+            "tenant_id": tenant1_id,
+            "dataset_id": dataset1_id,
+            "document_ids": ["tenant1-doc-1"],
+        }
 
         # Verify tenant1's queue is empty
         remaining_tasks1 = queue1.pull_tasks(count=10)

api/tests/test_containers_integration_tests/tasks/test_rag_pipeline_run_tasks.py

@@ -1,6 +1,6 @@
 import json
 import uuid
-from unittest.mock import patch
+from unittest.mock import MagicMock, patch
 
 import pytest
 from faker import Faker
@@ -388,8 +388,10 @@ class TestRagPipelineRunTasks:
         # Set the task key to indicate there are waiting tasks (legacy behavior)
         redis_client.set(legacy_task_key, 1, ex=60 * 60)
 
-        # Mock the task function calls
-        with patch("tasks.rag_pipeline.rag_pipeline_run_task.rag_pipeline_run_task.delay") as mock_delay:
+        # Mock the Celery group scheduling used by the implementation
+        with patch("tasks.rag_pipeline.rag_pipeline_run_task.group") as mock_group:
+            mock_group.return_value.apply_async = MagicMock()
+
             # Act: Execute the priority task with new code but legacy queue data
             rag_pipeline_run_task(file_id, tenant.id)
 
@@ -398,13 +400,14 @@ class TestRagPipelineRunTasks:
             mock_file_service["delete_file"].assert_called_once_with(file_id)
             assert mock_pipeline_generator.call_count == 1
 
-            # Verify waiting tasks were processed, pull 1 task a time by default
-            assert mock_delay.call_count == 1
+            # Verify waiting tasks were processed via group, pull 1 task a time by default
+            assert mock_group.return_value.apply_async.called
 
-            # Verify correct parameters for the call
-            call_kwargs = mock_delay.call_args[1] if mock_delay.call_args else {}
-            assert call_kwargs.get("rag_pipeline_invoke_entities_file_id") == legacy_file_ids[0]
-            assert call_kwargs.get("tenant_id") == tenant.id
+            # Verify correct parameters for the first scheduled job signature
+            jobs = mock_group.call_args.args[0] if mock_group.call_args else []
+            first_kwargs = jobs[0].kwargs if jobs else {}
+            assert first_kwargs.get("rag_pipeline_invoke_entities_file_id") == legacy_file_ids[0]
+            assert first_kwargs.get("tenant_id") == tenant.id
 
             # Verify that new code can process legacy queue entries
             # The new TenantIsolatedTaskQueue should be able to read from the legacy format
@@ -446,8 +449,10 @@ class TestRagPipelineRunTasks:
         waiting_file_ids = [str(uuid.uuid4()) for _ in range(3)]
         queue.push_tasks(waiting_file_ids)
 
-        # Mock the task function calls
-        with patch("tasks.rag_pipeline.rag_pipeline_run_task.rag_pipeline_run_task.delay") as mock_delay:
+        # Mock the Celery group scheduling used by the implementation
+        with patch("tasks.rag_pipeline.rag_pipeline_run_task.group") as mock_group:
+            mock_group.return_value.apply_async = MagicMock()
+
             # Act: Execute the regular task
             rag_pipeline_run_task(file_id, tenant.id)
 
@@ -456,13 +461,14 @@ class TestRagPipelineRunTasks:
             mock_file_service["delete_file"].assert_called_once_with(file_id)
             assert mock_pipeline_generator.call_count == 1
 
-            # Verify waiting tasks were processed, pull 1 task a time by default
-            assert mock_delay.call_count == 1
+            # Verify waiting tasks were processed via group.apply_async
+            assert mock_group.return_value.apply_async.called
 
-            # Verify correct parameters for the call
-            call_kwargs = mock_delay.call_args[1] if mock_delay.call_args else {}
-            assert call_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_ids[0]
-            assert call_kwargs.get("tenant_id") == tenant.id
+            # Verify correct parameters for the first scheduled job signature
+            jobs = mock_group.call_args.args[0] if mock_group.call_args else []
+            first_kwargs = jobs[0].kwargs if jobs else {}
+            assert first_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_ids[0]
+            assert first_kwargs.get("tenant_id") == tenant.id
 
             # Verify queue still has remaining tasks (only 1 was pulled)
             remaining_tasks = queue.pull_tasks(count=10)
@@ -557,8 +563,10 @@ class TestRagPipelineRunTasks:
         waiting_file_id = str(uuid.uuid4())
         queue.push_tasks([waiting_file_id])
 
-        # Mock the task function calls
-        with patch("tasks.rag_pipeline.rag_pipeline_run_task.rag_pipeline_run_task.delay") as mock_delay:
+        # Mock the Celery group scheduling used by the implementation
+        with patch("tasks.rag_pipeline.rag_pipeline_run_task.group") as mock_group:
+            mock_group.return_value.apply_async = MagicMock()
+
             # Act: Execute the regular task (should not raise exception)
             rag_pipeline_run_task(file_id, tenant.id)
 
@@ -569,12 +577,13 @@ class TestRagPipelineRunTasks:
             assert mock_pipeline_generator.call_count == 1
 
             # Verify waiting task was still processed despite core processing error
-            mock_delay.assert_called_once()
+            assert mock_group.return_value.apply_async.called
 
-            # Verify correct parameters for the call
-            call_kwargs = mock_delay.call_args[1] if mock_delay.call_args else {}
-            assert call_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_id
-            assert call_kwargs.get("tenant_id") == tenant.id
+            # Verify correct parameters for the first scheduled job signature
+            jobs = mock_group.call_args.args[0] if mock_group.call_args else []
+            first_kwargs = jobs[0].kwargs if jobs else {}
+            assert first_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_id
+            assert first_kwargs.get("tenant_id") == tenant.id
 
             # Verify queue is empty after processing (task was pulled)
             remaining_tasks = queue.pull_tasks(count=10)
@@ -684,8 +693,10 @@ class TestRagPipelineRunTasks:
         queue1.push_tasks([waiting_file_id1])
         queue2.push_tasks([waiting_file_id2])
 
-        # Mock the task function calls
-        with patch("tasks.rag_pipeline.rag_pipeline_run_task.rag_pipeline_run_task.delay") as mock_delay:
+        # Mock the Celery group scheduling used by the implementation
+        with patch("tasks.rag_pipeline.rag_pipeline_run_task.group") as mock_group:
+            mock_group.return_value.apply_async = MagicMock()
+
             # Act: Execute the regular task for tenant1 only
             rag_pipeline_run_task(file_id1, tenant1.id)
 
@@ -694,11 +705,12 @@ class TestRagPipelineRunTasks:
             assert mock_file_service["delete_file"].call_count == 1
             assert mock_pipeline_generator.call_count == 1
 
-            # Verify only tenant1's waiting task was processed
-            mock_delay.assert_called_once()
-            call_kwargs = mock_delay.call_args[1] if mock_delay.call_args else {}
-            assert call_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_id1
-            assert call_kwargs.get("tenant_id") == tenant1.id
+            # Verify only tenant1's waiting task was processed (via group)
+            assert mock_group.return_value.apply_async.called
+            jobs = mock_group.call_args.args[0] if mock_group.call_args else []
+            first_kwargs = jobs[0].kwargs if jobs else {}
+            assert first_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_id1
+            assert first_kwargs.get("tenant_id") == tenant1.id
 
             # Verify tenant1's queue is empty
             remaining_tasks1 = queue1.pull_tasks(count=10)
@@ -913,8 +925,10 @@ class TestRagPipelineRunTasks:
         waiting_file_id = str(uuid.uuid4())
         queue.push_tasks([waiting_file_id])
 
-        # Mock the task function calls
-        with patch("tasks.rag_pipeline.rag_pipeline_run_task.rag_pipeline_run_task.delay") as mock_delay:
+        # Mock the Celery group scheduling used by the implementation
+        with patch("tasks.rag_pipeline.rag_pipeline_run_task.group") as mock_group:
+            mock_group.return_value.apply_async = MagicMock()
+
             # Act & Assert: Execute the regular task (should raise Exception)
             with pytest.raises(Exception, match="File not found"):
                 rag_pipeline_run_task(file_id, tenant.id)
@@ -924,12 +938,13 @@ class TestRagPipelineRunTasks:
             mock_pipeline_generator.assert_not_called()
 
             # Verify waiting task was still processed despite file error
-            mock_delay.assert_called_once()
+            assert mock_group.return_value.apply_async.called
 
-            # Verify correct parameters for the call
-            call_kwargs = mock_delay.call_args[1] if mock_delay.call_args else {}
-            assert call_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_id
-            assert call_kwargs.get("tenant_id") == tenant.id
+            # Verify correct parameters for the first scheduled job signature
+            jobs = mock_group.call_args.args[0] if mock_group.call_args else []
+            first_kwargs = jobs[0].kwargs if jobs else {}
+            assert first_kwargs.get("rag_pipeline_invoke_entities_file_id") == waiting_file_id
+            assert first_kwargs.get("tenant_id") == tenant.id
 
             # Verify queue is empty after processing (task was pulled)
             remaining_tasks = queue.pull_tasks(count=10)

api/tests/test_containers_integration_tests/trigger/conftest.py

@@ -105,18 +105,26 @@ def app_model(
 
 
 class MockCeleryGroup:
-    """Mock for celery group() function that collects dispatched tasks."""
+    """Mock for celery group() function that collects dispatched tasks.
+
+    Matches the Celery group API loosely, accepting arbitrary kwargs on apply_async
+    (e.g. producer) so production code can pass broker-related options without
+    breaking tests.
+    """
 
     def __init__(self) -> None:
         self.collected: list[dict[str, Any]] = []
         self._applied = False
+        self.last_apply_async_kwargs: dict[str, Any] | None = None
 
     def __call__(self, items: Any) -> MockCeleryGroup:
         self.collected = list(items)
         return self
 
-    def apply_async(self) -> None:
+    def apply_async(self, **kwargs: Any) -> None:
+        # Accept arbitrary kwargs like producer to be compatible with Celery
         self._applied = True
+        self.last_apply_async_kwargs = kwargs
 
     @property
     def applied(self) -> bool:

api/tests/unit_tests/commands/test_clean_expired_messages.py

@@ -0,0 +1,181 @@
+import datetime
+import re
+from unittest.mock import MagicMock, patch
+
+import click
+import pytest
+
+from commands import clean_expired_messages
+
+
+def _mock_service() -> MagicMock:
+    service = MagicMock()
+    service.run.return_value = {
+        "batches": 1,
+        "total_messages": 10,
+        "filtered_messages": 5,
+        "total_deleted": 5,
+    }
+    return service
+
+
+def test_absolute_mode_calls_from_time_range():
+    policy = object()
+    service = _mock_service()
+    start_from = datetime.datetime(2024, 1, 1, 0, 0, 0)
+    end_before = datetime.datetime(2024, 2, 1, 0, 0, 0)
+
+    with (
+        patch("commands.create_message_clean_policy", return_value=policy),
+        patch("commands.MessagesCleanService.from_time_range", return_value=service) as mock_from_time_range,
+        patch("commands.MessagesCleanService.from_days") as mock_from_days,
+    ):
+        clean_expired_messages.callback(
+            batch_size=200,
+            graceful_period=21,
+            start_from=start_from,
+            end_before=end_before,
+            from_days_ago=None,
+            before_days=None,
+            dry_run=True,
+        )
+
+    mock_from_time_range.assert_called_once_with(
+        policy=policy,
+        start_from=start_from,
+        end_before=end_before,
+        batch_size=200,
+        dry_run=True,
+    )
+    mock_from_days.assert_not_called()
+
+
+def test_relative_mode_before_days_only_calls_from_days():
+    policy = object()
+    service = _mock_service()
+
+    with (
+        patch("commands.create_message_clean_policy", return_value=policy),
+        patch("commands.MessagesCleanService.from_days", return_value=service) as mock_from_days,
+        patch("commands.MessagesCleanService.from_time_range") as mock_from_time_range,
+    ):
+        clean_expired_messages.callback(
+            batch_size=500,
+            graceful_period=14,
+            start_from=None,
+            end_before=None,
+            from_days_ago=None,
+            before_days=30,
+            dry_run=False,
+        )
+
+    mock_from_days.assert_called_once_with(
+        policy=policy,
+        days=30,
+        batch_size=500,
+        dry_run=False,
+    )
+    mock_from_time_range.assert_not_called()
+
+
+def test_relative_mode_with_from_days_ago_calls_from_time_range():
+    policy = object()
+    service = _mock_service()
+    fixed_now = datetime.datetime(2024, 8, 20, 12, 0, 0)
+
+    with (
+        patch("commands.create_message_clean_policy", return_value=policy),
+        patch("commands.MessagesCleanService.from_time_range", return_value=service) as mock_from_time_range,
+        patch("commands.MessagesCleanService.from_days") as mock_from_days,
+        patch("commands.naive_utc_now", return_value=fixed_now),
+    ):
+        clean_expired_messages.callback(
+            batch_size=1000,
+            graceful_period=21,
+            start_from=None,
+            end_before=None,
+            from_days_ago=60,
+            before_days=30,
+            dry_run=False,
+        )
+
+    mock_from_time_range.assert_called_once_with(
+        policy=policy,
+        start_from=fixed_now - datetime.timedelta(days=60),
+        end_before=fixed_now - datetime.timedelta(days=30),
+        batch_size=1000,
+        dry_run=False,
+    )
+    mock_from_days.assert_not_called()
+
+
+@pytest.mark.parametrize(
+    ("kwargs", "message"),
+    [
+        (
+            {
+                "start_from": datetime.datetime(2024, 1, 1),
+                "end_before": datetime.datetime(2024, 2, 1),
+                "from_days_ago": None,
+                "before_days": 30,
+            },
+            "mutually exclusive",
+        ),
+        (
+            {
+                "start_from": datetime.datetime(2024, 1, 1),
+                "end_before": None,
+                "from_days_ago": None,
+                "before_days": None,
+            },
+            "Both --start-from and --end-before are required",
+        ),
+        (
+            {
+                "start_from": None,
+                "end_before": None,
+                "from_days_ago": 10,
+                "before_days": None,
+            },
+            "--from-days-ago must be used together with --before-days",
+        ),
+        (
+            {
+                "start_from": None,
+                "end_before": None,
+                "from_days_ago": None,
+                "before_days": -1,
+            },
+            "--before-days must be >= 0",
+        ),
+        (
+            {
+                "start_from": None,
+                "end_before": None,
+                "from_days_ago": 30,
+                "before_days": 30,
+            },
+            "--from-days-ago must be greater than --before-days",
+        ),
+        (
+            {
+                "start_from": None,
+                "end_before": None,
+                "from_days_ago": None,
+                "before_days": None,
+            },
+            "You must provide either (--start-from,--end-before) or (--before-days [--from-days-ago])",
+        ),
+    ],
+)
+def test_invalid_inputs_raise_usage_error(kwargs: dict, message: str):
+    with pytest.raises(click.UsageError, match=re.escape(message)):
+        clean_expired_messages.callback(
+            batch_size=1000,
+            graceful_period=21,
+            start_from=kwargs["start_from"],
+            end_before=kwargs["end_before"],
+            from_days_ago=kwargs["from_days_ago"],
+            before_days=kwargs["before_days"],
+            dry_run=False,
+        )

api/tests/unit_tests/controllers/web/conftest.py

@@ -0,0 +1,85 @@
+"""Shared fixtures for controllers.web unit tests."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from typing import Any
+
+import pytest
+from flask import Flask
+
+
+@pytest.fixture
+def app() -> Flask:
+    """Minimal Flask app for request contexts."""
+    flask_app = Flask(__name__)
+    flask_app.config["TESTING"] = True
+    return flask_app
+
+
+class FakeSession:
+    """Stand-in for db.session that returns pre-seeded objects by model class name."""
+
+    def __init__(self, mapping: dict[str, Any] | None = None):
+        self._mapping: dict[str, Any] = mapping or {}
+        self._model_name: str | None = None
+
+    def query(self, model: type) -> FakeSession:
+        self._model_name = model.__name__
+        return self
+
+    def where(self, *_args: object, **_kwargs: object) -> FakeSession:
+        return self
+
+    def first(self) -> Any:
+        assert self._model_name is not None
+        return self._mapping.get(self._model_name)
+
+
+class FakeDB:
+    """Minimal db stub exposing engine and session."""
+
+    def __init__(self, session: FakeSession | None = None):
+        self.session = session or FakeSession()
+        self.engine = object()
+
+
+def make_app_model(
+    *,
+    app_id: str = "app-1",
+    tenant_id: str = "tenant-1",
+    mode: str = "chat",
+    enable_site: bool = True,
+    status: str = "normal",
+) -> SimpleNamespace:
+    """Build a fake App model with common defaults."""
+    tenant = SimpleNamespace(
+        id=tenant_id,
+        status="normal",
+        plan="basic",
+        custom_config_dict={},
+    )
+    return SimpleNamespace(
+        id=app_id,
+        tenant_id=tenant_id,
+        tenant=tenant,
+        mode=mode,
+        enable_site=enable_site,
+        status=status,
+        workflow=None,
+        app_model_config=None,
+    )
+
+
+def make_end_user(
+    *,
+    user_id: str = "end-user-1",
+    session_id: str = "session-1",
+    external_user_id: str = "ext-user-1",
+) -> SimpleNamespace:
+    """Build a fake EndUser model with common defaults."""
+    return SimpleNamespace(
+        id=user_id,
+        session_id=session_id,
+        external_user_id=external_user_id,
+    )

api/tests/unit_tests/controllers/web/test_app.py

@@ -0,0 +1,165 @@
+"""Unit tests for controllers.web.app endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.web.app import AppAccessMode, AppMeta, AppParameterApi, AppWebAuthPermission
+from controllers.web.error import AppUnavailableError
+
+
+# ---------------------------------------------------------------------------
+# AppParameterApi
+# ---------------------------------------------------------------------------
+class TestAppParameterApi:
+    def test_advanced_chat_mode_uses_workflow(self, app: Flask) -> None:
+        features_dict = {"opening_statement": "Hello"}
+        workflow = SimpleNamespace(
+            features_dict=features_dict,
+            user_input_form=lambda to_old_structure=False: [],
+        )
+        app_model = SimpleNamespace(mode="advanced-chat", workflow=workflow)
+
+        with (
+            app.test_request_context("/parameters"),
+            patch("controllers.web.app.get_parameters_from_feature_dict", return_value={}) as mock_params,
+            patch("controllers.web.app.fields.Parameters") as mock_fields,
+        ):
+            mock_fields.model_validate.return_value.model_dump.return_value = {"result": "ok"}
+            result = AppParameterApi().get(app_model, SimpleNamespace())
+
+        mock_params.assert_called_once_with(features_dict=features_dict, user_input_form=[])
+        assert result == {"result": "ok"}
+
+    def test_workflow_mode_uses_workflow(self, app: Flask) -> None:
+        features_dict = {}
+        workflow = SimpleNamespace(
+            features_dict=features_dict,
+            user_input_form=lambda to_old_structure=False: [{"var": "x"}],
+        )
+        app_model = SimpleNamespace(mode="workflow", workflow=workflow)
+
+        with (
+            app.test_request_context("/parameters"),
+            patch("controllers.web.app.get_parameters_from_feature_dict", return_value={}) as mock_params,
+            patch("controllers.web.app.fields.Parameters") as mock_fields,
+        ):
+            mock_fields.model_validate.return_value.model_dump.return_value = {}
+            AppParameterApi().get(app_model, SimpleNamespace())
+
+        mock_params.assert_called_once_with(features_dict=features_dict, user_input_form=[{"var": "x"}])
+
+    def test_advanced_chat_mode_no_workflow_raises(self, app: Flask) -> None:
+        app_model = SimpleNamespace(mode="advanced-chat", workflow=None)
+        with app.test_request_context("/parameters"):
+            with pytest.raises(AppUnavailableError):
+                AppParameterApi().get(app_model, SimpleNamespace())
+
+    def test_standard_mode_uses_app_model_config(self, app: Flask) -> None:
+        config = SimpleNamespace(to_dict=lambda: {"user_input_form": [{"var": "y"}], "key": "val"})
+        app_model = SimpleNamespace(mode="chat", app_model_config=config)
+
+        with (
+            app.test_request_context("/parameters"),
+            patch("controllers.web.app.get_parameters_from_feature_dict", return_value={}) as mock_params,
+            patch("controllers.web.app.fields.Parameters") as mock_fields,
+        ):
+            mock_fields.model_validate.return_value.model_dump.return_value = {}
+            AppParameterApi().get(app_model, SimpleNamespace())
+
+        call_kwargs = mock_params.call_args
+        assert call_kwargs.kwargs["user_input_form"] == [{"var": "y"}]
+
+    def test_standard_mode_no_config_raises(self, app: Flask) -> None:
+        app_model = SimpleNamespace(mode="chat", app_model_config=None)
+        with app.test_request_context("/parameters"):
+            with pytest.raises(AppUnavailableError):
+                AppParameterApi().get(app_model, SimpleNamespace())
+
+
+# ---------------------------------------------------------------------------
+# AppMeta
+# ---------------------------------------------------------------------------
+class TestAppMeta:
+    @patch("controllers.web.app.AppService")
+    def test_get_returns_meta(self, mock_service_cls: MagicMock, app: Flask) -> None:
+        mock_service_cls.return_value.get_app_meta.return_value = {"tool_icons": {}}
+        app_model = SimpleNamespace(id="app-1")
+
+        with app.test_request_context("/meta"):
+            result = AppMeta().get(app_model, SimpleNamespace())
+
+        assert result == {"tool_icons": {}}
+
+
+# ---------------------------------------------------------------------------
+# AppAccessMode
+# ---------------------------------------------------------------------------
+class TestAppAccessMode:
+    @patch("controllers.web.app.FeatureService.get_system_features")
+    def test_returns_public_when_webapp_auth_disabled(self, mock_features: MagicMock, app: Flask) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+
+        with app.test_request_context("/webapp/access-mode?appId=app-1"):
+            result = AppAccessMode().get()
+
+        assert result == {"accessMode": "public"}
+
+    @patch("controllers.web.app.EnterpriseService.WebAppAuth.get_app_access_mode_by_id")
+    @patch("controllers.web.app.FeatureService.get_system_features")
+    def test_returns_access_mode_with_app_id(
+        self, mock_features: MagicMock, mock_access: MagicMock, app: Flask
+    ) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=True))
+        mock_access.return_value = SimpleNamespace(access_mode="internal")
+
+        with app.test_request_context("/webapp/access-mode?appId=app-1"):
+            result = AppAccessMode().get()
+
+        assert result == {"accessMode": "internal"}
+        mock_access.assert_called_once_with("app-1")
+
+    @patch("controllers.web.app.AppService.get_app_id_by_code", return_value="resolved-id")
+    @patch("controllers.web.app.EnterpriseService.WebAppAuth.get_app_access_mode_by_id")
+    @patch("controllers.web.app.FeatureService.get_system_features")
+    def test_resolves_app_code_to_id(
+        self, mock_features: MagicMock, mock_access: MagicMock, mock_resolve: MagicMock, app: Flask
+    ) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=True))
+        mock_access.return_value = SimpleNamespace(access_mode="external")
+
+        with app.test_request_context("/webapp/access-mode?appCode=code1"):
+            result = AppAccessMode().get()
+
+        mock_resolve.assert_called_once_with("code1")
+        mock_access.assert_called_once_with("resolved-id")
+        assert result == {"accessMode": "external"}
+
+    @patch("controllers.web.app.FeatureService.get_system_features")
+    def test_raises_when_no_app_id_or_code(self, mock_features: MagicMock, app: Flask) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=True))
+
+        with app.test_request_context("/webapp/access-mode"):
+            with pytest.raises(ValueError, match="appId or appCode"):
+                AppAccessMode().get()
+
+
+# ---------------------------------------------------------------------------
+# AppWebAuthPermission
+# ---------------------------------------------------------------------------
+class TestAppWebAuthPermission:
+    @patch("controllers.web.app.WebAppAuthService.is_app_require_permission_check", return_value=False)
+    def test_returns_true_when_no_permission_check_required(self, mock_check: MagicMock, app: Flask) -> None:
+        with app.test_request_context("/webapp/permission?appId=app-1", headers={"X-App-Code": "code1"}):
+            result = AppWebAuthPermission().get()
+
+        assert result == {"result": True}
+
+    def test_raises_when_missing_app_id(self, app: Flask) -> None:
+        with app.test_request_context("/webapp/permission", headers={"X-App-Code": "code1"}):
+            with pytest.raises(ValueError, match="appId"):
+                AppWebAuthPermission().get()

api/tests/unit_tests/controllers/web/test_audio.py

@@ -0,0 +1,135 @@
+"""Unit tests for controllers.web.audio endpoints."""
+
+from __future__ import annotations
+
+from io import BytesIO
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.web.audio import AudioApi, TextApi
+from controllers.web.error import (
+    AudioTooLargeError,
+    CompletionRequestError,
+    NoAudioUploadedError,
+    ProviderModelCurrentlyNotSupportError,
+    ProviderNotInitializeError,
+    ProviderNotSupportSpeechToTextError,
+    ProviderQuotaExceededError,
+    UnsupportedAudioTypeError,
+)
+from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
+from dify_graph.model_runtime.errors.invoke import InvokeError
+from services.errors.audio import (
+    AudioTooLargeServiceError,
+    NoAudioUploadedServiceError,
+    ProviderNotSupportSpeechToTextServiceError,
+    UnsupportedAudioTypeServiceError,
+)
+
+
+def _app_model() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="chat")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1", external_user_id="ext-1")
+
+
+# ---------------------------------------------------------------------------
+# AudioApi (audio-to-text)
+# ---------------------------------------------------------------------------
+class TestAudioApi:
+    @patch("controllers.web.audio.AudioService.transcript_asr", return_value={"text": "hello"})
+    def test_happy_path(self, mock_asr: MagicMock, app: Flask) -> None:
+        app.config["RESTX_MASK_HEADER"] = "X-Fields"
+        data = {"file": (BytesIO(b"fake-audio"), "test.mp3")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            result = AudioApi().post(_app_model(), _end_user())
+
+        assert result == {"text": "hello"}
+
+    @patch("controllers.web.audio.AudioService.transcript_asr", side_effect=NoAudioUploadedServiceError())
+    def test_no_audio_uploaded(self, mock_asr: MagicMock, app: Flask) -> None:
+        data = {"file": (BytesIO(b""), "empty.mp3")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(NoAudioUploadedError):
+                AudioApi().post(_app_model(), _end_user())
+
+    @patch("controllers.web.audio.AudioService.transcript_asr", side_effect=AudioTooLargeServiceError("too big"))
+    def test_audio_too_large(self, mock_asr: MagicMock, app: Flask) -> None:
+        data = {"file": (BytesIO(b"big"), "big.mp3")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(AudioTooLargeError):
+                AudioApi().post(_app_model(), _end_user())
+
+    @patch("controllers.web.audio.AudioService.transcript_asr", side_effect=UnsupportedAudioTypeServiceError())
+    def test_unsupported_type(self, mock_asr: MagicMock, app: Flask) -> None:
+        data = {"file": (BytesIO(b"bad"), "bad.xyz")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(UnsupportedAudioTypeError):
+                AudioApi().post(_app_model(), _end_user())
+
+    @patch(
+        "controllers.web.audio.AudioService.transcript_asr",
+        side_effect=ProviderNotSupportSpeechToTextServiceError(),
+    )
+    def test_provider_not_support(self, mock_asr: MagicMock, app: Flask) -> None:
+        data = {"file": (BytesIO(b"x"), "x.mp3")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(ProviderNotSupportSpeechToTextError):
+                AudioApi().post(_app_model(), _end_user())
+
+    @patch(
+        "controllers.web.audio.AudioService.transcript_asr",
+        side_effect=ProviderTokenNotInitError(description="no token"),
+    )
+    def test_provider_not_init(self, mock_asr: MagicMock, app: Flask) -> None:
+        data = {"file": (BytesIO(b"x"), "x.mp3")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(ProviderNotInitializeError):
+                AudioApi().post(_app_model(), _end_user())
+
+    @patch("controllers.web.audio.AudioService.transcript_asr", side_effect=QuotaExceededError())
+    def test_quota_exceeded(self, mock_asr: MagicMock, app: Flask) -> None:
+        data = {"file": (BytesIO(b"x"), "x.mp3")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(ProviderQuotaExceededError):
+                AudioApi().post(_app_model(), _end_user())
+
+    @patch("controllers.web.audio.AudioService.transcript_asr", side_effect=ModelCurrentlyNotSupportError())
+    def test_model_not_support(self, mock_asr: MagicMock, app: Flask) -> None:
+        data = {"file": (BytesIO(b"x"), "x.mp3")}
+        with app.test_request_context("/audio-to-text", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(ProviderModelCurrentlyNotSupportError):
+                AudioApi().post(_app_model(), _end_user())
+
+
+# ---------------------------------------------------------------------------
+# TextApi (text-to-audio)
+# ---------------------------------------------------------------------------
+class TestTextApi:
+    @patch("controllers.web.audio.AudioService.transcript_tts", return_value="audio-bytes")
+    @patch("controllers.web.audio.web_ns")
+    def test_happy_path(self, mock_ns: MagicMock, mock_tts: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"text": "hello", "voice": "alloy"}
+
+        with app.test_request_context("/text-to-audio", method="POST"):
+            result = TextApi().post(_app_model(), _end_user())
+
+        assert result == "audio-bytes"
+        mock_tts.assert_called_once()
+
+    @patch(
+        "controllers.web.audio.AudioService.transcript_tts",
+        side_effect=InvokeError(description="invoke failed"),
+    )
+    @patch("controllers.web.audio.web_ns")
+    def test_invoke_error_mapped(self, mock_ns: MagicMock, mock_tts: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"text": "hello"}
+
+        with app.test_request_context("/text-to-audio", method="POST"):
+            with pytest.raises(CompletionRequestError):
+                TextApi().post(_app_model(), _end_user())

api/tests/unit_tests/controllers/web/test_completion.py

@@ -0,0 +1,161 @@
+"""Unit tests for controllers.web.completion endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.web.completion import ChatApi, ChatStopApi, CompletionApi, CompletionStopApi
+from controllers.web.error import (
+    CompletionRequestError,
+    NotChatAppError,
+    NotCompletionAppError,
+    ProviderModelCurrentlyNotSupportError,
+    ProviderNotInitializeError,
+    ProviderQuotaExceededError,
+)
+from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
+from dify_graph.model_runtime.errors.invoke import InvokeError
+
+
+def _completion_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="completion")
+
+
+def _chat_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="chat")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+# ---------------------------------------------------------------------------
+# CompletionApi
+# ---------------------------------------------------------------------------
+class TestCompletionApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/completion-messages", method="POST"):
+            with pytest.raises(NotCompletionAppError):
+                CompletionApi().post(_chat_app(), _end_user())
+
+    @patch("controllers.web.completion.helper.compact_generate_response", return_value={"answer": "hi"})
+    @patch("controllers.web.completion.AppGenerateService.generate")
+    @patch("controllers.web.completion.web_ns")
+    def test_happy_path(self, mock_ns: MagicMock, mock_gen: MagicMock, mock_compact: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}, "query": "test"}
+        mock_gen.return_value = "response-obj"
+
+        with app.test_request_context("/completion-messages", method="POST"):
+            result = CompletionApi().post(_completion_app(), _end_user())
+
+        assert result == {"answer": "hi"}
+
+    @patch(
+        "controllers.web.completion.AppGenerateService.generate",
+        side_effect=ProviderTokenNotInitError(description="not init"),
+    )
+    @patch("controllers.web.completion.web_ns")
+    def test_provider_not_init_error(self, mock_ns: MagicMock, mock_gen: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}}
+
+        with app.test_request_context("/completion-messages", method="POST"):
+            with pytest.raises(ProviderNotInitializeError):
+                CompletionApi().post(_completion_app(), _end_user())
+
+    @patch(
+        "controllers.web.completion.AppGenerateService.generate",
+        side_effect=QuotaExceededError(),
+    )
+    @patch("controllers.web.completion.web_ns")
+    def test_quota_exceeded_error(self, mock_ns: MagicMock, mock_gen: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}}
+
+        with app.test_request_context("/completion-messages", method="POST"):
+            with pytest.raises(ProviderQuotaExceededError):
+                CompletionApi().post(_completion_app(), _end_user())
+
+    @patch(
+        "controllers.web.completion.AppGenerateService.generate",
+        side_effect=ModelCurrentlyNotSupportError(),
+    )
+    @patch("controllers.web.completion.web_ns")
+    def test_model_not_support_error(self, mock_ns: MagicMock, mock_gen: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}}
+
+        with app.test_request_context("/completion-messages", method="POST"):
+            with pytest.raises(ProviderModelCurrentlyNotSupportError):
+                CompletionApi().post(_completion_app(), _end_user())
+
+
+# ---------------------------------------------------------------------------
+# CompletionStopApi
+# ---------------------------------------------------------------------------
+class TestCompletionStopApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/completion-messages/task-1/stop", method="POST"):
+            with pytest.raises(NotCompletionAppError):
+                CompletionStopApi().post(_chat_app(), _end_user(), "task-1")
+
+    @patch("controllers.web.completion.AppTaskService.stop_task")
+    def test_stop_success(self, mock_stop: MagicMock, app: Flask) -> None:
+        with app.test_request_context("/completion-messages/task-1/stop", method="POST"):
+            result, status = CompletionStopApi().post(_completion_app(), _end_user(), "task-1")
+
+        assert status == 200
+        assert result == {"result": "success"}
+
+
+# ---------------------------------------------------------------------------
+# ChatApi
+# ---------------------------------------------------------------------------
+class TestChatApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/chat-messages", method="POST"):
+            with pytest.raises(NotChatAppError):
+                ChatApi().post(_completion_app(), _end_user())
+
+    @patch("controllers.web.completion.helper.compact_generate_response", return_value={"answer": "reply"})
+    @patch("controllers.web.completion.AppGenerateService.generate")
+    @patch("controllers.web.completion.web_ns")
+    def test_happy_path(self, mock_ns: MagicMock, mock_gen: MagicMock, mock_compact: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}, "query": "hi"}
+        mock_gen.return_value = "response"
+
+        with app.test_request_context("/chat-messages", method="POST"):
+            result = ChatApi().post(_chat_app(), _end_user())
+
+        assert result == {"answer": "reply"}
+
+    @patch(
+        "controllers.web.completion.AppGenerateService.generate",
+        side_effect=InvokeError(description="rate limit"),
+    )
+    @patch("controllers.web.completion.web_ns")
+    def test_invoke_error_mapped(self, mock_ns: MagicMock, mock_gen: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}, "query": "x"}
+
+        with app.test_request_context("/chat-messages", method="POST"):
+            with pytest.raises(CompletionRequestError):
+                ChatApi().post(_chat_app(), _end_user())
+
+
+# ---------------------------------------------------------------------------
+# ChatStopApi
+# ---------------------------------------------------------------------------
+class TestChatStopApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/chat-messages/task-1/stop", method="POST"):
+            with pytest.raises(NotChatAppError):
+                ChatStopApi().post(_completion_app(), _end_user(), "task-1")
+
+    @patch("controllers.web.completion.AppTaskService.stop_task")
+    def test_stop_success(self, mock_stop: MagicMock, app: Flask) -> None:
+        with app.test_request_context("/chat-messages/task-1/stop", method="POST"):
+            result, status = ChatStopApi().post(_chat_app(), _end_user(), "task-1")
+
+        assert status == 200
+        assert result == {"result": "success"}

api/tests/unit_tests/controllers/web/test_conversation.py

@@ -0,0 +1,183 @@
+"""Unit tests for controllers.web.conversation endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+from uuid import uuid4
+
+import pytest
+from flask import Flask
+from werkzeug.exceptions import NotFound
+
+from controllers.web.conversation import (
+    ConversationApi,
+    ConversationListApi,
+    ConversationPinApi,
+    ConversationRenameApi,
+    ConversationUnPinApi,
+)
+from controllers.web.error import NotChatAppError
+from services.errors.conversation import ConversationNotExistsError
+
+
+def _chat_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="chat")
+
+
+def _completion_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="completion")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+# ---------------------------------------------------------------------------
+# ConversationListApi
+# ---------------------------------------------------------------------------
+class TestConversationListApi:
+    def test_non_chat_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/conversations"):
+            with pytest.raises(NotChatAppError):
+                ConversationListApi().get(_completion_app(), _end_user())
+
+    @patch("controllers.web.conversation.WebConversationService.pagination_by_last_id")
+    @patch("controllers.web.conversation.db")
+    def test_happy_path(self, mock_db: MagicMock, mock_paginate: MagicMock, app: Flask) -> None:
+        conv_id = str(uuid4())
+        conv = SimpleNamespace(
+            id=conv_id,
+            name="Test",
+            inputs={},
+            status="normal",
+            introduction="",
+            created_at=1700000000,
+            updated_at=1700000000,
+        )
+        mock_paginate.return_value = SimpleNamespace(limit=20, has_more=False, data=[conv])
+        mock_db.engine = "engine"
+
+        session_mock = MagicMock()
+        session_ctx = MagicMock()
+        session_ctx.__enter__ = MagicMock(return_value=session_mock)
+        session_ctx.__exit__ = MagicMock(return_value=False)
+
+        with (
+            app.test_request_context("/conversations?limit=20"),
+            patch("controllers.web.conversation.Session", return_value=session_ctx),
+        ):
+            result = ConversationListApi().get(_chat_app(), _end_user())
+
+        assert result["limit"] == 20
+        assert result["has_more"] is False
+
+
+# ---------------------------------------------------------------------------
+# ConversationApi (delete)
+# ---------------------------------------------------------------------------
+class TestConversationApi:
+    def test_non_chat_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context(f"/conversations/{uuid4()}"):
+            with pytest.raises(NotChatAppError):
+                ConversationApi().delete(_completion_app(), _end_user(), uuid4())
+
+    @patch("controllers.web.conversation.ConversationService.delete")
+    def test_delete_success(self, mock_delete: MagicMock, app: Flask) -> None:
+        c_id = uuid4()
+        with app.test_request_context(f"/conversations/{c_id}"):
+            result, status = ConversationApi().delete(_chat_app(), _end_user(), c_id)
+
+        assert status == 204
+        assert result["result"] == "success"
+
+    @patch("controllers.web.conversation.ConversationService.delete", side_effect=ConversationNotExistsError())
+    def test_delete_not_found(self, mock_delete: MagicMock, app: Flask) -> None:
+        c_id = uuid4()
+        with app.test_request_context(f"/conversations/{c_id}"):
+            with pytest.raises(NotFound, match="Conversation Not Exists"):
+                ConversationApi().delete(_chat_app(), _end_user(), c_id)
+
+
+# ---------------------------------------------------------------------------
+# ConversationRenameApi
+# ---------------------------------------------------------------------------
+class TestConversationRenameApi:
+    def test_non_chat_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context(f"/conversations/{uuid4()}/name", method="POST", json={"name": "x"}):
+            with pytest.raises(NotChatAppError):
+                ConversationRenameApi().post(_completion_app(), _end_user(), uuid4())
+
+    @patch("controllers.web.conversation.ConversationService.rename")
+    @patch("controllers.web.conversation.web_ns")
+    def test_rename_success(self, mock_ns: MagicMock, mock_rename: MagicMock, app: Flask) -> None:
+        c_id = uuid4()
+        mock_ns.payload = {"name": "New Name", "auto_generate": False}
+        conv = SimpleNamespace(
+            id=str(c_id),
+            name="New Name",
+            inputs={},
+            status="normal",
+            introduction="",
+            created_at=1700000000,
+            updated_at=1700000000,
+        )
+        mock_rename.return_value = conv
+
+        with app.test_request_context(f"/conversations/{c_id}/name", method="POST", json={"name": "New Name"}):
+            result = ConversationRenameApi().post(_chat_app(), _end_user(), c_id)
+
+        assert result["name"] == "New Name"
+
+    @patch(
+        "controllers.web.conversation.ConversationService.rename",
+        side_effect=ConversationNotExistsError(),
+    )
+    @patch("controllers.web.conversation.web_ns")
+    def test_rename_not_found(self, mock_ns: MagicMock, mock_rename: MagicMock, app: Flask) -> None:
+        c_id = uuid4()
+        mock_ns.payload = {"name": "X", "auto_generate": False}
+
+        with app.test_request_context(f"/conversations/{c_id}/name", method="POST", json={"name": "X"}):
+            with pytest.raises(NotFound, match="Conversation Not Exists"):
+                ConversationRenameApi().post(_chat_app(), _end_user(), c_id)
+
+
+# ---------------------------------------------------------------------------
+# ConversationPinApi / ConversationUnPinApi
+# ---------------------------------------------------------------------------
+class TestConversationPinApi:
+    def test_non_chat_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context(f"/conversations/{uuid4()}/pin", method="PATCH"):
+            with pytest.raises(NotChatAppError):
+                ConversationPinApi().patch(_completion_app(), _end_user(), uuid4())
+
+    @patch("controllers.web.conversation.WebConversationService.pin")
+    def test_pin_success(self, mock_pin: MagicMock, app: Flask) -> None:
+        c_id = uuid4()
+        with app.test_request_context(f"/conversations/{c_id}/pin", method="PATCH"):
+            result = ConversationPinApi().patch(_chat_app(), _end_user(), c_id)
+
+        assert result["result"] == "success"
+
+    @patch("controllers.web.conversation.WebConversationService.pin", side_effect=ConversationNotExistsError())
+    def test_pin_not_found(self, mock_pin: MagicMock, app: Flask) -> None:
+        c_id = uuid4()
+        with app.test_request_context(f"/conversations/{c_id}/pin", method="PATCH"):
+            with pytest.raises(NotFound):
+                ConversationPinApi().patch(_chat_app(), _end_user(), c_id)
+
+
+class TestConversationUnPinApi:
+    def test_non_chat_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context(f"/conversations/{uuid4()}/unpin", method="PATCH"):
+            with pytest.raises(NotChatAppError):
+                ConversationUnPinApi().patch(_completion_app(), _end_user(), uuid4())
+
+    @patch("controllers.web.conversation.WebConversationService.unpin")
+    def test_unpin_success(self, mock_unpin: MagicMock, app: Flask) -> None:
+        c_id = uuid4()
+        with app.test_request_context(f"/conversations/{c_id}/unpin", method="PATCH"):
+            result = ConversationUnPinApi().patch(_chat_app(), _end_user(), c_id)
+
+        assert result["result"] == "success"

api/tests/unit_tests/controllers/web/test_error.py

@@ -0,0 +1,75 @@
+"""Unit tests for controllers.web.error HTTP exception classes."""
+
+from __future__ import annotations
+
+import pytest
+
+from controllers.web.error import (
+    AppMoreLikeThisDisabledError,
+    AppSuggestedQuestionsAfterAnswerDisabledError,
+    AppUnavailableError,
+    AudioTooLargeError,
+    CompletionRequestError,
+    ConversationCompletedError,
+    InvalidArgumentError,
+    InvokeRateLimitError,
+    NoAudioUploadedError,
+    NotChatAppError,
+    NotCompletionAppError,
+    NotFoundError,
+    NotWorkflowAppError,
+    ProviderModelCurrentlyNotSupportError,
+    ProviderNotInitializeError,
+    ProviderNotSupportSpeechToTextError,
+    ProviderQuotaExceededError,
+    UnsupportedAudioTypeError,
+    WebAppAuthAccessDeniedError,
+    WebAppAuthRequiredError,
+    WebFormRateLimitExceededError,
+)
+
+_ERROR_SPECS: list[tuple[type, str, int]] = [
+    (AppUnavailableError, "app_unavailable", 400),
+    (NotCompletionAppError, "not_completion_app", 400),
+    (NotChatAppError, "not_chat_app", 400),
+    (NotWorkflowAppError, "not_workflow_app", 400),
+    (ConversationCompletedError, "conversation_completed", 400),
+    (ProviderNotInitializeError, "provider_not_initialize", 400),
+    (ProviderQuotaExceededError, "provider_quota_exceeded", 400),
+    (ProviderModelCurrentlyNotSupportError, "model_currently_not_support", 400),
+    (CompletionRequestError, "completion_request_error", 400),
+    (AppMoreLikeThisDisabledError, "app_more_like_this_disabled", 403),
+    (AppSuggestedQuestionsAfterAnswerDisabledError, "app_suggested_questions_after_answer_disabled", 403),
+    (NoAudioUploadedError, "no_audio_uploaded", 400),
+    (AudioTooLargeError, "audio_too_large", 413),
+    (UnsupportedAudioTypeError, "unsupported_audio_type", 415),
+    (ProviderNotSupportSpeechToTextError, "provider_not_support_speech_to_text", 400),
+    (WebAppAuthRequiredError, "web_sso_auth_required", 401),
+    (WebAppAuthAccessDeniedError, "web_app_access_denied", 401),
+    (InvokeRateLimitError, "rate_limit_error", 429),
+    (WebFormRateLimitExceededError, "web_form_rate_limit_exceeded", 429),
+    (NotFoundError, "not_found", 404),
+    (InvalidArgumentError, "invalid_param", 400),
+]
+
+
+@pytest.mark.parametrize(
+    ("cls", "expected_code", "expected_status"),
+    _ERROR_SPECS,
+    ids=[cls.__name__ for cls, _, _ in _ERROR_SPECS],
+)
+def test_error_class_attributes(cls: type, expected_code: str, expected_status: int) -> None:
+    """Each error class exposes the correct error_code and HTTP status code."""
+    assert cls.error_code == expected_code
+    assert cls.code == expected_status
+
+
+def test_error_classes_have_description() -> None:
+    """Every error class has a description (string or None for generic errors)."""
+    # NotFoundError and InvalidArgumentError use None description by design
+    _NO_DESCRIPTION = {NotFoundError, InvalidArgumentError}
+    for cls, _, _ in _ERROR_SPECS:
+        if cls in _NO_DESCRIPTION:
+            continue
+        assert isinstance(cls.description, str), f"{cls.__name__} missing description"
+        assert len(cls.description) > 0, f"{cls.__name__} has empty description"

api/tests/unit_tests/controllers/web/test_feature.py

@@ -0,0 +1,38 @@
+"""Unit tests for controllers.web.feature endpoints."""
+
+from __future__ import annotations
+
+from unittest.mock import MagicMock, patch
+
+from flask import Flask
+
+from controllers.web.feature import SystemFeatureApi
+
+
+class TestSystemFeatureApi:
+    @patch("controllers.web.feature.FeatureService.get_system_features")
+    def test_returns_system_features(self, mock_features: MagicMock, app: Flask) -> None:
+        mock_model = MagicMock()
+        mock_model.model_dump.return_value = {"sso_enforced_for_signin": False, "webapp_auth": {"enabled": False}}
+        mock_features.return_value = mock_model
+
+        with app.test_request_context("/system-features"):
+            result = SystemFeatureApi().get()
+
+        assert result == {"sso_enforced_for_signin": False, "webapp_auth": {"enabled": False}}
+        mock_features.assert_called_once()
+
+    @patch("controllers.web.feature.FeatureService.get_system_features")
+    def test_unauthenticated_access(self, mock_features: MagicMock, app: Flask) -> None:
+        """SystemFeatureApi is unauthenticated by design — no WebApiResource decorator."""
+        mock_model = MagicMock()
+        mock_model.model_dump.return_value = {}
+        mock_features.return_value = mock_model
+
+        # Verify it's a bare Resource, not WebApiResource
+        from flask_restx import Resource
+
+        from controllers.web.wraps import WebApiResource
+
+        assert issubclass(SystemFeatureApi, Resource)
+        assert not issubclass(SystemFeatureApi, WebApiResource)

api/tests/unit_tests/controllers/web/test_files.py

@@ -0,0 +1,89 @@
+"""Unit tests for controllers.web.files endpoints."""
+
+from __future__ import annotations
+
+from io import BytesIO
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.common.errors import (
+    FilenameNotExistsError,
+    FileTooLargeError,
+    NoFileUploadedError,
+    TooManyFilesError,
+)
+from controllers.web.files import FileApi
+
+
+def _app_model() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+class TestFileApi:
+    def test_no_file_uploaded(self, app: Flask) -> None:
+        with app.test_request_context("/files/upload", method="POST", content_type="multipart/form-data"):
+            with pytest.raises(NoFileUploadedError):
+                FileApi().post(_app_model(), _end_user())
+
+    def test_too_many_files(self, app: Flask) -> None:
+        data = {
+            "file": (BytesIO(b"a"), "a.txt"),
+            "file2": (BytesIO(b"b"), "b.txt"),
+        }
+        with app.test_request_context("/files/upload", method="POST", data=data, content_type="multipart/form-data"):
+            # Now has "file" key but len(request.files) > 1
+            with pytest.raises(TooManyFilesError):
+                FileApi().post(_app_model(), _end_user())
+
+    def test_filename_missing(self, app: Flask) -> None:
+        data = {"file": (BytesIO(b"content"), "")}
+        with app.test_request_context("/files/upload", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(FilenameNotExistsError):
+                FileApi().post(_app_model(), _end_user())
+
+    @patch("controllers.web.files.FileService")
+    @patch("controllers.web.files.db")
+    def test_upload_success(self, mock_db: MagicMock, mock_file_svc_cls: MagicMock, app: Flask) -> None:
+        mock_db.engine = "engine"
+        from datetime import datetime
+
+        upload_file = SimpleNamespace(
+            id="file-1",
+            name="test.txt",
+            size=100,
+            extension="txt",
+            mime_type="text/plain",
+            created_by="eu-1",
+            created_at=datetime(2024, 1, 1),
+        )
+        mock_file_svc_cls.return_value.upload_file.return_value = upload_file
+
+        data = {"file": (BytesIO(b"content"), "test.txt")}
+        with app.test_request_context("/files/upload", method="POST", data=data, content_type="multipart/form-data"):
+            result, status = FileApi().post(_app_model(), _end_user())
+
+        assert status == 201
+        assert result["id"] == "file-1"
+        assert result["name"] == "test.txt"
+
+    @patch("controllers.web.files.FileService")
+    @patch("controllers.web.files.db")
+    def test_file_too_large_from_service(self, mock_db: MagicMock, mock_file_svc_cls: MagicMock, app: Flask) -> None:
+        import services.errors.file
+
+        mock_db.engine = "engine"
+        mock_file_svc_cls.return_value.upload_file.side_effect = services.errors.file.FileTooLargeError(
+            description="max 10MB"
+        )
+
+        data = {"file": (BytesIO(b"big"), "big.txt")}
+        with app.test_request_context("/files/upload", method="POST", data=data, content_type="multipart/form-data"):
+            with pytest.raises(FileTooLargeError):
+                FileApi().post(_app_model(), _end_user())

api/tests/unit_tests/controllers/web/test_message_endpoints.py

@@ -0,0 +1,156 @@
+"""Unit tests for controllers.web.message — feedback, more-like-this, suggested questions."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+from uuid import uuid4
+
+import pytest
+from flask import Flask
+from werkzeug.exceptions import NotFound
+
+from controllers.web.error import (
+    AppMoreLikeThisDisabledError,
+    NotChatAppError,
+    NotCompletionAppError,
+)
+from controllers.web.message import (
+    MessageFeedbackApi,
+    MessageMoreLikeThisApi,
+    MessageSuggestedQuestionApi,
+)
+from services.errors.app import MoreLikeThisDisabledError
+from services.errors.message import MessageNotExistsError
+
+
+def _chat_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="chat")
+
+
+def _completion_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="completion")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+# ---------------------------------------------------------------------------
+# MessageFeedbackApi
+# ---------------------------------------------------------------------------
+class TestMessageFeedbackApi:
+    @patch("controllers.web.message.MessageService.create_feedback")
+    @patch("controllers.web.message.web_ns")
+    def test_feedback_success(self, mock_ns: MagicMock, mock_create: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"rating": "like", "content": "great"}
+        msg_id = uuid4()
+
+        with app.test_request_context(f"/messages/{msg_id}/feedbacks", method="POST"):
+            result = MessageFeedbackApi().post(_chat_app(), _end_user(), msg_id)
+
+        assert result == {"result": "success"}
+        mock_create.assert_called_once()
+
+    @patch("controllers.web.message.MessageService.create_feedback")
+    @patch("controllers.web.message.web_ns")
+    def test_feedback_null_rating(self, mock_ns: MagicMock, mock_create: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"rating": None}
+        msg_id = uuid4()
+
+        with app.test_request_context(f"/messages/{msg_id}/feedbacks", method="POST"):
+            result = MessageFeedbackApi().post(_chat_app(), _end_user(), msg_id)
+
+        assert result == {"result": "success"}
+
+    @patch(
+        "controllers.web.message.MessageService.create_feedback",
+        side_effect=MessageNotExistsError(),
+    )
+    @patch("controllers.web.message.web_ns")
+    def test_feedback_message_not_found(self, mock_ns: MagicMock, mock_create: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"rating": "dislike"}
+        msg_id = uuid4()
+
+        with app.test_request_context(f"/messages/{msg_id}/feedbacks", method="POST"):
+            with pytest.raises(NotFound, match="Message Not Exists"):
+                MessageFeedbackApi().post(_chat_app(), _end_user(), msg_id)
+
+
+# ---------------------------------------------------------------------------
+# MessageMoreLikeThisApi
+# ---------------------------------------------------------------------------
+class TestMessageMoreLikeThisApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/messages/{msg_id}/more-like-this?response_mode=blocking"):
+            with pytest.raises(NotCompletionAppError):
+                MessageMoreLikeThisApi().get(_chat_app(), _end_user(), msg_id)
+
+    @patch("controllers.web.message.helper.compact_generate_response", return_value={"answer": "similar"})
+    @patch("controllers.web.message.AppGenerateService.generate_more_like_this")
+    def test_happy_path(self, mock_gen: MagicMock, mock_compact: MagicMock, app: Flask) -> None:
+        msg_id = uuid4()
+        mock_gen.return_value = "response"
+
+        with app.test_request_context(f"/messages/{msg_id}/more-like-this?response_mode=blocking"):
+            result = MessageMoreLikeThisApi().get(_completion_app(), _end_user(), msg_id)
+
+        assert result == {"answer": "similar"}
+
+    @patch(
+        "controllers.web.message.AppGenerateService.generate_more_like_this",
+        side_effect=MessageNotExistsError(),
+    )
+    def test_message_not_found(self, mock_gen: MagicMock, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/messages/{msg_id}/more-like-this?response_mode=blocking"):
+            with pytest.raises(NotFound, match="Message Not Exists"):
+                MessageMoreLikeThisApi().get(_completion_app(), _end_user(), msg_id)
+
+    @patch(
+        "controllers.web.message.AppGenerateService.generate_more_like_this",
+        side_effect=MoreLikeThisDisabledError(),
+    )
+    def test_feature_disabled(self, mock_gen: MagicMock, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/messages/{msg_id}/more-like-this?response_mode=blocking"):
+            with pytest.raises(AppMoreLikeThisDisabledError):
+                MessageMoreLikeThisApi().get(_completion_app(), _end_user(), msg_id)
+
+
+# ---------------------------------------------------------------------------
+# MessageSuggestedQuestionApi
+# ---------------------------------------------------------------------------
+class TestMessageSuggestedQuestionApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/messages/{msg_id}/suggested-questions"):
+            with pytest.raises(NotChatAppError):
+                MessageSuggestedQuestionApi().get(_completion_app(), _end_user(), msg_id)
+
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/messages/{msg_id}/suggested-questions"):
+            with pytest.raises(NotChatAppError):
+                MessageSuggestedQuestionApi().get(_completion_app(), _end_user(), msg_id)
+
+    @patch("controllers.web.message.MessageService.get_suggested_questions_after_answer")
+    def test_happy_path(self, mock_suggest: MagicMock, app: Flask) -> None:
+        msg_id = uuid4()
+        mock_suggest.return_value = ["What about X?", "Tell me more about Y."]
+
+        with app.test_request_context(f"/messages/{msg_id}/suggested-questions"):
+            result = MessageSuggestedQuestionApi().get(_chat_app(), _end_user(), msg_id)
+
+        assert result["data"] == ["What about X?", "Tell me more about Y."]
+
+    @patch(
+        "controllers.web.message.MessageService.get_suggested_questions_after_answer",
+        side_effect=MessageNotExistsError(),
+    )
+    def test_message_not_found(self, mock_suggest: MagicMock, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/messages/{msg_id}/suggested-questions"):
+            with pytest.raises(NotFound, match="Message not found"):
+                MessageSuggestedQuestionApi().get(_chat_app(), _end_user(), msg_id)

api/tests/unit_tests/controllers/web/test_passport.py

@@ -0,0 +1,103 @@
+from __future__ import annotations
+
+from types import SimpleNamespace
+
+import pytest
+from werkzeug.exceptions import NotFound, Unauthorized
+
+from controllers.web.error import WebAppAuthRequiredError
+from controllers.web.passport import (
+    PassportService,
+    decode_enterprise_webapp_user_id,
+    exchange_token_for_existing_web_user,
+    generate_session_id,
+)
+from services.webapp_auth_service import WebAppAuthType
+
+
+def test_decode_enterprise_webapp_user_id_none() -> None:
+    assert decode_enterprise_webapp_user_id(None) is None
+
+
+def test_decode_enterprise_webapp_user_id_invalid_source(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(PassportService, "verify", lambda *_args, **_kwargs: {"token_source": "bad"})
+    with pytest.raises(Unauthorized):
+        decode_enterprise_webapp_user_id("token")
+
+
+def test_decode_enterprise_webapp_user_id_valid(monkeypatch: pytest.MonkeyPatch) -> None:
+    decoded = {"token_source": "webapp_login_token", "user_id": "u1"}
+    monkeypatch.setattr(PassportService, "verify", lambda *_args, **_kwargs: decoded)
+    assert decode_enterprise_webapp_user_id("token") == decoded
+
+
+def test_exchange_token_public_flow(monkeypatch: pytest.MonkeyPatch) -> None:
+    site = SimpleNamespace(id="s1", app_id="a1", code="code", status="normal")
+    app_model = SimpleNamespace(id="a1", status="normal", enable_site=True)
+
+    def _scalar_side_effect(*_args, **_kwargs):
+        if not hasattr(_scalar_side_effect, "calls"):
+            _scalar_side_effect.calls = 0
+        _scalar_side_effect.calls += 1
+        return site if _scalar_side_effect.calls == 1 else app_model
+
+    db_session = SimpleNamespace(scalar=_scalar_side_effect)
+    monkeypatch.setattr("controllers.web.passport.db", SimpleNamespace(session=db_session))
+    monkeypatch.setattr("controllers.web.passport._exchange_for_public_app_token", lambda *_args, **_kwargs: "resp")
+
+    decoded = {"auth_type": "public"}
+    result = exchange_token_for_existing_web_user("code", decoded, WebAppAuthType.PUBLIC)
+    assert result == "resp"
+
+
+def test_exchange_token_requires_external(monkeypatch: pytest.MonkeyPatch) -> None:
+    site = SimpleNamespace(id="s1", app_id="a1", code="code", status="normal")
+    app_model = SimpleNamespace(id="a1", status="normal", enable_site=True)
+
+    def _scalar_side_effect(*_args, **_kwargs):
+        if not hasattr(_scalar_side_effect, "calls"):
+            _scalar_side_effect.calls = 0
+        _scalar_side_effect.calls += 1
+        return site if _scalar_side_effect.calls == 1 else app_model
+
+    db_session = SimpleNamespace(scalar=_scalar_side_effect)
+    monkeypatch.setattr("controllers.web.passport.db", SimpleNamespace(session=db_session))
+
+    decoded = {"auth_type": "internal"}
+    with pytest.raises(WebAppAuthRequiredError):
+        exchange_token_for_existing_web_user("code", decoded, WebAppAuthType.EXTERNAL)
+
+
+def test_exchange_token_missing_session_id(monkeypatch: pytest.MonkeyPatch) -> None:
+    site = SimpleNamespace(id="s1", app_id="a1", code="code", status="normal")
+    app_model = SimpleNamespace(id="a1", status="normal", enable_site=True, tenant_id="t1")
+
+    def _scalar_side_effect(*_args, **_kwargs):
+        if not hasattr(_scalar_side_effect, "calls"):
+            _scalar_side_effect.calls = 0
+        _scalar_side_effect.calls += 1
+        if _scalar_side_effect.calls == 1:
+            return site
+        if _scalar_side_effect.calls == 2:
+            return app_model
+        return None
+
+    db_session = SimpleNamespace(scalar=_scalar_side_effect, add=lambda *_a, **_k: None, commit=lambda: None)
+    monkeypatch.setattr("controllers.web.passport.db", SimpleNamespace(session=db_session))
+
+    decoded = {"auth_type": "internal"}
+    with pytest.raises(NotFound):
+        exchange_token_for_existing_web_user("code", decoded, WebAppAuthType.INTERNAL)
+
+
+def test_generate_session_id(monkeypatch: pytest.MonkeyPatch) -> None:
+    counts = [1, 0]
+
+    def _scalar(*_args, **_kwargs):
+        return counts.pop(0)
+
+    db_session = SimpleNamespace(scalar=_scalar)
+    monkeypatch.setattr("controllers.web.passport.db", SimpleNamespace(session=db_session))
+
+    session_id = generate_session_id()
+    assert session_id

api/tests/unit_tests/controllers/web/test_pydantic_models.py

@@ -0,0 +1,423 @@
+"""Unit tests for Pydantic models defined in controllers.web modules.
+
+Covers validation logic, field defaults, constraints, and custom validators
+for all ~15 Pydantic models across the web controller layer.
+"""
+
+from __future__ import annotations
+
+from uuid import uuid4
+
+import pytest
+from pydantic import ValidationError
+
+# ---------------------------------------------------------------------------
+# app.py models
+# ---------------------------------------------------------------------------
+from controllers.web.app import AppAccessModeQuery
+
+
+class TestAppAccessModeQuery:
+    def test_alias_resolution(self) -> None:
+        q = AppAccessModeQuery.model_validate({"appId": "abc", "appCode": "xyz"})
+        assert q.app_id == "abc"
+        assert q.app_code == "xyz"
+
+    def test_defaults_to_none(self) -> None:
+        q = AppAccessModeQuery.model_validate({})
+        assert q.app_id is None
+        assert q.app_code is None
+
+    def test_accepts_snake_case(self) -> None:
+        q = AppAccessModeQuery(app_id="id1", app_code="code1")
+        assert q.app_id == "id1"
+        assert q.app_code == "code1"
+
+
+# ---------------------------------------------------------------------------
+# audio.py models
+# ---------------------------------------------------------------------------
+from controllers.web.audio import TextToAudioPayload
+
+
+class TestTextToAudioPayload:
+    def test_defaults(self) -> None:
+        p = TextToAudioPayload.model_validate({})
+        assert p.message_id is None
+        assert p.voice is None
+        assert p.text is None
+        assert p.streaming is None
+
+    def test_valid_uuid_message_id(self) -> None:
+        uid = str(uuid4())
+        p = TextToAudioPayload(message_id=uid)
+        assert p.message_id == uid
+
+    def test_none_message_id_passthrough(self) -> None:
+        p = TextToAudioPayload(message_id=None)
+        assert p.message_id is None
+
+    def test_invalid_uuid_message_id(self) -> None:
+        with pytest.raises(ValidationError, match="not a valid uuid"):
+            TextToAudioPayload(message_id="not-a-uuid")
+
+
+# ---------------------------------------------------------------------------
+# completion.py models
+# ---------------------------------------------------------------------------
+from controllers.web.completion import ChatMessagePayload, CompletionMessagePayload
+
+
+class TestCompletionMessagePayload:
+    def test_defaults(self) -> None:
+        p = CompletionMessagePayload(inputs={})
+        assert p.query == ""
+        assert p.files is None
+        assert p.response_mode is None
+        assert p.retriever_from == "web_app"
+
+    def test_accepts_full_payload(self) -> None:
+        p = CompletionMessagePayload(
+            inputs={"key": "val"},
+            query="test",
+            files=[{"id": "f1"}],
+            response_mode="streaming",
+        )
+        assert p.response_mode == "streaming"
+        assert p.files == [{"id": "f1"}]
+
+    def test_invalid_response_mode(self) -> None:
+        with pytest.raises(ValidationError):
+            CompletionMessagePayload(inputs={}, response_mode="invalid")
+
+
+class TestChatMessagePayload:
+    def test_valid_uuid_fields(self) -> None:
+        cid = str(uuid4())
+        pid = str(uuid4())
+        p = ChatMessagePayload(inputs={}, query="hi", conversation_id=cid, parent_message_id=pid)
+        assert p.conversation_id == cid
+        assert p.parent_message_id == pid
+
+    def test_none_uuid_fields(self) -> None:
+        p = ChatMessagePayload(inputs={}, query="hi")
+        assert p.conversation_id is None
+        assert p.parent_message_id is None
+
+    def test_invalid_conversation_id(self) -> None:
+        with pytest.raises(ValidationError, match="not a valid uuid"):
+            ChatMessagePayload(inputs={}, query="hi", conversation_id="bad")
+
+    def test_invalid_parent_message_id(self) -> None:
+        with pytest.raises(ValidationError, match="not a valid uuid"):
+            ChatMessagePayload(inputs={}, query="hi", parent_message_id="bad")
+
+    def test_query_required(self) -> None:
+        with pytest.raises(ValidationError):
+            ChatMessagePayload(inputs={})
+
+
+# ---------------------------------------------------------------------------
+# conversation.py models
+# ---------------------------------------------------------------------------
+from controllers.web.conversation import ConversationListQuery, ConversationRenamePayload
+
+
+class TestConversationListQuery:
+    def test_defaults(self) -> None:
+        q = ConversationListQuery()
+        assert q.last_id is None
+        assert q.limit == 20
+        assert q.pinned is None
+        assert q.sort_by == "-updated_at"
+
+    def test_limit_lower_bound(self) -> None:
+        with pytest.raises(ValidationError):
+            ConversationListQuery(limit=0)
+
+    def test_limit_upper_bound(self) -> None:
+        with pytest.raises(ValidationError):
+            ConversationListQuery(limit=101)
+
+    def test_limit_boundaries_valid(self) -> None:
+        assert ConversationListQuery(limit=1).limit == 1
+        assert ConversationListQuery(limit=100).limit == 100
+
+    def test_valid_sort_by_options(self) -> None:
+        for opt in ("created_at", "-created_at", "updated_at", "-updated_at"):
+            assert ConversationListQuery(sort_by=opt).sort_by == opt
+
+    def test_invalid_sort_by(self) -> None:
+        with pytest.raises(ValidationError):
+            ConversationListQuery(sort_by="invalid")
+
+    def test_valid_last_id(self) -> None:
+        uid = str(uuid4())
+        assert ConversationListQuery(last_id=uid).last_id == uid
+
+    def test_invalid_last_id(self) -> None:
+        with pytest.raises(ValidationError, match="not a valid uuid"):
+            ConversationListQuery(last_id="not-uuid")
+
+
+class TestConversationRenamePayload:
+    def test_auto_generate_true_no_name_required(self) -> None:
+        p = ConversationRenamePayload(auto_generate=True)
+        assert p.name is None
+
+    def test_auto_generate_false_requires_name(self) -> None:
+        with pytest.raises(ValidationError, match="name is required"):
+            ConversationRenamePayload(auto_generate=False)
+
+    def test_auto_generate_false_blank_name_rejected(self) -> None:
+        with pytest.raises(ValidationError, match="name is required"):
+            ConversationRenamePayload(auto_generate=False, name="   ")
+
+    def test_auto_generate_false_with_valid_name(self) -> None:
+        p = ConversationRenamePayload(auto_generate=False, name="My Chat")
+        assert p.name == "My Chat"
+
+    def test_defaults(self) -> None:
+        p = ConversationRenamePayload(name="test")
+        assert p.auto_generate is False
+        assert p.name == "test"
+
+
+# ---------------------------------------------------------------------------
+# message.py models
+# ---------------------------------------------------------------------------
+from controllers.web.message import MessageFeedbackPayload, MessageListQuery, MessageMoreLikeThisQuery
+
+
+class TestMessageListQuery:
+    def test_valid_query(self) -> None:
+        cid = str(uuid4())
+        q = MessageListQuery(conversation_id=cid)
+        assert q.conversation_id == cid
+        assert q.first_id is None
+        assert q.limit == 20
+
+    def test_invalid_conversation_id(self) -> None:
+        with pytest.raises(ValidationError, match="not a valid uuid"):
+            MessageListQuery(conversation_id="bad")
+
+    def test_limit_bounds(self) -> None:
+        cid = str(uuid4())
+        with pytest.raises(ValidationError):
+            MessageListQuery(conversation_id=cid, limit=0)
+        with pytest.raises(ValidationError):
+            MessageListQuery(conversation_id=cid, limit=101)
+
+    def test_valid_first_id(self) -> None:
+        cid = str(uuid4())
+        fid = str(uuid4())
+        q = MessageListQuery(conversation_id=cid, first_id=fid)
+        assert q.first_id == fid
+
+    def test_invalid_first_id(self) -> None:
+        cid = str(uuid4())
+        with pytest.raises(ValidationError, match="not a valid uuid"):
+            MessageListQuery(conversation_id=cid, first_id="invalid")
+
+
+class TestMessageFeedbackPayload:
+    def test_defaults(self) -> None:
+        p = MessageFeedbackPayload()
+        assert p.rating is None
+        assert p.content is None
+
+    def test_valid_ratings(self) -> None:
+        assert MessageFeedbackPayload(rating="like").rating == "like"
+        assert MessageFeedbackPayload(rating="dislike").rating == "dislike"
+
+    def test_invalid_rating(self) -> None:
+        with pytest.raises(ValidationError):
+            MessageFeedbackPayload(rating="neutral")
+
+
+class TestMessageMoreLikeThisQuery:
+    def test_valid_modes(self) -> None:
+        assert MessageMoreLikeThisQuery(response_mode="blocking").response_mode == "blocking"
+        assert MessageMoreLikeThisQuery(response_mode="streaming").response_mode == "streaming"
+
+    def test_invalid_mode(self) -> None:
+        with pytest.raises(ValidationError):
+            MessageMoreLikeThisQuery(response_mode="invalid")
+
+    def test_required(self) -> None:
+        with pytest.raises(ValidationError):
+            MessageMoreLikeThisQuery()
+
+
+# ---------------------------------------------------------------------------
+# remote_files.py models
+# ---------------------------------------------------------------------------
+from controllers.web.remote_files import RemoteFileUploadPayload
+
+
+class TestRemoteFileUploadPayload:
+    def test_valid_url(self) -> None:
+        p = RemoteFileUploadPayload(url="https://example.com/file.pdf")
+        assert str(p.url) == "https://example.com/file.pdf"
+
+    def test_invalid_url(self) -> None:
+        with pytest.raises(ValidationError):
+            RemoteFileUploadPayload(url="not-a-url")
+
+    def test_url_required(self) -> None:
+        with pytest.raises(ValidationError):
+            RemoteFileUploadPayload()
+
+
+# ---------------------------------------------------------------------------
+# saved_message.py models
+# ---------------------------------------------------------------------------
+from controllers.web.saved_message import SavedMessageCreatePayload, SavedMessageListQuery
+
+
+class TestSavedMessageListQuery:
+    def test_defaults(self) -> None:
+        q = SavedMessageListQuery()
+        assert q.last_id is None
+        assert q.limit == 20
+
+    def test_limit_bounds(self) -> None:
+        with pytest.raises(ValidationError):
+            SavedMessageListQuery(limit=0)
+        with pytest.raises(ValidationError):
+            SavedMessageListQuery(limit=101)
+
+    def test_valid_last_id(self) -> None:
+        uid = str(uuid4())
+        q = SavedMessageListQuery(last_id=uid)
+        assert q.last_id == uid
+
+    def test_empty_last_id(self) -> None:
+        q = SavedMessageListQuery(last_id="")
+        assert q.last_id == ""
+
+
+class TestSavedMessageCreatePayload:
+    def test_valid_message_id(self) -> None:
+        uid = str(uuid4())
+        p = SavedMessageCreatePayload(message_id=uid)
+        assert p.message_id == uid
+
+    def test_required(self) -> None:
+        with pytest.raises(ValidationError):
+            SavedMessageCreatePayload()
+
+
+# ---------------------------------------------------------------------------
+# workflow.py models
+# ---------------------------------------------------------------------------
+from controllers.web.workflow import WorkflowRunPayload
+
+
+class TestWorkflowRunPayload:
+    def test_defaults(self) -> None:
+        p = WorkflowRunPayload(inputs={})
+        assert p.inputs == {}
+        assert p.files is None
+
+    def test_with_files(self) -> None:
+        p = WorkflowRunPayload(inputs={"k": "v"}, files=[{"id": "f1"}])
+        assert p.files == [{"id": "f1"}]
+
+    def test_inputs_required(self) -> None:
+        with pytest.raises(ValidationError):
+            WorkflowRunPayload()
+
+
+# ---------------------------------------------------------------------------
+# forgot_password.py models
+# ---------------------------------------------------------------------------
+from controllers.web.forgot_password import (
+    ForgotPasswordCheckPayload,
+    ForgotPasswordResetPayload,
+    ForgotPasswordSendPayload,
+)
+
+
+class TestForgotPasswordSendPayload:
+    def test_valid_email(self) -> None:
+        p = ForgotPasswordSendPayload(email="user@example.com")
+        assert p.email == "user@example.com"
+
+    def test_invalid_email(self) -> None:
+        with pytest.raises(ValidationError, match="not a valid email"):
+            ForgotPasswordSendPayload(email="not-an-email")
+
+    def test_language_optional(self) -> None:
+        p = ForgotPasswordSendPayload(email="a@b.com")
+        assert p.language is None
+
+
+class TestForgotPasswordCheckPayload:
+    def test_valid(self) -> None:
+        p = ForgotPasswordCheckPayload(email="a@b.com", code="1234", token="tok")
+        assert p.email == "a@b.com"
+        assert p.code == "1234"
+        assert p.token == "tok"
+
+    def test_empty_token_rejected(self) -> None:
+        with pytest.raises(ValidationError):
+            ForgotPasswordCheckPayload(email="a@b.com", code="1234", token="")
+
+
+class TestForgotPasswordResetPayload:
+    def test_valid_passwords(self) -> None:
+        p = ForgotPasswordResetPayload(token="tok", new_password="Valid1234", password_confirm="Valid1234")
+        assert p.new_password == "Valid1234"
+
+    def test_weak_password_rejected(self) -> None:
+        with pytest.raises(ValidationError, match="Password must contain"):
+            ForgotPasswordResetPayload(token="tok", new_password="short", password_confirm="short")
+
+    def test_letters_only_password_rejected(self) -> None:
+        with pytest.raises(ValidationError, match="Password must contain"):
+            ForgotPasswordResetPayload(token="tok", new_password="abcdefghi", password_confirm="abcdefghi")
+
+    def test_digits_only_password_rejected(self) -> None:
+        with pytest.raises(ValidationError, match="Password must contain"):
+            ForgotPasswordResetPayload(token="tok", new_password="123456789", password_confirm="123456789")
+
+
+# ---------------------------------------------------------------------------
+# login.py models
+# ---------------------------------------------------------------------------
+from controllers.web.login import EmailCodeLoginSendPayload, EmailCodeLoginVerifyPayload, LoginPayload
+
+
+class TestLoginPayload:
+    def test_valid(self) -> None:
+        p = LoginPayload(email="a@b.com", password="Valid1234")
+        assert p.email == "a@b.com"
+
+    def test_invalid_email(self) -> None:
+        with pytest.raises(ValidationError, match="not a valid email"):
+            LoginPayload(email="bad", password="Valid1234")
+
+    def test_weak_password(self) -> None:
+        with pytest.raises(ValidationError, match="Password must contain"):
+            LoginPayload(email="a@b.com", password="weak")
+
+
+class TestEmailCodeLoginSendPayload:
+    def test_valid(self) -> None:
+        p = EmailCodeLoginSendPayload(email="a@b.com")
+        assert p.language is None
+
+    def test_with_language(self) -> None:
+        p = EmailCodeLoginSendPayload(email="a@b.com", language="zh-Hans")
+        assert p.language == "zh-Hans"
+
+
+class TestEmailCodeLoginVerifyPayload:
+    def test_valid(self) -> None:
+        p = EmailCodeLoginVerifyPayload(email="a@b.com", code="1234", token="tok")
+        assert p.code == "1234"
+
+    def test_empty_token_rejected(self) -> None:
+        with pytest.raises(ValidationError):
+            EmailCodeLoginVerifyPayload(email="a@b.com", code="1234", token="")

api/tests/unit_tests/controllers/web/test_remote_files.py

@@ -0,0 +1,147 @@
+"""Unit tests for controllers.web.remote_files endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.common.errors import FileTooLargeError, RemoteFileUploadError
+from controllers.web.remote_files import RemoteFileInfoApi, RemoteFileUploadApi
+
+
+def _app_model() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+# ---------------------------------------------------------------------------
+# RemoteFileInfoApi
+# ---------------------------------------------------------------------------
+class TestRemoteFileInfoApi:
+    @patch("controllers.web.remote_files.ssrf_proxy")
+    def test_head_success(self, mock_proxy: MagicMock, app: Flask) -> None:
+        mock_resp = MagicMock()
+        mock_resp.status_code = 200
+        mock_resp.headers = {"Content-Type": "application/pdf", "Content-Length": "1024"}
+        mock_proxy.head.return_value = mock_resp
+
+        with app.test_request_context("/remote-files/https%3A%2F%2Fexample.com%2Ffile.pdf"):
+            result = RemoteFileInfoApi().get(_app_model(), _end_user(), "https%3A%2F%2Fexample.com%2Ffile.pdf")
+
+        assert result["file_type"] == "application/pdf"
+        assert result["file_length"] == 1024
+
+    @patch("controllers.web.remote_files.ssrf_proxy")
+    def test_fallback_to_get(self, mock_proxy: MagicMock, app: Flask) -> None:
+        head_resp = MagicMock()
+        head_resp.status_code = 405  # Method not allowed
+        get_resp = MagicMock()
+        get_resp.status_code = 200
+        get_resp.headers = {"Content-Type": "text/plain", "Content-Length": "42"}
+        get_resp.raise_for_status = MagicMock()
+        mock_proxy.head.return_value = head_resp
+        mock_proxy.get.return_value = get_resp
+
+        with app.test_request_context("/remote-files/https%3A%2F%2Fexample.com%2Ffile.txt"):
+            result = RemoteFileInfoApi().get(_app_model(), _end_user(), "https%3A%2F%2Fexample.com%2Ffile.txt")
+
+        assert result["file_type"] == "text/plain"
+        mock_proxy.get.assert_called_once()
+
+
+# ---------------------------------------------------------------------------
+# RemoteFileUploadApi
+# ---------------------------------------------------------------------------
+class TestRemoteFileUploadApi:
+    @patch("controllers.web.remote_files.file_helpers.get_signed_file_url", return_value="https://signed-url")
+    @patch("controllers.web.remote_files.FileService")
+    @patch("controllers.web.remote_files.helpers.guess_file_info_from_response")
+    @patch("controllers.web.remote_files.ssrf_proxy")
+    @patch("controllers.web.remote_files.web_ns")
+    @patch("controllers.web.remote_files.db")
+    def test_upload_success(
+        self,
+        mock_db: MagicMock,
+        mock_ns: MagicMock,
+        mock_proxy: MagicMock,
+        mock_guess: MagicMock,
+        mock_file_svc_cls: MagicMock,
+        mock_signed: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_db.engine = "engine"
+        mock_ns.payload = {"url": "https://example.com/file.pdf"}
+        head_resp = MagicMock()
+        head_resp.status_code = 200
+        head_resp.content = b"pdf-content"
+        head_resp.request.method = "HEAD"
+        mock_proxy.head.return_value = head_resp
+        get_resp = MagicMock()
+        get_resp.content = b"pdf-content"
+        mock_proxy.get.return_value = get_resp
+
+        mock_guess.return_value = SimpleNamespace(
+            filename="file.pdf", extension="pdf", mimetype="application/pdf", size=100
+        )
+        mock_file_svc_cls.is_file_size_within_limit.return_value = True
+
+        from datetime import datetime
+
+        upload_file = SimpleNamespace(
+            id="f-1",
+            name="file.pdf",
+            size=100,
+            extension="pdf",
+            mime_type="application/pdf",
+            created_by="eu-1",
+            created_at=datetime(2024, 1, 1),
+        )
+        mock_file_svc_cls.return_value.upload_file.return_value = upload_file
+
+        with app.test_request_context("/remote-files/upload", method="POST"):
+            result, status = RemoteFileUploadApi().post(_app_model(), _end_user())
+
+        assert status == 201
+        assert result["id"] == "f-1"
+
+    @patch("controllers.web.remote_files.FileService.is_file_size_within_limit", return_value=False)
+    @patch("controllers.web.remote_files.helpers.guess_file_info_from_response")
+    @patch("controllers.web.remote_files.ssrf_proxy")
+    @patch("controllers.web.remote_files.web_ns")
+    def test_file_too_large(
+        self,
+        mock_ns: MagicMock,
+        mock_proxy: MagicMock,
+        mock_guess: MagicMock,
+        mock_size_check: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_ns.payload = {"url": "https://example.com/big.zip"}
+        head_resp = MagicMock()
+        head_resp.status_code = 200
+        mock_proxy.head.return_value = head_resp
+        mock_guess.return_value = SimpleNamespace(
+            filename="big.zip", extension="zip", mimetype="application/zip", size=999999999
+        )
+
+        with app.test_request_context("/remote-files/upload", method="POST"):
+            with pytest.raises(FileTooLargeError):
+                RemoteFileUploadApi().post(_app_model(), _end_user())
+
+    @patch("controllers.web.remote_files.ssrf_proxy")
+    @patch("controllers.web.remote_files.web_ns")
+    def test_fetch_failure_raises(self, mock_ns: MagicMock, mock_proxy: MagicMock, app: Flask) -> None:
+        import httpx
+
+        mock_ns.payload = {"url": "https://example.com/bad"}
+        mock_proxy.head.side_effect = httpx.RequestError("connection failed")
+
+        with app.test_request_context("/remote-files/upload", method="POST"):
+            with pytest.raises(RemoteFileUploadError):
+                RemoteFileUploadApi().post(_app_model(), _end_user())

api/tests/unit_tests/controllers/web/test_saved_message.py

@@ -0,0 +1,97 @@
+"""Unit tests for controllers.web.saved_message endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+from uuid import uuid4
+
+import pytest
+from flask import Flask
+from werkzeug.exceptions import NotFound
+
+from controllers.web.error import NotCompletionAppError
+from controllers.web.saved_message import SavedMessageApi, SavedMessageListApi
+from services.errors.message import MessageNotExistsError
+
+
+def _completion_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="completion")
+
+
+def _chat_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="chat")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+# ---------------------------------------------------------------------------
+# SavedMessageListApi (GET)
+# ---------------------------------------------------------------------------
+class TestSavedMessageListApiGet:
+    def test_non_completion_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/saved-messages"):
+            with pytest.raises(NotCompletionAppError):
+                SavedMessageListApi().get(_chat_app(), _end_user())
+
+    @patch("controllers.web.saved_message.SavedMessageService.pagination_by_last_id")
+    def test_happy_path(self, mock_paginate: MagicMock, app: Flask) -> None:
+        mock_paginate.return_value = SimpleNamespace(limit=20, has_more=False, data=[])
+
+        with app.test_request_context("/saved-messages?limit=20"):
+            result = SavedMessageListApi().get(_completion_app(), _end_user())
+
+        assert result["limit"] == 20
+        assert result["has_more"] is False
+
+
+# ---------------------------------------------------------------------------
+# SavedMessageListApi (POST)
+# ---------------------------------------------------------------------------
+class TestSavedMessageListApiPost:
+    def test_non_completion_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/saved-messages", method="POST"):
+            with pytest.raises(NotCompletionAppError):
+                SavedMessageListApi().post(_chat_app(), _end_user())
+
+    @patch("controllers.web.saved_message.SavedMessageService.save")
+    @patch("controllers.web.saved_message.web_ns")
+    def test_save_success(self, mock_ns: MagicMock, mock_save: MagicMock, app: Flask) -> None:
+        msg_id = str(uuid4())
+        mock_ns.payload = {"message_id": msg_id}
+
+        with app.test_request_context("/saved-messages", method="POST"):
+            result = SavedMessageListApi().post(_completion_app(), _end_user())
+
+        assert result["result"] == "success"
+
+    @patch("controllers.web.saved_message.SavedMessageService.save", side_effect=MessageNotExistsError())
+    @patch("controllers.web.saved_message.web_ns")
+    def test_save_not_found(self, mock_ns: MagicMock, mock_save: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"message_id": str(uuid4())}
+
+        with app.test_request_context("/saved-messages", method="POST"):
+            with pytest.raises(NotFound, match="Message Not Exists"):
+                SavedMessageListApi().post(_completion_app(), _end_user())
+
+
+# ---------------------------------------------------------------------------
+# SavedMessageApi (DELETE)
+# ---------------------------------------------------------------------------
+class TestSavedMessageApi:
+    def test_non_completion_mode_raises(self, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/saved-messages/{msg_id}", method="DELETE"):
+            with pytest.raises(NotCompletionAppError):
+                SavedMessageApi().delete(_chat_app(), _end_user(), msg_id)
+
+    @patch("controllers.web.saved_message.SavedMessageService.delete")
+    def test_delete_success(self, mock_delete: MagicMock, app: Flask) -> None:
+        msg_id = uuid4()
+        with app.test_request_context(f"/saved-messages/{msg_id}", method="DELETE"):
+            result, status = SavedMessageApi().delete(_completion_app(), _end_user(), msg_id)
+
+        assert status == 204
+        assert result["result"] == "success"

api/tests/unit_tests/controllers/web/test_site.py

@@ -0,0 +1,126 @@
+"""Unit tests for controllers.web.site endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+from werkzeug.exceptions import Forbidden
+
+from controllers.web.site import AppSiteApi, AppSiteInfo
+
+
+def _tenant(*, status: str = "normal") -> SimpleNamespace:
+    return SimpleNamespace(
+        id="tenant-1",
+        status=status,
+        plan="basic",
+        custom_config_dict={"remove_webapp_brand": False, "replace_webapp_logo": False},
+    )
+
+
+def _site() -> SimpleNamespace:
+    return SimpleNamespace(
+        title="Site",
+        icon_type="emoji",
+        icon="robot",
+        icon_background="#fff",
+        description="desc",
+        default_language="en",
+        chat_color_theme="light",
+        chat_color_theme_inverted=False,
+        copyright=None,
+        privacy_policy=None,
+        custom_disclaimer=None,
+        prompt_public=False,
+        show_workflow_steps=True,
+        use_icon_as_answer_icon=False,
+    )
+
+
+# ---------------------------------------------------------------------------
+# AppSiteApi
+# ---------------------------------------------------------------------------
+class TestAppSiteApi:
+    @patch("controllers.web.site.FeatureService.get_features")
+    @patch("controllers.web.site.db")
+    def test_happy_path(self, mock_db: MagicMock, mock_features: MagicMock, app: Flask) -> None:
+        app.config["RESTX_MASK_HEADER"] = "X-Fields"
+        mock_features.return_value = SimpleNamespace(can_replace_logo=False)
+        site_obj = _site()
+        mock_db.session.query.return_value.where.return_value.first.return_value = site_obj
+        tenant = _tenant()
+        app_model = SimpleNamespace(id="app-1", tenant_id="tenant-1", tenant=tenant, enable_site=True)
+        end_user = SimpleNamespace(id="eu-1")
+
+        with app.test_request_context("/site"):
+            result = AppSiteApi().get(app_model, end_user)
+
+        # marshal_with serializes AppSiteInfo to a dict
+        assert result["app_id"] == "app-1"
+        assert result["plan"] == "basic"
+        assert result["enable_site"] is True
+
+    @patch("controllers.web.site.db")
+    def test_missing_site_raises_forbidden(self, mock_db: MagicMock, app: Flask) -> None:
+        app.config["RESTX_MASK_HEADER"] = "X-Fields"
+        mock_db.session.query.return_value.where.return_value.first.return_value = None
+        tenant = _tenant()
+        app_model = SimpleNamespace(id="app-1", tenant_id="tenant-1", tenant=tenant)
+        end_user = SimpleNamespace(id="eu-1")
+
+        with app.test_request_context("/site"):
+            with pytest.raises(Forbidden):
+                AppSiteApi().get(app_model, end_user)
+
+    @patch("controllers.web.site.db")
+    def test_archived_tenant_raises_forbidden(self, mock_db: MagicMock, app: Flask) -> None:
+        app.config["RESTX_MASK_HEADER"] = "X-Fields"
+        from models.account import TenantStatus
+
+        mock_db.session.query.return_value.where.return_value.first.return_value = _site()
+        tenant = SimpleNamespace(
+            id="tenant-1",
+            status=TenantStatus.ARCHIVE,
+            plan="basic",
+            custom_config_dict={},
+        )
+        app_model = SimpleNamespace(id="app-1", tenant_id="tenant-1", tenant=tenant)
+        end_user = SimpleNamespace(id="eu-1")
+
+        with app.test_request_context("/site"):
+            with pytest.raises(Forbidden):
+                AppSiteApi().get(app_model, end_user)
+
+
+# ---------------------------------------------------------------------------
+# AppSiteInfo
+# ---------------------------------------------------------------------------
+class TestAppSiteInfo:
+    def test_basic_fields(self) -> None:
+        tenant = _tenant()
+        site_obj = _site()
+        info = AppSiteInfo(tenant, SimpleNamespace(id="app-1", enable_site=True), site_obj, "eu-1", False)
+
+        assert info.app_id == "app-1"
+        assert info.end_user_id == "eu-1"
+        assert info.enable_site is True
+        assert info.plan == "basic"
+        assert info.can_replace_logo is False
+        assert info.model_config is None
+
+    @patch("controllers.web.site.dify_config", SimpleNamespace(FILES_URL="https://files.example.com"))
+    def test_can_replace_logo_sets_custom_config(self) -> None:
+        tenant = SimpleNamespace(
+            id="tenant-1",
+            plan="pro",
+            custom_config_dict={"remove_webapp_brand": True, "replace_webapp_logo": True},
+        )
+        site_obj = _site()
+        info = AppSiteInfo(tenant, SimpleNamespace(id="app-1", enable_site=True), site_obj, "eu-1", True)
+
+        assert info.can_replace_logo is True
+        assert info.custom_config["remove_webapp_brand"] is True
+        assert "webapp-logo" in info.custom_config["replace_webapp_logo"]

api/tests/unit_tests/controllers/web/test_web_login.py

@@ -5,7 +5,8 @@ from unittest.mock import MagicMock, patch
 import pytest
 from flask import Flask
 
-from controllers.web.login import EmailCodeLoginApi, EmailCodeLoginSendEmailApi
+import services.errors.account
+from controllers.web.login import EmailCodeLoginApi, EmailCodeLoginSendEmailApi, LoginApi, LoginStatusApi, LogoutApi
 
 
 def encode_code(code: str) -> str:
@@ -89,3 +90,114 @@ class TestEmailCodeLoginApi:
         mock_revoke_token.assert_called_once_with("token-123")
         mock_login.assert_called_once()
         mock_reset_login_rate.assert_called_once_with("user@example.com")
+
+
+class TestLoginApi:
+    @patch("controllers.web.login.WebAppAuthService.login", return_value="access-tok")
+    @patch("controllers.web.login.WebAppAuthService.authenticate")
+    def test_login_success(self, mock_auth: MagicMock, mock_login: MagicMock, app: Flask) -> None:
+        mock_auth.return_value = MagicMock()
+
+        with app.test_request_context(
+            "/web/login",
+            method="POST",
+            json={"email": "user@example.com", "password": base64.b64encode(b"Valid1234").decode()},
+        ):
+            response = LoginApi().post()
+
+        assert response.get_json()["data"]["access_token"] == "access-tok"
+        mock_auth.assert_called_once()
+
+    @patch(
+        "controllers.web.login.WebAppAuthService.authenticate",
+        side_effect=services.errors.account.AccountLoginError(),
+    )
+    def test_login_banned_account(self, mock_auth: MagicMock, app: Flask) -> None:
+        from controllers.console.error import AccountBannedError
+
+        with app.test_request_context(
+            "/web/login",
+            method="POST",
+            json={"email": "user@example.com", "password": base64.b64encode(b"Valid1234").decode()},
+        ):
+            with pytest.raises(AccountBannedError):
+                LoginApi().post()
+
+    @patch(
+        "controllers.web.login.WebAppAuthService.authenticate",
+        side_effect=services.errors.account.AccountPasswordError(),
+    )
+    def test_login_wrong_password(self, mock_auth: MagicMock, app: Flask) -> None:
+        from controllers.console.auth.error import AuthenticationFailedError
+
+        with app.test_request_context(
+            "/web/login",
+            method="POST",
+            json={"email": "user@example.com", "password": base64.b64encode(b"Valid1234").decode()},
+        ):
+            with pytest.raises(AuthenticationFailedError):
+                LoginApi().post()
+
+
+class TestLoginStatusApi:
+    @patch("controllers.web.login.extract_webapp_access_token", return_value=None)
+    def test_no_app_code_returns_logged_in_false(self, mock_extract: MagicMock, app: Flask) -> None:
+        with app.test_request_context("/web/login/status"):
+            result = LoginStatusApi().get()
+
+        assert result["logged_in"] is False
+        assert result["app_logged_in"] is False
+
+    @patch("controllers.web.login.decode_jwt_token")
+    @patch("controllers.web.login.PassportService")
+    @patch("controllers.web.login.WebAppAuthService.is_app_require_permission_check", return_value=False)
+    @patch("controllers.web.login.AppService.get_app_id_by_code", return_value="app-1")
+    @patch("controllers.web.login.extract_webapp_access_token", return_value="tok")
+    def test_public_app_user_logged_in(
+        self,
+        mock_extract: MagicMock,
+        mock_app_id: MagicMock,
+        mock_perm: MagicMock,
+        mock_passport: MagicMock,
+        mock_decode: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_decode.return_value = (MagicMock(), MagicMock())
+
+        with app.test_request_context("/web/login/status?app_code=code1"):
+            result = LoginStatusApi().get()
+
+        assert result["logged_in"] is True
+        assert result["app_logged_in"] is True
+
+    @patch("controllers.web.login.decode_jwt_token", side_effect=Exception("bad"))
+    @patch("controllers.web.login.PassportService")
+    @patch("controllers.web.login.WebAppAuthService.is_app_require_permission_check", return_value=True)
+    @patch("controllers.web.login.AppService.get_app_id_by_code", return_value="app-1")
+    @patch("controllers.web.login.extract_webapp_access_token", return_value="tok")
+    def test_private_app_passport_fails(
+        self,
+        mock_extract: MagicMock,
+        mock_app_id: MagicMock,
+        mock_perm: MagicMock,
+        mock_passport_cls: MagicMock,
+        mock_decode: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_passport_cls.return_value.verify.side_effect = Exception("bad")
+
+        with app.test_request_context("/web/login/status?app_code=code1"):
+            result = LoginStatusApi().get()
+
+        assert result["logged_in"] is False
+        assert result["app_logged_in"] is False
+
+
+class TestLogoutApi:
+    @patch("controllers.web.login.clear_webapp_access_token_from_cookie")
+    def test_logout_success(self, mock_clear: MagicMock, app: Flask) -> None:
+        with app.test_request_context("/web/logout", method="POST"):
+            response = LogoutApi().post()
+
+        assert response.get_json() == {"result": "success"}
+        mock_clear.assert_called_once()

api/tests/unit_tests/controllers/web/test_web_passport.py

@@ -0,0 +1,192 @@
+"""Unit tests for controllers.web.passport — token issuance and enterprise auth exchange."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+from werkzeug.exceptions import NotFound, Unauthorized
+
+from controllers.web.error import WebAppAuthRequiredError
+from controllers.web.passport import (
+    PassportResource,
+    decode_enterprise_webapp_user_id,
+    exchange_token_for_existing_web_user,
+    generate_session_id,
+)
+from services.webapp_auth_service import WebAppAuthType
+
+
+# ---------------------------------------------------------------------------
+# decode_enterprise_webapp_user_id
+# ---------------------------------------------------------------------------
+class TestDecodeEnterpriseWebappUserId:
+    def test_none_token_returns_none(self) -> None:
+        assert decode_enterprise_webapp_user_id(None) is None
+
+    @patch("controllers.web.passport.PassportService")
+    def test_valid_token_returns_decoded(self, mock_passport_cls: MagicMock) -> None:
+        mock_passport_cls.return_value.verify.return_value = {
+            "token_source": "webapp_login_token",
+            "user_id": "u1",
+        }
+        result = decode_enterprise_webapp_user_id("valid-jwt")
+        assert result["user_id"] == "u1"
+
+    @patch("controllers.web.passport.PassportService")
+    def test_wrong_source_raises_unauthorized(self, mock_passport_cls: MagicMock) -> None:
+        mock_passport_cls.return_value.verify.return_value = {
+            "token_source": "other_source",
+        }
+        with pytest.raises(Unauthorized, match="Expected 'webapp_login_token'"):
+            decode_enterprise_webapp_user_id("bad-jwt")
+
+    @patch("controllers.web.passport.PassportService")
+    def test_missing_source_raises_unauthorized(self, mock_passport_cls: MagicMock) -> None:
+        mock_passport_cls.return_value.verify.return_value = {}
+        with pytest.raises(Unauthorized, match="Expected 'webapp_login_token'"):
+            decode_enterprise_webapp_user_id("no-source-jwt")
+
+
+# ---------------------------------------------------------------------------
+# generate_session_id
+# ---------------------------------------------------------------------------
+class TestGenerateSessionId:
+    @patch("controllers.web.passport.db")
+    def test_returns_unique_session_id(self, mock_db: MagicMock) -> None:
+        mock_db.session.scalar.return_value = 0
+        sid = generate_session_id()
+        assert isinstance(sid, str)
+        assert len(sid) == 36  # UUID format
+
+    @patch("controllers.web.passport.db")
+    def test_retries_on_collision(self, mock_db: MagicMock) -> None:
+        # First call returns count=1 (collision), second returns 0
+        mock_db.session.scalar.side_effect = [1, 0]
+        sid = generate_session_id()
+        assert isinstance(sid, str)
+        assert mock_db.session.scalar.call_count == 2
+
+
+# ---------------------------------------------------------------------------
+# exchange_token_for_existing_web_user
+# ---------------------------------------------------------------------------
+class TestExchangeTokenForExistingWebUser:
+    @patch("controllers.web.passport.PassportService")
+    @patch("controllers.web.passport.db")
+    def test_external_auth_type_mismatch_raises(self, mock_db: MagicMock, mock_passport_cls: MagicMock) -> None:
+        site = SimpleNamespace(code="code1", app_id="app-1")
+        app_model = SimpleNamespace(id="app-1", status="normal", enable_site=True, tenant_id="t1")
+        mock_db.session.scalar.side_effect = [site, app_model]
+
+        decoded = {"user_id": "u1", "auth_type": "internal"}  # mismatch: expected "external"
+        with pytest.raises(WebAppAuthRequiredError, match="external"):
+            exchange_token_for_existing_web_user(
+                app_code="code1", enterprise_user_decoded=decoded, auth_type=WebAppAuthType.EXTERNAL
+            )
+
+    @patch("controllers.web.passport.PassportService")
+    @patch("controllers.web.passport.db")
+    def test_internal_auth_type_mismatch_raises(self, mock_db: MagicMock, mock_passport_cls: MagicMock) -> None:
+        site = SimpleNamespace(code="code1", app_id="app-1")
+        app_model = SimpleNamespace(id="app-1", status="normal", enable_site=True, tenant_id="t1")
+        mock_db.session.scalar.side_effect = [site, app_model]
+
+        decoded = {"user_id": "u1", "auth_type": "external"}  # mismatch: expected "internal"
+        with pytest.raises(WebAppAuthRequiredError, match="internal"):
+            exchange_token_for_existing_web_user(
+                app_code="code1", enterprise_user_decoded=decoded, auth_type=WebAppAuthType.INTERNAL
+            )
+
+    @patch("controllers.web.passport.PassportService")
+    @patch("controllers.web.passport.db")
+    def test_site_not_found_raises(self, mock_db: MagicMock, mock_passport_cls: MagicMock) -> None:
+        mock_db.session.scalar.return_value = None
+        decoded = {"user_id": "u1", "auth_type": "external"}
+        with pytest.raises(NotFound):
+            exchange_token_for_existing_web_user(
+                app_code="code1", enterprise_user_decoded=decoded, auth_type=WebAppAuthType.EXTERNAL
+            )
+
+
+# ---------------------------------------------------------------------------
+# PassportResource.get
+# ---------------------------------------------------------------------------
+class TestPassportResource:
+    @patch("controllers.web.passport.FeatureService.get_system_features")
+    def test_missing_app_code_raises_unauthorized(self, mock_features: MagicMock, app: Flask) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+        with app.test_request_context("/passport"):
+            with pytest.raises(Unauthorized, match="X-App-Code"):
+                PassportResource().get()
+
+    @patch("controllers.web.passport.PassportService")
+    @patch("controllers.web.passport.generate_session_id", return_value="new-sess-id")
+    @patch("controllers.web.passport.db")
+    @patch("controllers.web.passport.FeatureService.get_system_features")
+    def test_creates_new_end_user_when_no_user_id(
+        self,
+        mock_features: MagicMock,
+        mock_db: MagicMock,
+        mock_gen_session: MagicMock,
+        mock_passport_cls: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+        site = SimpleNamespace(app_id="app-1", code="code1")
+        app_model = SimpleNamespace(id="app-1", status="normal", enable_site=True, tenant_id="t1")
+        mock_db.session.scalar.side_effect = [site, app_model]
+        mock_passport_cls.return_value.issue.return_value = "issued-token"
+
+        with app.test_request_context("/passport", headers={"X-App-Code": "code1"}):
+            response = PassportResource().get()
+
+        assert response.get_json()["access_token"] == "issued-token"
+        mock_db.session.add.assert_called_once()
+        mock_db.session.commit.assert_called_once()
+
+    @patch("controllers.web.passport.PassportService")
+    @patch("controllers.web.passport.db")
+    @patch("controllers.web.passport.FeatureService.get_system_features")
+    def test_reuses_existing_end_user_when_user_id_provided(
+        self,
+        mock_features: MagicMock,
+        mock_db: MagicMock,
+        mock_passport_cls: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+        site = SimpleNamespace(app_id="app-1", code="code1")
+        app_model = SimpleNamespace(id="app-1", status="normal", enable_site=True, tenant_id="t1")
+        existing_user = SimpleNamespace(id="eu-1", session_id="sess-existing")
+        mock_db.session.scalar.side_effect = [site, app_model, existing_user]
+        mock_passport_cls.return_value.issue.return_value = "reused-token"
+
+        with app.test_request_context("/passport?user_id=sess-existing", headers={"X-App-Code": "code1"}):
+            response = PassportResource().get()
+
+        assert response.get_json()["access_token"] == "reused-token"
+        # Should not create a new end user
+        mock_db.session.add.assert_not_called()
+
+    @patch("controllers.web.passport.db")
+    @patch("controllers.web.passport.FeatureService.get_system_features")
+    def test_site_not_found_raises(self, mock_features: MagicMock, mock_db: MagicMock, app: Flask) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+        mock_db.session.scalar.return_value = None
+        with app.test_request_context("/passport", headers={"X-App-Code": "code1"}):
+            with pytest.raises(NotFound):
+                PassportResource().get()
+
+    @patch("controllers.web.passport.db")
+    @patch("controllers.web.passport.FeatureService.get_system_features")
+    def test_disabled_app_raises_not_found(self, mock_features: MagicMock, mock_db: MagicMock, app: Flask) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+        site = SimpleNamespace(app_id="app-1", code="code1")
+        disabled_app = SimpleNamespace(id="app-1", status="normal", enable_site=False)
+        mock_db.session.scalar.side_effect = [site, disabled_app]
+        with app.test_request_context("/passport", headers={"X-App-Code": "code1"}):
+            with pytest.raises(NotFound):
+                PassportResource().get()

api/tests/unit_tests/controllers/web/test_workflow.py

@@ -0,0 +1,95 @@
+"""Unit tests for controllers.web.workflow endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.web.error import (
+    NotWorkflowAppError,
+    ProviderNotInitializeError,
+    ProviderQuotaExceededError,
+)
+from controllers.web.workflow import WorkflowRunApi, WorkflowTaskStopApi
+from core.errors.error import ProviderTokenNotInitError, QuotaExceededError
+
+
+def _workflow_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="workflow")
+
+
+def _chat_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", mode="chat")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+# ---------------------------------------------------------------------------
+# WorkflowRunApi
+# ---------------------------------------------------------------------------
+class TestWorkflowRunApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/workflows/run", method="POST"):
+            with pytest.raises(NotWorkflowAppError):
+                WorkflowRunApi().post(_chat_app(), _end_user())
+
+    @patch("controllers.web.workflow.helper.compact_generate_response", return_value={"result": "ok"})
+    @patch("controllers.web.workflow.AppGenerateService.generate")
+    @patch("controllers.web.workflow.web_ns")
+    def test_happy_path(self, mock_ns: MagicMock, mock_gen: MagicMock, mock_compact: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {"key": "val"}}
+        mock_gen.return_value = "response"
+
+        with app.test_request_context("/workflows/run", method="POST"):
+            result = WorkflowRunApi().post(_workflow_app(), _end_user())
+
+        assert result == {"result": "ok"}
+
+    @patch(
+        "controllers.web.workflow.AppGenerateService.generate",
+        side_effect=ProviderTokenNotInitError(description="not init"),
+    )
+    @patch("controllers.web.workflow.web_ns")
+    def test_provider_not_init(self, mock_ns: MagicMock, mock_gen: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}}
+
+        with app.test_request_context("/workflows/run", method="POST"):
+            with pytest.raises(ProviderNotInitializeError):
+                WorkflowRunApi().post(_workflow_app(), _end_user())
+
+    @patch(
+        "controllers.web.workflow.AppGenerateService.generate",
+        side_effect=QuotaExceededError(),
+    )
+    @patch("controllers.web.workflow.web_ns")
+    def test_quota_exceeded(self, mock_ns: MagicMock, mock_gen: MagicMock, app: Flask) -> None:
+        mock_ns.payload = {"inputs": {}}
+
+        with app.test_request_context("/workflows/run", method="POST"):
+            with pytest.raises(ProviderQuotaExceededError):
+                WorkflowRunApi().post(_workflow_app(), _end_user())
+
+
+# ---------------------------------------------------------------------------
+# WorkflowTaskStopApi
+# ---------------------------------------------------------------------------
+class TestWorkflowTaskStopApi:
+    def test_wrong_mode_raises(self, app: Flask) -> None:
+        with app.test_request_context("/workflows/tasks/task-1/stop", method="POST"):
+            with pytest.raises(NotWorkflowAppError):
+                WorkflowTaskStopApi().post(_chat_app(), _end_user(), "task-1")
+
+    @patch("controllers.web.workflow.GraphEngineManager.send_stop_command")
+    @patch("controllers.web.workflow.AppQueueManager.set_stop_flag_no_user_check")
+    def test_stop_calls_both_mechanisms(self, mock_legacy: MagicMock, mock_graph: MagicMock, app: Flask) -> None:
+        with app.test_request_context("/workflows/tasks/task-1/stop", method="POST"):
+            result = WorkflowTaskStopApi().post(_workflow_app(), _end_user(), "task-1")
+
+        assert result == {"result": "success"}
+        mock_legacy.assert_called_once_with("task-1")
+        mock_graph.assert_called_once_with("task-1")

api/tests/unit_tests/controllers/web/test_workflow_events.py

@@ -0,0 +1,127 @@
+"""Unit tests for controllers.web.workflow_events endpoints."""
+
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+
+from controllers.web.error import NotFoundError
+from controllers.web.workflow_events import WorkflowEventsApi
+from models.enums import CreatorUserRole
+
+
+def _workflow_app() -> SimpleNamespace:
+    return SimpleNamespace(id="app-1", tenant_id="tenant-1", mode="workflow")
+
+
+def _end_user() -> SimpleNamespace:
+    return SimpleNamespace(id="eu-1")
+
+
+# ---------------------------------------------------------------------------
+# WorkflowEventsApi
+# ---------------------------------------------------------------------------
+class TestWorkflowEventsApi:
+    @patch("controllers.web.workflow_events.DifyAPIRepositoryFactory")
+    @patch("controllers.web.workflow_events.db")
+    def test_workflow_run_not_found(self, mock_db: MagicMock, mock_factory: MagicMock, app: Flask) -> None:
+        mock_db.engine = "engine"
+        mock_repo = MagicMock()
+        mock_repo.get_workflow_run_by_id_and_tenant_id.return_value = None
+        mock_factory.create_api_workflow_run_repository.return_value = mock_repo
+
+        with app.test_request_context("/workflow/run-1/events"):
+            with pytest.raises(NotFoundError):
+                WorkflowEventsApi().get(_workflow_app(), _end_user(), "run-1")
+
+    @patch("controllers.web.workflow_events.DifyAPIRepositoryFactory")
+    @patch("controllers.web.workflow_events.db")
+    def test_workflow_run_wrong_app(self, mock_db: MagicMock, mock_factory: MagicMock, app: Flask) -> None:
+        mock_db.engine = "engine"
+        run = SimpleNamespace(
+            id="run-1",
+            app_id="other-app",
+            created_by_role=CreatorUserRole.END_USER,
+            created_by="eu-1",
+            finished_at=None,
+        )
+        mock_repo = MagicMock()
+        mock_repo.get_workflow_run_by_id_and_tenant_id.return_value = run
+        mock_factory.create_api_workflow_run_repository.return_value = mock_repo
+
+        with app.test_request_context("/workflow/run-1/events"):
+            with pytest.raises(NotFoundError):
+                WorkflowEventsApi().get(_workflow_app(), _end_user(), "run-1")
+
+    @patch("controllers.web.workflow_events.DifyAPIRepositoryFactory")
+    @patch("controllers.web.workflow_events.db")
+    def test_workflow_run_not_created_by_end_user(
+        self, mock_db: MagicMock, mock_factory: MagicMock, app: Flask
+    ) -> None:
+        mock_db.engine = "engine"
+        run = SimpleNamespace(
+            id="run-1",
+            app_id="app-1",
+            created_by_role=CreatorUserRole.ACCOUNT,
+            created_by="eu-1",
+            finished_at=None,
+        )
+        mock_repo = MagicMock()
+        mock_repo.get_workflow_run_by_id_and_tenant_id.return_value = run
+        mock_factory.create_api_workflow_run_repository.return_value = mock_repo
+
+        with app.test_request_context("/workflow/run-1/events"):
+            with pytest.raises(NotFoundError):
+                WorkflowEventsApi().get(_workflow_app(), _end_user(), "run-1")
+
+    @patch("controllers.web.workflow_events.DifyAPIRepositoryFactory")
+    @patch("controllers.web.workflow_events.db")
+    def test_workflow_run_wrong_end_user(self, mock_db: MagicMock, mock_factory: MagicMock, app: Flask) -> None:
+        mock_db.engine = "engine"
+        run = SimpleNamespace(
+            id="run-1",
+            app_id="app-1",
+            created_by_role=CreatorUserRole.END_USER,
+            created_by="other-user",
+            finished_at=None,
+        )
+        mock_repo = MagicMock()
+        mock_repo.get_workflow_run_by_id_and_tenant_id.return_value = run
+        mock_factory.create_api_workflow_run_repository.return_value = mock_repo
+
+        with app.test_request_context("/workflow/run-1/events"):
+            with pytest.raises(NotFoundError):
+                WorkflowEventsApi().get(_workflow_app(), _end_user(), "run-1")
+
+    @patch("controllers.web.workflow_events.WorkflowResponseConverter")
+    @patch("controllers.web.workflow_events.DifyAPIRepositoryFactory")
+    @patch("controllers.web.workflow_events.db")
+    def test_finished_run_returns_sse_response(
+        self, mock_db: MagicMock, mock_factory: MagicMock, mock_converter: MagicMock, app: Flask
+    ) -> None:
+        from datetime import datetime
+
+        mock_db.engine = "engine"
+        run = SimpleNamespace(
+            id="run-1",
+            app_id="app-1",
+            created_by_role=CreatorUserRole.END_USER,
+            created_by="eu-1",
+            finished_at=datetime(2024, 1, 1),
+        )
+        mock_repo = MagicMock()
+        mock_repo.get_workflow_run_by_id_and_tenant_id.return_value = run
+        mock_factory.create_api_workflow_run_repository.return_value = mock_repo
+
+        finish_response = MagicMock()
+        finish_response.model_dump.return_value = {"task_id": "run-1"}
+        finish_response.event.value = "workflow_finished"
+        mock_converter.workflow_run_result_to_finish_response.return_value = finish_response
+
+        with app.test_request_context("/workflow/run-1/events"):
+            response = WorkflowEventsApi().get(_workflow_app(), _end_user(), "run-1")
+
+        assert response.mimetype == "text/event-stream"

api/tests/unit_tests/controllers/web/test_wraps.py

@@ -0,0 +1,393 @@
+"""Unit tests for controllers.web.wraps — JWT auth decorator and validation helpers."""
+
+from __future__ import annotations
+
+from datetime import UTC, datetime, timedelta
+from types import SimpleNamespace
+from unittest.mock import MagicMock, patch
+
+import pytest
+from flask import Flask
+from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
+
+from controllers.web.error import WebAppAuthAccessDeniedError, WebAppAuthRequiredError
+from controllers.web.wraps import (
+    _validate_user_accessibility,
+    _validate_webapp_token,
+    decode_jwt_token,
+)
+
+
+# ---------------------------------------------------------------------------
+# _validate_webapp_token
+# ---------------------------------------------------------------------------
+class TestValidateWebappToken:
+    def test_enterprise_enabled_and_app_auth_requires_webapp_source(self) -> None:
+        """When both flags are true, a non-webapp source must raise."""
+        decoded = {"token_source": "other"}
+        with pytest.raises(WebAppAuthRequiredError):
+            _validate_webapp_token(decoded, app_web_auth_enabled=True, system_webapp_auth_enabled=True)
+
+    def test_enterprise_enabled_and_app_auth_accepts_webapp_source(self) -> None:
+        decoded = {"token_source": "webapp"}
+        _validate_webapp_token(decoded, app_web_auth_enabled=True, system_webapp_auth_enabled=True)
+
+    def test_enterprise_enabled_and_app_auth_missing_source_raises(self) -> None:
+        decoded = {}
+        with pytest.raises(WebAppAuthRequiredError):
+            _validate_webapp_token(decoded, app_web_auth_enabled=True, system_webapp_auth_enabled=True)
+
+    def test_public_app_rejects_webapp_source(self) -> None:
+        """When auth is not required, a webapp-sourced token must be rejected."""
+        decoded = {"token_source": "webapp"}
+        with pytest.raises(Unauthorized):
+            _validate_webapp_token(decoded, app_web_auth_enabled=False, system_webapp_auth_enabled=False)
+
+    def test_public_app_accepts_non_webapp_source(self) -> None:
+        decoded = {"token_source": "other"}
+        _validate_webapp_token(decoded, app_web_auth_enabled=False, system_webapp_auth_enabled=False)
+
+    def test_public_app_accepts_no_source(self) -> None:
+        decoded = {}
+        _validate_webapp_token(decoded, app_web_auth_enabled=False, system_webapp_auth_enabled=False)
+
+    def test_system_enabled_but_app_public(self) -> None:
+        """system_webapp_auth_enabled=True but app is public — webapp source rejected."""
+        decoded = {"token_source": "webapp"}
+        with pytest.raises(Unauthorized):
+            _validate_webapp_token(decoded, app_web_auth_enabled=False, system_webapp_auth_enabled=True)
+
+
+# ---------------------------------------------------------------------------
+# _validate_user_accessibility
+# ---------------------------------------------------------------------------
+class TestValidateUserAccessibility:
+    def test_skips_when_auth_disabled(self) -> None:
+        """No checks when system or app auth is disabled."""
+        _validate_user_accessibility(
+            decoded={},
+            app_code="code",
+            app_web_auth_enabled=False,
+            system_webapp_auth_enabled=False,
+            webapp_settings=None,
+        )
+
+    def test_missing_user_id_raises(self) -> None:
+        decoded = {}
+        with pytest.raises(WebAppAuthRequiredError):
+            _validate_user_accessibility(
+                decoded=decoded,
+                app_code="code",
+                app_web_auth_enabled=True,
+                system_webapp_auth_enabled=True,
+                webapp_settings=SimpleNamespace(access_mode="internal"),
+            )
+
+    def test_missing_webapp_settings_raises(self) -> None:
+        decoded = {"user_id": "u1"}
+        with pytest.raises(WebAppAuthRequiredError, match="settings not found"):
+            _validate_user_accessibility(
+                decoded=decoded,
+                app_code="code",
+                app_web_auth_enabled=True,
+                system_webapp_auth_enabled=True,
+                webapp_settings=None,
+            )
+
+    def test_missing_auth_type_raises(self) -> None:
+        decoded = {"user_id": "u1", "granted_at": 1}
+        settings = SimpleNamespace(access_mode="public")
+        with pytest.raises(WebAppAuthAccessDeniedError, match="auth_type"):
+            _validate_user_accessibility(
+                decoded=decoded,
+                app_code="code",
+                app_web_auth_enabled=True,
+                system_webapp_auth_enabled=True,
+                webapp_settings=settings,
+            )
+
+    def test_missing_granted_at_raises(self) -> None:
+        decoded = {"user_id": "u1", "auth_type": "external"}
+        settings = SimpleNamespace(access_mode="public")
+        with pytest.raises(WebAppAuthAccessDeniedError, match="granted_at"):
+            _validate_user_accessibility(
+                decoded=decoded,
+                app_code="code",
+                app_web_auth_enabled=True,
+                system_webapp_auth_enabled=True,
+                webapp_settings=settings,
+            )
+
+    @patch("controllers.web.wraps.EnterpriseService.get_app_sso_settings_last_update_time")
+    @patch("controllers.web.wraps.WebAppAuthService.is_app_require_permission_check", return_value=False)
+    def test_external_auth_type_checks_sso_update_time(
+        self, mock_perm_check: MagicMock, mock_sso_time: MagicMock
+    ) -> None:
+        # granted_at is before SSO update time → denied
+        mock_sso_time.return_value = datetime.now(UTC)
+        old_granted = int((datetime.now(UTC) - timedelta(hours=1)).timestamp())
+        decoded = {"user_id": "u1", "auth_type": "external", "granted_at": old_granted}
+        settings = SimpleNamespace(access_mode="public")
+        with pytest.raises(WebAppAuthAccessDeniedError, match="SSO settings"):
+            _validate_user_accessibility(
+                decoded=decoded,
+                app_code="code",
+                app_web_auth_enabled=True,
+                system_webapp_auth_enabled=True,
+                webapp_settings=settings,
+            )
+
+    @patch("controllers.web.wraps.EnterpriseService.get_workspace_sso_settings_last_update_time")
+    @patch("controllers.web.wraps.WebAppAuthService.is_app_require_permission_check", return_value=False)
+    def test_internal_auth_type_checks_workspace_sso_update_time(
+        self, mock_perm_check: MagicMock, mock_workspace_sso: MagicMock
+    ) -> None:
+        mock_workspace_sso.return_value = datetime.now(UTC)
+        old_granted = int((datetime.now(UTC) - timedelta(hours=1)).timestamp())
+        decoded = {"user_id": "u1", "auth_type": "internal", "granted_at": old_granted}
+        settings = SimpleNamespace(access_mode="public")
+        with pytest.raises(WebAppAuthAccessDeniedError, match="SSO settings"):
+            _validate_user_accessibility(
+                decoded=decoded,
+                app_code="code",
+                app_web_auth_enabled=True,
+                system_webapp_auth_enabled=True,
+                webapp_settings=settings,
+            )
+
+    @patch("controllers.web.wraps.EnterpriseService.get_app_sso_settings_last_update_time")
+    @patch("controllers.web.wraps.WebAppAuthService.is_app_require_permission_check", return_value=False)
+    def test_external_auth_passes_when_granted_after_sso_update(
+        self, mock_perm_check: MagicMock, mock_sso_time: MagicMock
+    ) -> None:
+        mock_sso_time.return_value = datetime.now(UTC) - timedelta(hours=2)
+        recent_granted = int(datetime.now(UTC).timestamp())
+        decoded = {"user_id": "u1", "auth_type": "external", "granted_at": recent_granted}
+        settings = SimpleNamespace(access_mode="public")
+        # Should not raise
+        _validate_user_accessibility(
+            decoded=decoded,
+            app_code="code",
+            app_web_auth_enabled=True,
+            system_webapp_auth_enabled=True,
+            webapp_settings=settings,
+        )
+
+    @patch("controllers.web.wraps.EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp", return_value=False)
+    @patch("controllers.web.wraps.AppService.get_app_id_by_code", return_value="app-id-1")
+    @patch("controllers.web.wraps.WebAppAuthService.is_app_require_permission_check", return_value=True)
+    def test_permission_check_denies_unauthorized_user(
+        self, mock_perm: MagicMock, mock_app_id: MagicMock, mock_allowed: MagicMock
+    ) -> None:
+        decoded = {"user_id": "u1", "auth_type": "external", "granted_at": int(datetime.now(UTC).timestamp())}
+        settings = SimpleNamespace(access_mode="internal")
+        with pytest.raises(WebAppAuthAccessDeniedError):
+            _validate_user_accessibility(
+                decoded=decoded,
+                app_code="code",
+                app_web_auth_enabled=True,
+                system_webapp_auth_enabled=True,
+                webapp_settings=settings,
+            )
+
+
+# ---------------------------------------------------------------------------
+# decode_jwt_token
+# ---------------------------------------------------------------------------
+class TestDecodeJwtToken:
+    @patch("controllers.web.wraps._validate_user_accessibility")
+    @patch("controllers.web.wraps._validate_webapp_token")
+    @patch("controllers.web.wraps.EnterpriseService.WebAppAuth.get_app_access_mode_by_id")
+    @patch("controllers.web.wraps.AppService.get_app_id_by_code")
+    @patch("controllers.web.wraps.FeatureService.get_system_features")
+    @patch("controllers.web.wraps.PassportService")
+    @patch("controllers.web.wraps.extract_webapp_passport")
+    @patch("controllers.web.wraps.db")
+    def test_happy_path(
+        self,
+        mock_db: MagicMock,
+        mock_extract: MagicMock,
+        mock_passport_cls: MagicMock,
+        mock_features: MagicMock,
+        mock_app_id: MagicMock,
+        mock_access_mode: MagicMock,
+        mock_validate_token: MagicMock,
+        mock_validate_user: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_extract.return_value = "jwt-token"
+        mock_passport_cls.return_value.verify.return_value = {
+            "app_code": "code1",
+            "app_id": "app-1",
+            "end_user_id": "eu-1",
+        }
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+
+        app_model = SimpleNamespace(id="app-1", enable_site=True)
+        site = SimpleNamespace(code="code1")
+        end_user = SimpleNamespace(id="eu-1", session_id="sess-1")
+
+        # Configure session mock to return correct objects via scalar()
+        session_mock = MagicMock()
+        session_mock.scalar.side_effect = [app_model, site, end_user]
+        session_ctx = MagicMock()
+        session_ctx.__enter__ = MagicMock(return_value=session_mock)
+        session_ctx.__exit__ = MagicMock(return_value=False)
+        mock_db.engine = "engine"
+
+        with patch("controllers.web.wraps.Session", return_value=session_ctx):
+            with app.test_request_context("/", headers={"X-App-Code": "code1"}):
+                result_app, result_user = decode_jwt_token()
+
+        assert result_app.id == "app-1"
+        assert result_user.id == "eu-1"
+
+    @patch("controllers.web.wraps.FeatureService.get_system_features")
+    @patch("controllers.web.wraps.extract_webapp_passport")
+    def test_missing_token_raises_unauthorized(
+        self, mock_extract: MagicMock, mock_features: MagicMock, app: Flask
+    ) -> None:
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+        mock_extract.return_value = None
+
+        with app.test_request_context("/", headers={"X-App-Code": "code1"}):
+            with pytest.raises(Unauthorized):
+                decode_jwt_token()
+
+    @patch("controllers.web.wraps.FeatureService.get_system_features")
+    @patch("controllers.web.wraps.PassportService")
+    @patch("controllers.web.wraps.extract_webapp_passport")
+    @patch("controllers.web.wraps.db")
+    def test_missing_app_raises_not_found(
+        self,
+        mock_db: MagicMock,
+        mock_extract: MagicMock,
+        mock_passport_cls: MagicMock,
+        mock_features: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_extract.return_value = "jwt-token"
+        mock_passport_cls.return_value.verify.return_value = {
+            "app_code": "code1",
+            "app_id": "app-1",
+            "end_user_id": "eu-1",
+        }
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+
+        session_mock = MagicMock()
+        session_mock.scalar.return_value = None  # No app found
+        session_ctx = MagicMock()
+        session_ctx.__enter__ = MagicMock(return_value=session_mock)
+        session_ctx.__exit__ = MagicMock(return_value=False)
+        mock_db.engine = "engine"
+
+        with patch("controllers.web.wraps.Session", return_value=session_ctx):
+            with app.test_request_context("/", headers={"X-App-Code": "code1"}):
+                with pytest.raises(NotFound):
+                    decode_jwt_token()
+
+    @patch("controllers.web.wraps.FeatureService.get_system_features")
+    @patch("controllers.web.wraps.PassportService")
+    @patch("controllers.web.wraps.extract_webapp_passport")
+    @patch("controllers.web.wraps.db")
+    def test_disabled_site_raises_bad_request(
+        self,
+        mock_db: MagicMock,
+        mock_extract: MagicMock,
+        mock_passport_cls: MagicMock,
+        mock_features: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_extract.return_value = "jwt-token"
+        mock_passport_cls.return_value.verify.return_value = {
+            "app_code": "code1",
+            "app_id": "app-1",
+            "end_user_id": "eu-1",
+        }
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+
+        app_model = SimpleNamespace(id="app-1", enable_site=False)
+
+        session_mock = MagicMock()
+        # scalar calls: app_model, site (code found), then end_user
+        session_mock.scalar.side_effect = [app_model, SimpleNamespace(code="code1"), None]
+        session_ctx = MagicMock()
+        session_ctx.__enter__ = MagicMock(return_value=session_mock)
+        session_ctx.__exit__ = MagicMock(return_value=False)
+        mock_db.engine = "engine"
+
+        with patch("controllers.web.wraps.Session", return_value=session_ctx):
+            with app.test_request_context("/", headers={"X-App-Code": "code1"}):
+                with pytest.raises(BadRequest, match="Site is disabled"):
+                    decode_jwt_token()
+
+    @patch("controllers.web.wraps.FeatureService.get_system_features")
+    @patch("controllers.web.wraps.PassportService")
+    @patch("controllers.web.wraps.extract_webapp_passport")
+    @patch("controllers.web.wraps.db")
+    def test_missing_end_user_raises_not_found(
+        self,
+        mock_db: MagicMock,
+        mock_extract: MagicMock,
+        mock_passport_cls: MagicMock,
+        mock_features: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_extract.return_value = "jwt-token"
+        mock_passport_cls.return_value.verify.return_value = {
+            "app_code": "code1",
+            "app_id": "app-1",
+            "end_user_id": "eu-1",
+        }
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+
+        app_model = SimpleNamespace(id="app-1", enable_site=True)
+        site = SimpleNamespace(code="code1")
+
+        session_mock = MagicMock()
+        session_mock.scalar.side_effect = [app_model, site, None]  # end_user is None
+        session_ctx = MagicMock()
+        session_ctx.__enter__ = MagicMock(return_value=session_mock)
+        session_ctx.__exit__ = MagicMock(return_value=False)
+        mock_db.engine = "engine"
+
+        with patch("controllers.web.wraps.Session", return_value=session_ctx):
+            with app.test_request_context("/", headers={"X-App-Code": "code1"}):
+                with pytest.raises(NotFound):
+                    decode_jwt_token()
+
+    @patch("controllers.web.wraps.FeatureService.get_system_features")
+    @patch("controllers.web.wraps.PassportService")
+    @patch("controllers.web.wraps.extract_webapp_passport")
+    @patch("controllers.web.wraps.db")
+    def test_user_id_mismatch_raises_unauthorized(
+        self,
+        mock_db: MagicMock,
+        mock_extract: MagicMock,
+        mock_passport_cls: MagicMock,
+        mock_features: MagicMock,
+        app: Flask,
+    ) -> None:
+        mock_extract.return_value = "jwt-token"
+        mock_passport_cls.return_value.verify.return_value = {
+            "app_code": "code1",
+            "app_id": "app-1",
+            "end_user_id": "eu-1",
+        }
+        mock_features.return_value = SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))
+
+        app_model = SimpleNamespace(id="app-1", enable_site=True)
+        site = SimpleNamespace(code="code1")
+        end_user = SimpleNamespace(id="eu-1", session_id="sess-1")
+
+        session_mock = MagicMock()
+        session_mock.scalar.side_effect = [app_model, site, end_user]
+        session_ctx = MagicMock()
+        session_ctx.__enter__ = MagicMock(return_value=session_mock)
+        session_ctx.__exit__ = MagicMock(return_value=False)
+        mock_db.engine = "engine"
+
+        with patch("controllers.web.wraps.Session", return_value=session_ctx):
+            with app.test_request_context("/", headers={"X-App-Code": "code1"}):
+                with pytest.raises(Unauthorized, match="expired"):
+                    decode_jwt_token(user_id="different-user")

api/tests/unit_tests/core/workflow/nodes/knowledge_retrieval/test_knowledge_retrieval_node.py

@@ -8,7 +8,9 @@ from core.app.entities.app_invoke_entities import InvokeFrom, UserFrom
 from dify_graph.enums import WorkflowNodeExecutionStatus
 from dify_graph.model_runtime.entities.llm_entities import LLMUsage
 from dify_graph.nodes.knowledge_retrieval.entities import (
+    Condition,
     KnowledgeRetrievalNodeData,
+    MetadataFilteringCondition,
     MultipleRetrievalConfig,
     RerankingModelConfig,
     SingleRetrievalConfig,
@@ -593,3 +595,106 @@ class TestFetchDatasetRetriever:
 
         # Assert
         assert version == "1"
+
+    def test_resolve_metadata_filtering_conditions_templates(
+        self,
+        mock_graph_init_params,
+        mock_graph_runtime_state,
+        mock_rag_retrieval,
+    ):
+        """_resolve_metadata_filtering_conditions should expand {{#...#}} and keep numbers/None unchanged."""
+        # Arrange
+        node_id = str(uuid.uuid4())
+        config = {
+            "id": node_id,
+            "data": {
+                "title": "Knowledge Retrieval",
+                "type": "knowledge-retrieval",
+                "dataset_ids": [str(uuid.uuid4())],
+                "retrieval_mode": "multiple",
+            },
+        }
+        # Variable in pool used by template
+        mock_graph_runtime_state.variable_pool.add(["start", "query"], StringSegment(value="readme"))
+
+        node = KnowledgeRetrievalNode(
+            id=node_id,
+            config=config,
+            graph_init_params=mock_graph_init_params,
+            graph_runtime_state=mock_graph_runtime_state,
+            rag_retrieval=mock_rag_retrieval,
+        )
+
+        conditions = MetadataFilteringCondition(
+            logical_operator="and",
+            conditions=[
+                Condition(name="document_name", comparison_operator="is", value="{{#start.query#}}"),
+                Condition(name="tags", comparison_operator="in", value=["x", "{{#start.query#}}"]),
+                Condition(name="year", comparison_operator="=", value=2025),
+            ],
+        )
+
+        # Act
+        resolved = node._resolve_metadata_filtering_conditions(conditions)
+
+        # Assert
+        assert resolved.logical_operator == "and"
+        assert resolved.conditions[0].value == "readme"
+        assert isinstance(resolved.conditions[1].value, list)
+        assert resolved.conditions[1].value[1] == "readme"
+        assert resolved.conditions[2].value == 2025
+
+    def test_fetch_passes_resolved_metadata_conditions(
+        self,
+        mock_graph_init_params,
+        mock_graph_runtime_state,
+        mock_rag_retrieval,
+    ):
+        """_fetch_dataset_retriever should pass resolved metadata conditions into request."""
+        # Arrange
+        query = "hi"
+        variables = {"query": query}
+        mock_graph_runtime_state.variable_pool.add(["start", "q"], StringSegment(value="readme"))
+
+        node_data = KnowledgeRetrievalNodeData(
+            title="Knowledge Retrieval",
+            type="knowledge-retrieval",
+            dataset_ids=[str(uuid.uuid4())],
+            retrieval_mode="multiple",
+            multiple_retrieval_config=MultipleRetrievalConfig(
+                top_k=4,
+                score_threshold=0.0,
+                reranking_mode="reranking_model",
+                reranking_enable=True,
+                reranking_model=RerankingModelConfig(provider="cohere", model="rerank-v2"),
+            ),
+            metadata_filtering_mode="manual",
+            metadata_filtering_conditions=MetadataFilteringCondition(
+                logical_operator="and",
+                conditions=[
+                    Condition(name="document_name", comparison_operator="is", value="{{#start.q#}}"),
+                ],
+            ),
+        )
+
+        node_id = str(uuid.uuid4())
+        config = {"id": node_id, "data": node_data.model_dump()}
+        node = KnowledgeRetrievalNode(
+            id=node_id,
+            config=config,
+            graph_init_params=mock_graph_init_params,
+            graph_runtime_state=mock_graph_runtime_state,
+            rag_retrieval=mock_rag_retrieval,
+        )
+
+        mock_rag_retrieval.knowledge_retrieval.return_value = []
+        mock_rag_retrieval.llm_usage = LLMUsage.empty_usage()
+
+        # Act
+        node._fetch_dataset_retriever(node_data=node_data, variables=variables)
+
+        # Assert the passed request has resolved value
+        call_args = mock_rag_retrieval.knowledge_retrieval.call_args
+        request = call_args[1]["request"]
+        assert request.metadata_filtering_conditions is not None
+        assert request.metadata_filtering_conditions.conditions[0].value == "readme"

api/tests/unit_tests/core/workflow/nodes/test_document_extractor_node.py

@@ -16,6 +16,7 @@ from dify_graph.nodes.document_extractor.node import (
     _extract_text_from_excel,
     _extract_text_from_pdf,
     _extract_text_from_plain_text,
+    _normalize_docx_zip,
 )
 from dify_graph.variables import ArrayFileSegment
 from dify_graph.variables.segments import ArrayStringSegment
@@ -86,6 +87,38 @@ def test_run_invalid_variable_type(document_extractor_node, mock_graph_runtime_s
     assert "is not an ArrayFileSegment" in result.error
 
 
+def test_run_empty_file_list_returns_succeeded(document_extractor_node, mock_graph_runtime_state):
+    """Empty file list should return SUCCEEDED with empty documents and ArrayStringSegment([])."""
+    document_extractor_node.graph_runtime_state = mock_graph_runtime_state
+
+    # Provide an actual ArrayFileSegment with an empty list
+    mock_graph_runtime_state.variable_pool.get.return_value = ArrayFileSegment(value=[])
+
+    result = document_extractor_node._run()
+
+    assert isinstance(result, NodeRunResult)
+    assert result.status == WorkflowNodeExecutionStatus.SUCCEEDED, result.error
+    assert result.process_data.get("documents") == []
+    assert result.outputs["text"] == ArrayStringSegment(value=[])
+
+
+def test_run_none_only_file_list_returns_succeeded(document_extractor_node, mock_graph_runtime_state):
+    """A file list containing only None (e.g., [None]) should be filtered to [] and succeed."""
+    document_extractor_node.graph_runtime_state = mock_graph_runtime_state
+
+    # Use a Mock to bypass type validation for None entries in the list
+    afs = Mock(spec=ArrayFileSegment)
+    afs.value = [None]
+    mock_graph_runtime_state.variable_pool.get.return_value = afs
+
+    result = document_extractor_node._run()
+
+    assert isinstance(result, NodeRunResult)
+    assert result.status == WorkflowNodeExecutionStatus.SUCCEEDED, result.error
+    assert result.process_data.get("documents") == []
+    assert result.outputs["text"] == ArrayStringSegment(value=[])
+
+
 @pytest.mark.parametrize(
     ("mime_type", "file_content", "expected_text", "transfer_method", "extension"),
     [
@@ -385,3 +418,58 @@ def test_extract_text_from_excel_numeric_type_column(mock_excel_file):
     expected_manual = "| 1.0 | 1.1 |\n| --- | --- |\n| Test | Test |\n\n"
 
     assert expected_manual == result
+
+
+def _make_docx_zip(use_backslash: bool) -> bytes:
+    """Helper to build a minimal in-memory DOCX zip.
+
+    When use_backslash=True the ZIP entry names use backslash separators
+    (as produced by Evernote on Windows), otherwise forward slashes are used.
+    """
+    import zipfile
+
+    sep = "\\" if use_backslash else "/"
+    buf = io.BytesIO()
+    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
+        zf.writestr("[Content_Types].xml", b"<Types/>")
+        zf.writestr(f"_rels{sep}.rels", b"<Relationships/>")
+        zf.writestr(f"word{sep}document.xml", b"<w:document/>")
+        zf.writestr(f"word{sep}_rels{sep}document.xml.rels", b"<Relationships/>")
+    return buf.getvalue()
+
+
+def test_normalize_docx_zip_replaces_backslashes():
+    """ZIP entries with backslash separators must be rewritten to forward slashes."""
+    import zipfile
+
+    malformed = _make_docx_zip(use_backslash=True)
+    fixed = _normalize_docx_zip(malformed)
+
+    with zipfile.ZipFile(io.BytesIO(fixed)) as zf:
+        names = zf.namelist()
+
+    assert "word/document.xml" in names
+    assert "word/_rels/document.xml.rels" in names
+    # No entry should contain a backslash after normalization
+    assert all("\\" not in name for name in names)
+
+
+def test_normalize_docx_zip_leaves_forward_slash_unchanged():
+    """ZIP entries that already use forward slashes must not be modified."""
+    import zipfile
+
+    normal = _make_docx_zip(use_backslash=False)
+    fixed = _normalize_docx_zip(normal)
+
+    with zipfile.ZipFile(io.BytesIO(fixed)) as zf:
+        names = zf.namelist()
+
+    assert "word/document.xml" in names
+    assert "word/_rels/document.xml.rels" in names
+
+
+def test_normalize_docx_zip_returns_original_on_bad_zip():
+    """Non-zip bytes must be returned as-is without raising."""
+    garbage = b"not a zip file at all"
+    result = _normalize_docx_zip(garbage)
+    assert result == garbage

api/tests/unit_tests/services/test_messages_clean_service.py

@@ -554,11 +554,9 @@ class TestMessagesCleanServiceFromDays:
             MessagesCleanService.from_days(policy=policy, days=-1)
 
         # Act
-        with patch("services.retention.conversation.messages_clean_service.datetime", autospec=True) as mock_datetime:
+        with patch("services.retention.conversation.messages_clean_service.naive_utc_now") as mock_now:
             fixed_now = datetime.datetime(2024, 6, 15, 14, 0, 0)
-            mock_datetime.datetime.now.return_value = fixed_now
-            mock_datetime.timedelta = datetime.timedelta
-
+            mock_now.return_value = fixed_now
             service = MessagesCleanService.from_days(policy=policy, days=0)
 
         # Assert
@@ -586,11 +584,9 @@ class TestMessagesCleanServiceFromDays:
         dry_run = True
 
         # Act
-        with patch("services.retention.conversation.messages_clean_service.datetime", autospec=True) as mock_datetime:
+        with patch("services.retention.conversation.messages_clean_service.naive_utc_now") as mock_now:
             fixed_now = datetime.datetime(2024, 6, 15, 10, 30, 0)
-            mock_datetime.datetime.now.return_value = fixed_now
-            mock_datetime.timedelta = datetime.timedelta
-
+            mock_now.return_value = fixed_now
             service = MessagesCleanService.from_days(
                 policy=policy,
                 days=days,
@@ -613,11 +609,9 @@ class TestMessagesCleanServiceFromDays:
         policy = BillingDisabledPolicy()
 
         # Act
-        with patch("services.retention.conversation.messages_clean_service.datetime", autospec=True) as mock_datetime:
+        with patch("services.retention.conversation.messages_clean_service.naive_utc_now") as mock_now:
             fixed_now = datetime.datetime(2024, 6, 15, 10, 30, 0)
-            mock_datetime.datetime.now.return_value = fixed_now
-            mock_datetime.timedelta = datetime.timedelta
-
+            mock_now.return_value = fixed_now
             service = MessagesCleanService.from_days(policy=policy)
 
         # Assert

scripts/stress-test/common/config_helper.py

@@ -6,6 +6,13 @@ from typing import Any
 
 
 class ConfigHelper:
+    _LEGACY_SECTION_MAP = {
+        "admin_config": "admin",
+        "token_config": "auth",
+        "app_config": "app",
+        "api_key_config": "api_key",
+    }
+
     """Helper class for reading and writing configuration files."""
 
     def __init__(self, base_dir: Path | None = None):
@@ -50,14 +57,8 @@ class ConfigHelper:
             Dictionary containing config data, or None if file doesn't exist
         """
         # Provide backward compatibility for old config names
-        if filename in ["admin_config", "token_config", "app_config", "api_key_config"]:
-            section_map = {
-                "admin_config": "admin",
-                "token_config": "auth",
-                "app_config": "app",
-                "api_key_config": "api_key",
-            }
-            return self.get_state_section(section_map[filename])
+        if filename in self._LEGACY_SECTION_MAP:
+            return self.get_state_section(self._LEGACY_SECTION_MAP[filename])
 
         config_path = self.get_config_path(filename)
 
@@ -85,14 +86,11 @@ class ConfigHelper:
             True if successful, False otherwise
         """
         # Provide backward compatibility for old config names
-        if filename in ["admin_config", "token_config", "app_config", "api_key_config"]:
-            section_map = {
-                "admin_config": "admin",
-                "token_config": "auth",
-                "app_config": "app",
-                "api_key_config": "api_key",
-            }
-            return self.update_state_section(section_map[filename], data)
+        if filename in self._LEGACY_SECTION_MAP:
+            return self.update_state_section(
+                self._LEGACY_SECTION_MAP[filename],
+                data,
+            )
 
         self.ensure_config_dir()
         config_path = self.get_config_path(filename)

web/AGENTS.md

@@ -2,6 +2,12 @@
 
 - Refer to the `./docs/test.md` and `./docs/lint.md` for detailed frontend workflow instructions.
 
+## Overlay Components (Mandatory)
+
+- `./docs/overlay-migration.md` is the source of truth for overlay-related work.
+- In new or modified code, use only overlay primitives from `@/app/components/base/ui/*`.
+- Do not introduce deprecated overlay imports from `@/app/components/base/*`; when touching legacy callers, prefer migrating them and keep the allowlist shrinking (never expanding).
+
 ## Automated Test Generation
 
 - Use `./docs/test.md` as the canonical instruction set for generating frontend automated tests.

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/chart-view.tsx

@@ -48,7 +48,7 @@ export default function ChartView({ appId, headerRight }: IChartViewProps) {
   return (
     <div>
       <div className="mb-4">
-        <div className="mb-2 text-text-primary system-xl-semibold">{t('appMenus.overview', { ns: 'common' })}</div>
+        <div className="system-xl-semibold mb-2 text-text-primary">{t('appMenus.overview', { ns: 'common' })}</div>
         <div className="flex items-center justify-between">
           {IS_CLOUD_EDITION
             ? (

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/time-range-picker/date-picker.tsx

@@ -30,7 +30,7 @@ const DatePicker: FC<Props> = ({
 
   const renderDate = useCallback(({ value, handleClickTrigger, isOpen }: TriggerProps) => {
     return (
-      <div className={cn('flex h-7 cursor-pointer items-center rounded-lg px-1 text-components-input-text-filled system-sm-regular hover:bg-state-base-hover', isOpen && 'bg-state-base-hover')} onClick={handleClickTrigger}>
+      <div className={cn('system-sm-regular flex h-7 cursor-pointer items-center rounded-lg px-1 text-components-input-text-filled hover:bg-state-base-hover', isOpen && 'bg-state-base-hover')} onClick={handleClickTrigger}>
         {value ? formatToLocalTime(value, locale, 'MMM D') : ''}
       </div>
     )
@@ -64,7 +64,7 @@ const DatePicker: FC<Props> = ({
         noConfirm
         getIsDateDisabled={startDateDisabled}
       />
-      <span className="text-text-tertiary system-sm-regular">-</span>
+      <span className="system-sm-regular text-text-tertiary">-</span>
       <Picker
         value={end}
         onChange={onEndChange}

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/time-range-picker/range-selector.tsx

@@ -45,7 +45,7 @@ const RangeSelector: FC<Props> = ({
   const renderTrigger = useCallback((item: Item | null, isOpen: boolean) => {
     return (
       <div className={cn('flex h-8 cursor-pointer items-center space-x-1.5 rounded-lg bg-components-input-bg-normal pl-3 pr-2', isOpen && 'bg-state-base-hover-alt')}>
-        <div className="text-components-input-text-filled system-sm-regular">{isCustomRange ? t('filter.period.custom', { ns: 'appLog' }) : item?.name}</div>
+        <div className="system-sm-regular text-components-input-text-filled">{isCustomRange ? t('filter.period.custom', { ns: 'appLog' }) : item?.name}</div>
         <RiArrowDownSLine className={cn('size-4 text-text-quaternary', isOpen && 'text-text-secondary')} />
       </div>
     )
@@ -57,13 +57,13 @@ const RangeSelector: FC<Props> = ({
         {selected && (
           <span
             className={cn(
-              'absolute left-2 top-[9px] flex items-center text-text-accent',
+              'absolute left-2 top-[9px] flex items-center  text-text-accent',
             )}
           >
             <RiCheckLine className="h-4 w-4" aria-hidden="true" />
           </span>
         )}
-        <span className={cn('block truncate system-md-regular')}>{item.name}</span>
+        <span className={cn('system-md-regular block truncate')}>{item.name}</span>
       </>
     )
   }, [])

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/tracing/config-popup.tsx

@@ -327,11 +327,11 @@ const ConfigPopup: FC<PopupProps> = ({
       <div className="flex items-center justify-between">
         <div className="flex items-center">
           <TracingIcon size="md" className="mr-2" />
-          <div className="text-text-primary title-2xl-semi-bold">{t(`${I18N_PREFIX}.tracing`, { ns: 'app' })}</div>
+          <div className="title-2xl-semi-bold text-text-primary">{t(`${I18N_PREFIX}.tracing`, { ns: 'app' })}</div>
         </div>
         <div className="flex items-center">
           <Indicator color={enabled ? 'green' : 'gray'} />
-          <div className={cn('ml-1 text-text-tertiary system-xs-semibold-uppercase', enabled && 'text-util-colors-green-green-600')}>
+          <div className={cn('system-xs-semibold-uppercase ml-1 text-text-tertiary', enabled && 'text-util-colors-green-green-600')}>
             {t(`${I18N_PREFIX}.${enabled ? 'enabled' : 'disabled'}`, { ns: 'app' })}
           </div>
           {!readOnly && (
@@ -350,7 +350,7 @@ const ConfigPopup: FC<PopupProps> = ({
         </div>
       </div>
 
-      <div className="mt-2 text-text-tertiary system-xs-regular">
+      <div className="system-xs-regular mt-2 text-text-tertiary">
         {t(`${I18N_PREFIX}.tracingDescription`, { ns: 'app' })}
       </div>
       <Divider className="my-3" />
@@ -358,7 +358,7 @@ const ConfigPopup: FC<PopupProps> = ({
         {(providerAllConfigured || providerAllNotConfigured)
           ? (
               <>
-                <div className="text-text-tertiary system-xs-medium-uppercase">{t(`${I18N_PREFIX}.configProviderTitle.${providerAllConfigured ? 'configured' : 'notConfigured'}`, { ns: 'app' })}</div>
+                <div className="system-xs-medium-uppercase text-text-tertiary">{t(`${I18N_PREFIX}.configProviderTitle.${providerAllConfigured ? 'configured' : 'notConfigured'}`, { ns: 'app' })}</div>
                 <div className="mt-2 max-h-96 space-y-2 overflow-y-auto">
                   {langfusePanel}
                   {langSmithPanel}
@@ -375,11 +375,11 @@ const ConfigPopup: FC<PopupProps> = ({
             )
           : (
               <>
-                <div className="text-text-tertiary system-xs-medium-uppercase">{t(`${I18N_PREFIX}.configProviderTitle.configured`, { ns: 'app' })}</div>
+                <div className="system-xs-medium-uppercase text-text-tertiary">{t(`${I18N_PREFIX}.configProviderTitle.configured`, { ns: 'app' })}</div>
                 <div className="mt-2 max-h-40 space-y-2 overflow-y-auto">
                   {configuredProviderPanel()}
                 </div>
-                <div className="mt-3 text-text-tertiary system-xs-medium-uppercase">{t(`${I18N_PREFIX}.configProviderTitle.moreProvider`, { ns: 'app' })}</div>
+                <div className="system-xs-medium-uppercase mt-3 text-text-tertiary">{t(`${I18N_PREFIX}.configProviderTitle.moreProvider`, { ns: 'app' })}</div>
                 <div className="mt-2 max-h-40 space-y-2 overflow-y-auto">
                   {moreProviderPanel()}
                 </div>

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/tracing/panel.tsx

@@ -254,7 +254,7 @@ const Panel: FC = () => {
             )}
           >
             <TracingIcon size="md" />
-            <div className="mx-2 text-text-secondary system-sm-semibold">{t(`${I18N_PREFIX}.title`, { ns: 'app' })}</div>
+            <div className="system-sm-semibold mx-2 text-text-secondary">{t(`${I18N_PREFIX}.title`, { ns: 'app' })}</div>
             <div className="rounded-md p-1">
               <RiEqualizer2Line className="h-4 w-4 text-text-tertiary" />
             </div>
@@ -294,7 +294,7 @@ const Panel: FC = () => {
           >
             <div className="ml-4 mr-1 flex items-center">
               <Indicator color={enabled ? 'green' : 'gray'} />
-              <div className="ml-1.5 text-text-tertiary system-xs-semibold-uppercase">
+              <div className="system-xs-semibold-uppercase ml-1.5 text-text-tertiary">
                 {t(`${I18N_PREFIX}.${enabled ? 'enabled' : 'disabled'}`, { ns: 'app' })}
               </div>
             </div>

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/tracing/provider-config-modal.tsx

@@ -302,7 +302,7 @@ const ProviderConfigModal: FC<Props> = ({
                   <div className="mx-2 max-h-[calc(100vh-120px)] w-[640px] overflow-y-auto rounded-2xl bg-components-panel-bg shadow-xl">
                     <div className="px-8 pt-8">
                       <div className="mb-4 flex items-center justify-between">
-                        <div className="text-text-primary title-2xl-semi-bold">
+                        <div className="title-2xl-semi-bold text-text-primary">
                           {t(`${I18N_PREFIX}.title`, { ns: 'app' })}
                           {t(`tracing.${type}.title`, { ns: 'app' })}
                         </div>

web/app/(commonLayout)/app/(appDetailLayout)/[appId]/overview/tracing/provider-panel.tsx

@@ -82,7 +82,7 @@ const ProviderPanel: FC<Props> = ({
       <div className="flex items-center justify-between space-x-1">
         <div className="flex items-center">
           <Icon className="h-6" />
-          {isChosen && <div className="ml-1 flex h-4 items-center rounded-[4px] border border-text-accent-secondary px-1 text-text-accent-secondary system-2xs-medium-uppercase">{t(`${I18N_PREFIX}.inUse`, { ns: 'app' })}</div>}
+          {isChosen && <div className="system-2xs-medium-uppercase ml-1 flex h-4 items-center rounded-[4px] border border-text-accent-secondary px-1 text-text-accent-secondary">{t(`${I18N_PREFIX}.inUse`, { ns: 'app' })}</div>}
         </div>
         {!readOnly && (
           <div className="flex items-center justify-between space-x-1">
@@ -102,7 +102,7 @@ const ProviderPanel: FC<Props> = ({
           </div>
         )}
       </div>
-      <div className="mt-2 text-text-tertiary system-xs-regular">
+      <div className="system-xs-regular mt-2 text-text-tertiary">
         {t(`${I18N_PREFIX}.${type}.description`, { ns: 'app' })}
       </div>
     </div>

web/app/(commonLayout)/datasets/(datasetDetailLayout)/[datasetId]/settings/page.tsx

@@ -7,8 +7,8 @@ const Settings = () => {
   return (
     <div className="h-full overflow-y-auto">
       <div className="flex flex-col gap-y-0.5 px-6 pb-2 pt-3">
-        <div className="text-text-primary system-xl-semibold">{t('title')}</div>
-        <div className="text-text-tertiary system-sm-regular">{t('desc')}</div>
+        <div className="system-xl-semibold text-text-primary">{t('title')}</div>
+        <div className="system-sm-regular text-text-tertiary">{t('desc')}</div>
       </div>
       <Form />
     </div>

web/app/(commonLayout)/layout.tsx

@@ -1,7 +1,6 @@
 import type { ReactNode } from 'react'
 import * as React from 'react'
 import { AppInitializer } from '@/app/components/app-initializer'
-import InSiteMessageNotification from '@/app/components/app/in-site-message/notification'
 import AmplitudeProvider from '@/app/components/base/amplitude'
 import GA, { GaType } from '@/app/components/base/ga'
 import Zendesk from '@/app/components/base/zendesk'
@@ -33,7 +32,6 @@ const Layout = ({ children }: { children: ReactNode }) => {
                 <RoleRouteGuard>
                   {children}
                 </RoleRouteGuard>
-                <InSiteMessageNotification />
                 <PartnerStack />
                 <ReadmePanel />
                 <GotoAnything />

web/app/(humanInputLayout)/form/[token]/form.tsx

@@ -106,17 +106,17 @@ const FormContent = () => {
               <RiCheckboxCircleFill className="h-8 w-8 text-text-success" />
             </div>
             <div className="grow">
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.thanks', { ns: 'share' })}</div>
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.recorded', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.thanks', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.recorded', { ns: 'share' })}</div>
             </div>
-            <div className="shrink-0 text-text-tertiary system-2xs-regular-uppercase">{t('humanInput.submissionID', { id: token, ns: 'share' })}</div>
+            <div className="system-2xs-regular-uppercase shrink-0 text-text-tertiary">{t('humanInput.submissionID', { id: token, ns: 'share' })}</div>
           </div>
           <div className="flex flex-row-reverse px-2 py-3">
             <div className={cn(
               'flex shrink-0 items-center gap-1.5 px-1',
             )}
             >
-              <div className="text-text-tertiary system-2xs-medium-uppercase">{t('chat.poweredBy', { ns: 'share' })}</div>
+              <div className="system-2xs-medium-uppercase text-text-tertiary">{t('chat.poweredBy', { ns: 'share' })}</div>
               <DifyLogo size="small" />
             </div>
           </div>
@@ -134,17 +134,17 @@ const FormContent = () => {
               <RiInformation2Fill className="h-8 w-8 text-text-accent" />
             </div>
             <div className="grow">
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.sorry', { ns: 'share' })}</div>
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.expired', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.sorry', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.expired', { ns: 'share' })}</div>
             </div>
-            <div className="shrink-0 text-text-tertiary system-2xs-regular-uppercase">{t('humanInput.submissionID', { id: token, ns: 'share' })}</div>
+            <div className="system-2xs-regular-uppercase shrink-0 text-text-tertiary">{t('humanInput.submissionID', { id: token, ns: 'share' })}</div>
           </div>
           <div className="flex flex-row-reverse px-2 py-3">
             <div className={cn(
               'flex shrink-0 items-center gap-1.5 px-1',
             )}
             >
-              <div className="text-text-tertiary system-2xs-medium-uppercase">{t('chat.poweredBy', { ns: 'share' })}</div>
+              <div className="system-2xs-medium-uppercase text-text-tertiary">{t('chat.poweredBy', { ns: 'share' })}</div>
               <DifyLogo size="small" />
             </div>
           </div>
@@ -162,17 +162,17 @@ const FormContent = () => {
               <RiInformation2Fill className="h-8 w-8 text-text-accent" />
             </div>
             <div className="grow">
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.sorry', { ns: 'share' })}</div>
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.completed', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.sorry', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.completed', { ns: 'share' })}</div>
             </div>
-            <div className="shrink-0 text-text-tertiary system-2xs-regular-uppercase">{t('humanInput.submissionID', { id: token, ns: 'share' })}</div>
+            <div className="system-2xs-regular-uppercase shrink-0 text-text-tertiary">{t('humanInput.submissionID', { id: token, ns: 'share' })}</div>
           </div>
           <div className="flex flex-row-reverse px-2 py-3">
             <div className={cn(
               'flex shrink-0 items-center gap-1.5 px-1',
             )}
             >
-              <div className="text-text-tertiary system-2xs-medium-uppercase">{t('chat.poweredBy', { ns: 'share' })}</div>
+              <div className="system-2xs-medium-uppercase text-text-tertiary">{t('chat.poweredBy', { ns: 'share' })}</div>
               <DifyLogo size="small" />
             </div>
           </div>
@@ -190,7 +190,7 @@ const FormContent = () => {
               <RiErrorWarningFill className="h-8 w-8 text-text-destructive" />
             </div>
             <div className="grow">
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.rateLimitExceeded', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.rateLimitExceeded', { ns: 'share' })}</div>
             </div>
           </div>
           <div className="flex flex-row-reverse px-2 py-3">
@@ -198,7 +198,7 @@ const FormContent = () => {
               'flex shrink-0 items-center gap-1.5 px-1',
             )}
             >
-              <div className="text-text-tertiary system-2xs-medium-uppercase">{t('chat.poweredBy', { ns: 'share' })}</div>
+              <div className="system-2xs-medium-uppercase text-text-tertiary">{t('chat.poweredBy', { ns: 'share' })}</div>
               <DifyLogo size="small" />
             </div>
           </div>
@@ -216,7 +216,7 @@ const FormContent = () => {
               <RiErrorWarningFill className="h-8 w-8 text-text-destructive" />
             </div>
             <div className="grow">
-              <div className="text-text-primary title-4xl-semi-bold">{t('humanInput.formNotFound', { ns: 'share' })}</div>
+              <div className="title-4xl-semi-bold text-text-primary">{t('humanInput.formNotFound', { ns: 'share' })}</div>
             </div>
           </div>
           <div className="flex flex-row-reverse px-2 py-3">
@@ -224,7 +224,7 @@ const FormContent = () => {
               'flex shrink-0 items-center gap-1.5 px-1',
             )}
             >
-              <div className="text-text-tertiary system-2xs-medium-uppercase">{t('chat.poweredBy', { ns: 'share' })}</div>
+              <div className="system-2xs-medium-uppercase text-text-tertiary">{t('chat.poweredBy', { ns: 'share' })}</div>
               <DifyLogo size="small" />
             </div>
           </div>
@@ -245,7 +245,7 @@ const FormContent = () => {
           background={site.icon_background}
           imageUrl={site.icon_url}
         />
-        <div className="grow text-text-primary system-xl-semibold">{site.title}</div>
+        <div className="system-xl-semibold grow text-text-primary">{site.title}</div>
       </div>
       <div className="h-0 w-full grow overflow-y-auto">
         <div className="border-components-divider-subtle rounded-[20px] border bg-chat-bubble-bg p-4 shadow-lg backdrop-blur-sm">
@@ -277,7 +277,7 @@ const FormContent = () => {
             'flex shrink-0 items-center gap-1.5 px-1',
           )}
           >
-            <div className="text-text-tertiary system-2xs-medium-uppercase">{t('chat.poweredBy', { ns: 'share' })}</div>
+            <div className="system-2xs-medium-uppercase text-text-tertiary">{t('chat.poweredBy', { ns: 'share' })}</div>
             <DifyLogo size="small" />
           </div>
         </div>

web/app/(shareLayout)/components/authenticated-layout.tsx

@@ -81,7 +81,7 @@ const AuthenticatedLayout = ({ children }: { children: React.ReactNode }) => {
     return (
       <div className="flex h-full flex-col items-center justify-center gap-y-2">
         <AppUnavailable className="h-auto w-auto" code={403} unknownReason="no permission." />
-        <span className="cursor-pointer text-text-tertiary system-sm-regular" onClick={backToHome}>{t('userProfile.logout', { ns: 'common' })}</span>
+        <span className="system-sm-regular cursor-pointer text-text-tertiary" onClick={backToHome}>{t('userProfile.logout', { ns: 'common' })}</span>
       </div>
     )
   }

web/app/(shareLayout)/components/splash.tsx

@@ -95,7 +95,7 @@ const Splash: FC<PropsWithChildren> = ({ children }) => {
     return (
       <div className="flex h-full flex-col items-center justify-center gap-y-4">
         <AppUnavailable className="h-auto w-auto" code={code || t('common.appUnavailable', { ns: 'share' })} unknownReason={message} />
-        <span className="cursor-pointer text-text-tertiary system-sm-regular" onClick={backToHome}>{code === '403' ? t('userProfile.logout', { ns: 'common' }) : t('login.backToHome', { ns: 'share' })}</span>
+        <span className="system-sm-regular cursor-pointer text-text-tertiary" onClick={backToHome}>{code === '403' ? t('userProfile.logout', { ns: 'common' }) : t('login.backToHome', { ns: 'share' })}</span>
       </div>
     )
   }

web/app/(shareLayout)/webapp-reset-password/check-code/page.tsx

@@ -69,8 +69,8 @@ export default function CheckCode() {
         <RiMailSendFill className="h-6 w-6 text-2xl" />
       </div>
       <div className="pb-4 pt-2">
-        <h2 className="text-text-primary title-4xl-semi-bold">{t('checkCode.checkYourEmail', { ns: 'login' })}</h2>
-        <p className="mt-2 text-text-secondary body-md-regular">
+        <h2 className="title-4xl-semi-bold text-text-primary">{t('checkCode.checkYourEmail', { ns: 'login' })}</h2>
+        <p className="body-md-regular mt-2 text-text-secondary">
           <span>
             {t('checkCode.tipsPrefix', { ns: 'login' })}
             <strong>{email}</strong>
@@ -82,7 +82,7 @@ export default function CheckCode() {
 
       <form action="">
         <input type="text" className="hidden" />
-        <label htmlFor="code" className="mb-1 text-text-secondary system-md-semibold">{t('checkCode.verificationCode', { ns: 'login' })}</label>
+        <label htmlFor="code" className="system-md-semibold mb-1 text-text-secondary">{t('checkCode.verificationCode', { ns: 'login' })}</label>
         <Input value={code} onChange={e => setVerifyCode(e.target.value)} maxLength={6} className="mt-1" placeholder={t('checkCode.verificationCodePlaceholder', { ns: 'login' }) || ''} />
         <Button loading={loading} disabled={loading} className="my-3 w-full" variant="primary" onClick={verify}>{t('checkCode.verify', { ns: 'login' })}</Button>
         <Countdown onResend={resendCode} />
@@ -94,7 +94,7 @@ export default function CheckCode() {
         <div className="bg-background-default-dimm inline-block rounded-full p-1">
           <RiArrowLeftLine size={12} />
         </div>
-        <span className="ml-2 system-xs-regular">{t('back', { ns: 'login' })}</span>
+        <span className="system-xs-regular ml-2">{t('back', { ns: 'login' })}</span>
       </div>
     </div>
   )

web/app/(shareLayout)/webapp-reset-password/layout.tsx

@@ -24,7 +24,7 @@ export default function SignInLayout({ children }: any) {
             </div>
           </div>
           {!systemFeatures.branding.enabled && (
-            <div className="px-8 py-6 text-text-tertiary system-xs-regular">
+            <div className="system-xs-regular px-8 py-6 text-text-tertiary">
               ©
               {' '}
               {new Date().getFullYear()}

web/app/(shareLayout)/webapp-reset-password/page.tsx

@@ -74,8 +74,8 @@ export default function CheckCode() {
         <RiLockPasswordLine className="h-6 w-6 text-2xl text-text-accent-light-mode-only" />
       </div>
       <div className="pb-4 pt-2">
-        <h2 className="text-text-primary title-4xl-semi-bold">{t('resetPassword', { ns: 'login' })}</h2>
-        <p className="mt-2 text-text-secondary body-md-regular">
+        <h2 className="title-4xl-semi-bold text-text-primary">{t('resetPassword', { ns: 'login' })}</h2>
+        <p className="body-md-regular mt-2 text-text-secondary">
           {t('resetPasswordDesc', { ns: 'login' })}
         </p>
       </div>
@@ -83,7 +83,7 @@ export default function CheckCode() {
       <form onSubmit={noop}>
         <input type="text" className="hidden" />
         <div className="mb-2">
-          <label htmlFor="email" className="my-2 text-text-secondary system-md-semibold">{t('email', { ns: 'login' })}</label>
+          <label htmlFor="email" className="system-md-semibold my-2 text-text-secondary">{t('email', { ns: 'login' })}</label>
           <div className="mt-1">
             <Input id="email" type="email" disabled={loading} value={email} placeholder={t('emailPlaceholder', { ns: 'login' }) as string} onChange={e => setEmail(e.target.value)} />
           </div>
@@ -99,7 +99,7 @@ export default function CheckCode() {
         <div className="inline-block rounded-full bg-background-default-dimmed p-1">
           <RiArrowLeftLine size={12} />
         </div>
-        <span className="ml-2 system-xs-regular">{t('backToLogin', { ns: 'login' })}</span>
+        <span className="system-xs-regular ml-2">{t('backToLogin', { ns: 'login' })}</span>
       </Link>
     </div>
   )

web/app/(shareLayout)/webapp-reset-password/set-password/page.tsx

@@ -91,10 +91,10 @@ const ChangePasswordForm = () => {
       {!showSuccess && (
         <div className="flex flex-col md:w-[400px]">
           <div className="mx-auto w-full">
-            <h2 className="text-text-primary title-4xl-semi-bold">
+            <h2 className="title-4xl-semi-bold text-text-primary">
               {t('changePassword', { ns: 'login' })}
             </h2>
-            <p className="mt-2 text-text-secondary body-md-regular">
+            <p className="body-md-regular mt-2 text-text-secondary">
               {t('changePasswordTip', { ns: 'login' })}
             </p>
           </div>
@@ -103,7 +103,7 @@ const ChangePasswordForm = () => {
             <div className="bg-white">
               {/* Password */}
               <div className="mb-5">
-                <label htmlFor="password" className="my-2 text-text-secondary system-md-semibold">
+                <label htmlFor="password" className="system-md-semibold my-2 text-text-secondary">
                   {t('account.newPassword', { ns: 'common' })}
                 </label>
                 <div className="relative mt-1">
@@ -125,11 +125,11 @@ const ChangePasswordForm = () => {
                     </Button>
                   </div>
                 </div>
-                <div className="mt-1 text-text-secondary body-xs-regular">{t('error.passwordInvalid', { ns: 'login' })}</div>
+                <div className="body-xs-regular mt-1 text-text-secondary">{t('error.passwordInvalid', { ns: 'login' })}</div>
               </div>
               {/* Confirm Password */}
               <div className="mb-5">
-                <label htmlFor="confirmPassword" className="my-2 text-text-secondary system-md-semibold">
+                <label htmlFor="confirmPassword" className="system-md-semibold my-2 text-text-secondary">
                   {t('account.confirmPassword', { ns: 'common' })}
                 </label>
                 <div className="relative mt-1">
@@ -170,7 +170,7 @@ const ChangePasswordForm = () => {
             <div className="mb-3 flex h-14 w-14 items-center justify-center rounded-2xl border border-components-panel-border-subtle font-bold shadow-lg">
               <RiCheckboxCircleFill className="h-6 w-6 text-text-success" />
             </div>
-            <h2 className="text-text-primary title-4xl-semi-bold">
+            <h2 className="title-4xl-semi-bold text-text-primary">
               {t('passwordChangedTip', { ns: 'login' })}
             </h2>
           </div>

web/app/(shareLayout)/webapp-signin/check-code/page.tsx

@@ -110,8 +110,8 @@ export default function CheckCode() {
         <RiMailSendFill className="h-6 w-6 text-2xl text-text-accent-light-mode-only" />
       </div>
       <div className="pb-4 pt-2">
-        <h2 className="text-text-primary title-4xl-semi-bold">{t('checkCode.checkYourEmail', { ns: 'login' })}</h2>
-        <p className="mt-2 text-text-secondary body-md-regular">
+        <h2 className="title-4xl-semi-bold text-text-primary">{t('checkCode.checkYourEmail', { ns: 'login' })}</h2>
+        <p className="body-md-regular mt-2 text-text-secondary">
           <span>
             {t('checkCode.tipsPrefix', { ns: 'login' })}
             <strong>{email}</strong>
@@ -122,7 +122,7 @@ export default function CheckCode() {
       </div>
 
       <form onSubmit={handleSubmit}>
-        <label htmlFor="code" className="mb-1 text-text-secondary system-md-semibold">{t('checkCode.verificationCode', { ns: 'login' })}</label>
+        <label htmlFor="code" className="system-md-semibold mb-1 text-text-secondary">{t('checkCode.verificationCode', { ns: 'login' })}</label>
         <Input
           ref={codeInputRef}
           id="code"
@@ -142,7 +142,7 @@ export default function CheckCode() {
         <div className="bg-background-default-dimm inline-block rounded-full p-1">
           <RiArrowLeftLine size={12} />
         </div>
-        <span className="ml-2 system-xs-regular">{t('back', { ns: 'login' })}</span>
+        <span className="system-xs-regular ml-2">{t('back', { ns: 'login' })}</span>
       </div>
     </div>
   )

web/app/(shareLayout)/webapp-signin/components/mail-and-code-auth.tsx

@@ -55,7 +55,7 @@ export default function MailAndCodeAuth() {
     <form onSubmit={noop}>
       <input type="text" className="hidden" />
       <div className="mb-2">
-        <label htmlFor="email" className="my-2 text-text-secondary system-md-semibold">{t('email', { ns: 'login' })}</label>
+        <label htmlFor="email" className="system-md-semibold my-2 text-text-secondary">{t('email', { ns: 'login' })}</label>
         <div className="mt-1">
           <Input id="email" type="email" value={email} placeholder={t('emailPlaceholder', { ns: 'login' }) as string} onChange={e => setEmail(e.target.value)} />
         </div>

web/app/(shareLayout)/webapp-signin/components/mail-and-password-auth.tsx

@@ -112,7 +112,7 @@ export default function MailAndPasswordAuth({ isEmailSetup }: MailAndPasswordAut
   return (
     <form onSubmit={noop}>
       <div className="mb-3">
-        <label htmlFor="email" className="my-2 text-text-secondary system-md-semibold">
+        <label htmlFor="email" className="system-md-semibold my-2 text-text-secondary">
           {t('email', { ns: 'login' })}
         </label>
         <div className="mt-1">
@@ -130,7 +130,7 @@ export default function MailAndPasswordAuth({ isEmailSetup }: MailAndPasswordAut
 
       <div className="mb-3">
         <label htmlFor="password" className="my-2 flex items-center justify-between">
-          <span className="text-text-secondary system-md-semibold">{t('password', { ns: 'login' })}</span>
+          <span className="system-md-semibold text-text-secondary">{t('password', { ns: 'login' })}</span>
           <Link
             href={`/webapp-reset-password?${searchParams.toString()}`}
             className={`system-xs-regular ${isEmailSetup ? 'text-components-button-secondary-accent-text' : 'pointer-events-none text-components-button-secondary-accent-text-disabled'}`}

web/app/(shareLayout)/webapp-signin/layout.tsx

@@ -21,7 +21,7 @@ export default function SignInLayout({ children }: PropsWithChildren) {
             </div>
           </div>
           {systemFeatures.branding.enabled === false && (
-            <div className="px-8 py-6 text-text-tertiary system-xs-regular">
+            <div className="system-xs-regular px-8 py-6 text-text-tertiary">
               ©
               {' '}
               {new Date().getFullYear()}

web/app/(shareLayout)/webapp-signin/normalForm.tsx

@@ -60,8 +60,8 @@ const NormalForm = () => {
               <RiContractLine className="h-5 w-5" />
               <RiErrorWarningFill className="absolute -right-1 -top-1 h-4 w-4 text-text-warning-secondary" />
             </div>
-            <p className="text-text-primary system-sm-medium">{t('licenseLost', { ns: 'login' })}</p>
-            <p className="mt-1 text-text-tertiary system-xs-regular">{t('licenseLostTip', { ns: 'login' })}</p>
+            <p className="system-sm-medium text-text-primary">{t('licenseLost', { ns: 'login' })}</p>
+            <p className="system-xs-regular mt-1 text-text-tertiary">{t('licenseLostTip', { ns: 'login' })}</p>
           </div>
         </div>
       </div>
@@ -76,8 +76,8 @@ const NormalForm = () => {
               <RiContractLine className="h-5 w-5" />
               <RiErrorWarningFill className="absolute -right-1 -top-1 h-4 w-4 text-text-warning-secondary" />
             </div>
-            <p className="text-text-primary system-sm-medium">{t('licenseExpired', { ns: 'login' })}</p>
-            <p className="mt-1 text-text-tertiary system-xs-regular">{t('licenseExpiredTip', { ns: 'login' })}</p>
+            <p className="system-sm-medium text-text-primary">{t('licenseExpired', { ns: 'login' })}</p>
+            <p className="system-xs-regular mt-1 text-text-tertiary">{t('licenseExpiredTip', { ns: 'login' })}</p>
           </div>
         </div>
       </div>
@@ -92,8 +92,8 @@ const NormalForm = () => {
               <RiContractLine className="h-5 w-5" />
               <RiErrorWarningFill className="absolute -right-1 -top-1 h-4 w-4 text-text-warning-secondary" />
             </div>
-            <p className="text-text-primary system-sm-medium">{t('licenseInactive', { ns: 'login' })}</p>
-            <p className="mt-1 text-text-tertiary system-xs-regular">{t('licenseInactiveTip', { ns: 'login' })}</p>
+            <p className="system-sm-medium text-text-primary">{t('licenseInactive', { ns: 'login' })}</p>
+            <p className="system-xs-regular mt-1 text-text-tertiary">{t('licenseInactiveTip', { ns: 'login' })}</p>
           </div>
         </div>
       </div>
@@ -104,8 +104,8 @@ const NormalForm = () => {
     <>
       <div className="mx-auto mt-8 w-full">
         <div className="mx-auto w-full">
-          <h2 className="text-text-primary title-4xl-semi-bold">{systemFeatures.branding.enabled ? t('pageTitleForE', { ns: 'login' }) : t('pageTitle', { ns: 'login' })}</h2>
-          <p className="mt-2 text-text-tertiary body-md-regular">{t('welcome', { ns: 'login' })}</p>
+          <h2 className="title-4xl-semi-bold text-text-primary">{systemFeatures.branding.enabled ? t('pageTitleForE', { ns: 'login' }) : t('pageTitle', { ns: 'login' })}</h2>
+          <p className="body-md-regular mt-2 text-text-tertiary">{t('welcome', { ns: 'login' })}</p>
         </div>
         <div className="relative">
           <div className="mt-6 flex flex-col gap-3">
@@ -122,7 +122,7 @@ const NormalForm = () => {
                 <div className="h-px w-full bg-gradient-to-r from-background-gradient-mask-transparent via-divider-regular to-background-gradient-mask-transparent"></div>
               </div>
               <div className="relative flex justify-center">
-                <span className="px-2 text-text-tertiary system-xs-medium-uppercase">{t('or', { ns: 'login' })}</span>
+                <span className="system-xs-medium-uppercase px-2 text-text-tertiary">{t('or', { ns: 'login' })}</span>
               </div>
             </div>
           )}
@@ -134,7 +134,7 @@ const NormalForm = () => {
                     <MailAndCodeAuth />
                     {systemFeatures.enable_email_password_login && (
                       <div className="cursor-pointer py-1 text-center" onClick={() => { updateAuthType('password') }}>
-                        <span className="text-components-button-secondary-accent-text system-xs-medium">{t('usePassword', { ns: 'login' })}</span>
+                        <span className="system-xs-medium text-components-button-secondary-accent-text">{t('usePassword', { ns: 'login' })}</span>
                       </div>
                     )}
                   </>
@@ -144,7 +144,7 @@ const NormalForm = () => {
                     <MailAndPasswordAuth isEmailSetup={systemFeatures.is_email_setup} />
                     {systemFeatures.enable_email_code_login && (
                       <div className="cursor-pointer py-1 text-center" onClick={() => { updateAuthType('code') }}>
-                        <span className="text-components-button-secondary-accent-text system-xs-medium">{t('useVerificationCode', { ns: 'login' })}</span>
+                        <span className="system-xs-medium text-components-button-secondary-accent-text">{t('useVerificationCode', { ns: 'login' })}</span>
                       </div>
                     )}
                   </>
@@ -158,8 +158,8 @@ const NormalForm = () => {
                 <div className="shadows-shadow-lg mb-2 flex h-10 w-10 items-center justify-center rounded-xl bg-components-card-bg shadow">
                   <RiDoorLockLine className="h-5 w-5" />
                 </div>
-                <p className="text-text-primary system-sm-medium">{t('noLoginMethod', { ns: 'login' })}</p>
-                <p className="mt-1 text-text-tertiary system-xs-regular">{t('noLoginMethodTip', { ns: 'login' })}</p>
+                <p className="system-sm-medium text-text-primary">{t('noLoginMethod', { ns: 'login' })}</p>
+                <p className="system-xs-regular mt-1 text-text-tertiary">{t('noLoginMethodTip', { ns: 'login' })}</p>
               </div>
               <div className="relative my-2 py-2">
                 <div className="absolute inset-0 flex items-center" aria-hidden="true">
@@ -170,11 +170,11 @@ const NormalForm = () => {
           )}
           {!systemFeatures.branding.enabled && (
             <>
-              <div className="mt-2 block w-full text-text-tertiary system-xs-regular">
+              <div className="system-xs-regular mt-2 block w-full text-text-tertiary">
                 {t('tosDesc', { ns: 'login' })}
               &nbsp;
                 <Link
-                  className="text-text-secondary system-xs-medium hover:underline"
+                  className="system-xs-medium text-text-secondary hover:underline"
                   target="_blank"
                   rel="noopener noreferrer"
                   href="https://dify.ai/terms"
@@ -183,7 +183,7 @@ const NormalForm = () => {
                 </Link>
               &nbsp;&&nbsp;
                 <Link
-                  className="text-text-secondary system-xs-medium hover:underline"
+                  className="system-xs-medium text-text-secondary hover:underline"
                   target="_blank"
                   rel="noopener noreferrer"
                   href="https://dify.ai/privacy"
@@ -192,11 +192,11 @@ const NormalForm = () => {
                 </Link>
               </div>
               {IS_CE_EDITION && (
-                <div className="w-hull mt-2 block text-text-tertiary system-xs-regular">
+                <div className="w-hull system-xs-regular mt-2 block text-text-tertiary">
                   {t('goToInit', { ns: 'login' })}
               &nbsp;
                   <Link
-                    className="text-text-secondary system-xs-medium hover:underline"
+                    className="system-xs-medium text-text-secondary hover:underline"
                     href="/install"
                   >
                     {t('setAdminAccount', { ns: 'login' })}

web/app/(shareLayout)/webapp-signin/page.tsx

@@ -45,7 +45,7 @@ const WebSSOForm: FC = () => {
   if (!systemFeatures.webapp_auth.enabled) {
     return (
       <div className="flex h-full items-center justify-center">
-        <p className="text-text-tertiary system-xs-regular">{t('webapp.disabled', { ns: 'login' })}</p>
+        <p className="system-xs-regular text-text-tertiary">{t('webapp.disabled', { ns: 'login' })}</p>
       </div>
     )
   }
@@ -63,7 +63,7 @@ const WebSSOForm: FC = () => {
   return (
     <div className="flex h-full flex-col items-center justify-center gap-y-4">
       <AppUnavailable className="h-auto w-auto" isUnknownReason={true} />
-      <span className="cursor-pointer text-text-tertiary system-sm-regular" onClick={backToHome}>{t('login.backToHome', { ns: 'share' })}</span>
+      <span className="system-sm-regular cursor-pointer text-text-tertiary" onClick={backToHome}>{t('login.backToHome', { ns: 'share' })}</span>
     </div>
   )
 }

web/app/account/(commonLayout)/account-page/AvatarWithEdit.tsx

@@ -160,7 +160,7 @@ const AvatarWithEdit = ({ onSave, ...props }: AvatarWithEditProps) => {
         isShow={isShowDeleteConfirm}
         onClose={() => setIsShowDeleteConfirm(false)}
       >
-        <div className="mb-3 text-text-primary title-2xl-semi-bold">{t('avatar.deleteTitle', { ns: 'common' })}</div>
+        <div className="title-2xl-semi-bold mb-3 text-text-primary">{t('avatar.deleteTitle', { ns: 'common' })}</div>
         <p className="mb-8 text-text-secondary">{t('avatar.deleteDescription', { ns: 'common' })}</p>
 
         <div className="flex w-full items-center justify-center gap-2">

web/app/account/(commonLayout)/account-page/email-change-modal.tsx

@@ -209,14 +209,14 @@ const EmailChangeModal = ({ onClose, email, show }: Props) => {
       </div>
       {step === STEP.start && (
         <>
-          <div className="pb-3 text-text-primary title-2xl-semi-bold">{t('account.changeEmail.title', { ns: 'common' })}</div>
+          <div className="title-2xl-semi-bold pb-3 text-text-primary">{t('account.changeEmail.title', { ns: 'common' })}</div>
           <div className="space-y-0.5 pb-2 pt-1">
-            <div className="text-text-warning body-md-medium">{t('account.changeEmail.authTip', { ns: 'common' })}</div>
-            <div className="text-text-secondary body-md-regular">
+            <div className="body-md-medium text-text-warning">{t('account.changeEmail.authTip', { ns: 'common' })}</div>
+            <div className="body-md-regular text-text-secondary">
               <Trans
                 i18nKey="account.changeEmail.content1"
                 ns="common"
-                components={{ email: <span className="text-text-primary body-md-medium"></span> }}
+                components={{ email: <span className="body-md-medium text-text-primary"></span> }}
                 values={{ email }}
               />
             </div>
@@ -241,19 +241,19 @@ const EmailChangeModal = ({ onClose, email, show }: Props) => {
       )}
       {step === STEP.verifyOrigin && (
         <>
-          <div className="pb-3 text-text-primary title-2xl-semi-bold">{t('account.changeEmail.verifyEmail', { ns: 'common' })}</div>
+          <div className="title-2xl-semi-bold pb-3 text-text-primary">{t('account.changeEmail.verifyEmail', { ns: 'common' })}</div>
           <div className="space-y-0.5 pb-2 pt-1">
-            <div className="text-text-secondary body-md-regular">
+            <div className="body-md-regular text-text-secondary">
               <Trans
                 i18nKey="account.changeEmail.content2"
                 ns="common"
-                components={{ email: <span className="text-text-primary body-md-medium"></span> }}
+                components={{ email: <span className="body-md-medium text-text-primary"></span> }}
                 values={{ email }}
               />
             </div>
           </div>
           <div className="pt-3">
-            <div className="mb-1 flex h-6 items-center text-text-secondary system-sm-medium">{t('account.changeEmail.codeLabel', { ns: 'common' })}</div>
+            <div className="system-sm-medium mb-1 flex h-6 items-center text-text-secondary">{t('account.changeEmail.codeLabel', { ns: 'common' })}</div>
             <Input
               className="!w-full"
               placeholder={t('account.changeEmail.codePlaceholder', { ns: 'common' })}
@@ -278,25 +278,25 @@ const EmailChangeModal = ({ onClose, email, show }: Props) => {
               {t('operation.cancel', { ns: 'common' })}
             </Button>
           </div>
-          <div className="mt-3 flex items-center gap-1 text-text-tertiary system-xs-regular">
+          <div className="system-xs-regular mt-3 flex items-center gap-1 text-text-tertiary">
             <span>{t('account.changeEmail.resendTip', { ns: 'common' })}</span>
             {time > 0 && (
               <span>{t('account.changeEmail.resendCount', { ns: 'common', count: time })}</span>
             )}
             {!time && (
-              <span onClick={sendCodeToOriginEmail} className="cursor-pointer text-text-accent-secondary system-xs-medium">{t('account.changeEmail.resend', { ns: 'common' })}</span>
+              <span onClick={sendCodeToOriginEmail} className="system-xs-medium cursor-pointer text-text-accent-secondary">{t('account.changeEmail.resend', { ns: 'common' })}</span>
             )}
           </div>
         </>
       )}
       {step === STEP.newEmail && (
         <>
-          <div className="pb-3 text-text-primary title-2xl-semi-bold">{t('account.changeEmail.newEmail', { ns: 'common' })}</div>
+          <div className="title-2xl-semi-bold pb-3 text-text-primary">{t('account.changeEmail.newEmail', { ns: 'common' })}</div>
           <div className="space-y-0.5 pb-2 pt-1">
-            <div className="text-text-secondary body-md-regular">{t('account.changeEmail.content3', { ns: 'common' })}</div>
+            <div className="body-md-regular text-text-secondary">{t('account.changeEmail.content3', { ns: 'common' })}</div>
           </div>
           <div className="pt-3">
-            <div className="mb-1 flex h-6 items-center text-text-secondary system-sm-medium">{t('account.changeEmail.emailLabel', { ns: 'common' })}</div>
+            <div className="system-sm-medium mb-1 flex h-6 items-center text-text-secondary">{t('account.changeEmail.emailLabel', { ns: 'common' })}</div>
             <Input
               className="!w-full"
               placeholder={t('account.changeEmail.emailPlaceholder', { ns: 'common' })}
@@ -305,10 +305,10 @@ const EmailChangeModal = ({ onClose, email, show }: Props) => {
               destructive={newEmailExited || unAvailableEmail}
             />
             {newEmailExited && (
-              <div className="mt-1 py-0.5 text-text-destructive body-xs-regular">{t('account.changeEmail.existingEmail', { ns: 'common' })}</div>
+              <div className="body-xs-regular mt-1 py-0.5 text-text-destructive">{t('account.changeEmail.existingEmail', { ns: 'common' })}</div>
             )}
             {unAvailableEmail && (
-              <div className="mt-1 py-0.5 text-text-destructive body-xs-regular">{t('account.changeEmail.unAvailableEmail', { ns: 'common' })}</div>
+              <div className="body-xs-regular mt-1 py-0.5 text-text-destructive">{t('account.changeEmail.unAvailableEmail', { ns: 'common' })}</div>
             )}
           </div>
           <div className="mt-3 space-y-2">
@@ -331,19 +331,19 @@ const EmailChangeModal = ({ onClose, email, show }: Props) => {
       )}
       {step === STEP.verifyNew && (
         <>
-          <div className="pb-3 text-text-primary title-2xl-semi-bold">{t('account.changeEmail.verifyNew', { ns: 'common' })}</div>
+          <div className="title-2xl-semi-bold pb-3 text-text-primary">{t('account.changeEmail.verifyNew', { ns: 'common' })}</div>
           <div className="space-y-0.5 pb-2 pt-1">
-            <div className="text-text-secondary body-md-regular">
+            <div className="body-md-regular text-text-secondary">
               <Trans
                 i18nKey="account.changeEmail.content4"
                 ns="common"
-                components={{ email: <span className="text-text-primary body-md-medium"></span> }}
+                components={{ email: <span className="body-md-medium text-text-primary"></span> }}
                 values={{ email: mail }}
               />
             </div>
           </div>
           <div className="pt-3">
-            <div className="mb-1 flex h-6 items-center text-text-secondary system-sm-medium">{t('account.changeEmail.codeLabel', { ns: 'common' })}</div>
+            <div className="system-sm-medium mb-1 flex h-6 items-center text-text-secondary">{t('account.changeEmail.codeLabel', { ns: 'common' })}</div>
             <Input
               className="!w-full"
               placeholder={t('account.changeEmail.codePlaceholder', { ns: 'common' })}
@@ -368,13 +368,13 @@ const EmailChangeModal = ({ onClose, email, show }: Props) => {
               {t('operation.cancel', { ns: 'common' })}
             </Button>
           </div>
-          <div className="mt-3 flex items-center gap-1 text-text-tertiary system-xs-regular">
+          <div className="system-xs-regular mt-3 flex items-center gap-1 text-text-tertiary">
             <span>{t('account.changeEmail.resendTip', { ns: 'common' })}</span>
             {time > 0 && (
               <span>{t('account.changeEmail.resendCount', { ns: 'common', count: time })}</span>
             )}
             {!time && (
-              <span onClick={sendCodeToNewEmail} className="cursor-pointer text-text-accent-secondary system-xs-medium">{t('account.changeEmail.resend', { ns: 'common' })}</span>
+              <span onClick={sendCodeToNewEmail} className="system-xs-medium cursor-pointer text-text-accent-secondary">{t('account.changeEmail.resend', { ns: 'common' })}</span>
             )}
           </div>
         </>

web/app/account/(commonLayout)/account-page/index.tsx

@@ -138,7 +138,7 @@ export default function AccountPage() {
             imageUrl={icon_url}
           />
         </div>
-        <div className="mt-[3px] text-text-secondary system-sm-medium">{item.name}</div>
+        <div className="system-sm-medium mt-[3px] text-text-secondary">{item.name}</div>
       </div>
     )
   }
@@ -146,12 +146,12 @@ export default function AccountPage() {
   return (
     <>
       <div className="pb-3 pt-2">
-        <h4 className="text-text-primary title-2xl-semi-bold">{t('account.myAccount', { ns: 'common' })}</h4>
+        <h4 className="title-2xl-semi-bold text-text-primary">{t('account.myAccount', { ns: 'common' })}</h4>
       </div>
       <div className="mb-8 flex items-center rounded-xl bg-gradient-to-r from-background-gradient-bg-fill-chat-bg-2 to-background-gradient-bg-fill-chat-bg-1 p-6">
         <AvatarWithEdit avatar={userProfile.avatar_url} name={userProfile.name} onSave={mutateUserProfile} size={64} />
         <div className="ml-4">
-          <p className="text-text-primary system-xl-semibold">
+          <p className="system-xl-semibold text-text-primary">
             {userProfile.name}
             {isEducationAccount && (
               <PremiumBadge size="s" color="blue" className="ml-1 !px-2">
@@ -160,16 +160,16 @@ export default function AccountPage() {
               </PremiumBadge>
             )}
           </p>
-          <p className="text-text-tertiary system-xs-regular">{userProfile.email}</p>
+          <p className="system-xs-regular text-text-tertiary">{userProfile.email}</p>
         </div>
       </div>
       <div className="mb-8">
         <div className={titleClassName}>{t('account.name', { ns: 'common' })}</div>
         <div className="mt-2 flex w-full items-center justify-between gap-2">
-          <div className="flex-1 rounded-lg bg-components-input-bg-normal p-2 text-components-input-text-filled system-sm-regular">
+          <div className="system-sm-regular flex-1 rounded-lg bg-components-input-bg-normal p-2 text-components-input-text-filled ">
             <span className="pl-1">{userProfile.name}</span>
           </div>
-          <div className="cursor-pointer rounded-lg bg-components-button-tertiary-bg px-3 py-2 text-components-button-tertiary-text system-sm-medium" onClick={handleEditName}>
+          <div className="system-sm-medium cursor-pointer rounded-lg bg-components-button-tertiary-bg px-3 py-2 text-components-button-tertiary-text" onClick={handleEditName}>
             {t('operation.edit', { ns: 'common' })}
           </div>
         </div>
@@ -177,11 +177,11 @@ export default function AccountPage() {
       <div className="mb-8">
         <div className={titleClassName}>{t('account.email', { ns: 'common' })}</div>
         <div className="mt-2 flex w-full items-center justify-between gap-2">
-          <div className="flex-1 rounded-lg bg-components-input-bg-normal p-2 text-components-input-text-filled system-sm-regular">
+          <div className="system-sm-regular flex-1 rounded-lg bg-components-input-bg-normal p-2 text-components-input-text-filled ">
             <span className="pl-1">{userProfile.email}</span>
           </div>
           {systemFeatures.enable_change_email && (
-            <div className="cursor-pointer rounded-lg bg-components-button-tertiary-bg px-3 py-2 text-components-button-tertiary-text system-sm-medium" onClick={() => setShowUpdateEmail(true)}>
+            <div className="system-sm-medium cursor-pointer rounded-lg bg-components-button-tertiary-bg px-3 py-2 text-components-button-tertiary-text" onClick={() => setShowUpdateEmail(true)}>
               {t('operation.change', { ns: 'common' })}
             </div>
           )}
@@ -191,8 +191,8 @@ export default function AccountPage() {
         systemFeatures.enable_email_password_login && (
           <div className="mb-8 flex justify-between gap-2">
             <div>
-              <div className="mb-1 text-text-secondary system-sm-semibold">{t('account.password', { ns: 'common' })}</div>
-              <div className="mb-2 text-text-tertiary body-xs-regular">{t('account.passwordTip', { ns: 'common' })}</div>
+              <div className="system-sm-semibold mb-1 text-text-secondary">{t('account.password', { ns: 'common' })}</div>
+              <div className="body-xs-regular mb-2 text-text-tertiary">{t('account.passwordTip', { ns: 'common' })}</div>
             </div>
             <Button onClick={() => setEditPasswordModalVisible(true)}>{userProfile.is_password_set ? t('account.resetPassword', { ns: 'common' }) : t('account.setPassword', { ns: 'common' })}</Button>
           </div>
@@ -219,7 +219,7 @@ export default function AccountPage() {
             onClose={() => setEditNameModalVisible(false)}
             className="!w-[420px] !p-6"
           >
-            <div className="mb-6 text-text-primary title-2xl-semi-bold">{t('account.editName', { ns: 'common' })}</div>
+            <div className="title-2xl-semi-bold mb-6 text-text-primary">{t('account.editName', { ns: 'common' })}</div>
             <div className={titleClassName}>{t('account.name', { ns: 'common' })}</div>
             <Input
               className="mt-2"
@@ -249,7 +249,7 @@ export default function AccountPage() {
             }}
             className="!w-[420px] !p-6"
           >
-            <div className="mb-6 text-text-primary title-2xl-semi-bold">{userProfile.is_password_set ? t('account.resetPassword', { ns: 'common' }) : t('account.setPassword', { ns: 'common' })}</div>
+            <div className="title-2xl-semi-bold mb-6 text-text-primary">{userProfile.is_password_set ? t('account.resetPassword', { ns: 'common' }) : t('account.setPassword', { ns: 'common' })}</div>
             {userProfile.is_password_set && (
               <>
                 <div className={titleClassName}>{t('account.currentPassword', { ns: 'common' })}</div>
@@ -272,7 +272,7 @@ export default function AccountPage() {
                 </div>
               </>
             )}
-            <div className="mt-8 text-text-secondary system-sm-semibold">
+            <div className="system-sm-semibold mt-8 text-text-secondary">
               {userProfile.is_password_set ? t('account.newPassword', { ns: 'common' }) : t('account.password', { ns: 'common' })}
             </div>
             <div className="relative mt-2">
@@ -291,7 +291,7 @@ export default function AccountPage() {
                 </Button>
               </div>
             </div>
-            <div className="mt-8 text-text-secondary system-sm-semibold">{t('account.confirmPassword', { ns: 'common' })}</div>
+            <div className="system-sm-semibold mt-8 text-text-secondary">{t('account.confirmPassword', { ns: 'common' })}</div>
             <div className="relative mt-2">
               <Input
                 type={showConfirmPassword ? 'text' : 'password'}

web/app/account/(commonLayout)/avatar.tsx

@@ -73,7 +73,7 @@ export default function AppSelector() {
                   <div className="p-1">
                     <div className="flex flex-nowrap items-center px-3 py-2">
                       <div className="grow">
-                        <div className="break-all text-text-primary system-md-medium">
+                        <div className="system-md-medium break-all text-text-primary">
                           {userProfile.name}
                           {isEducationAccount && (
                             <PremiumBadge size="s" color="blue" className="ml-1 !px-2">
@@ -82,7 +82,7 @@ export default function AppSelector() {
                             </PremiumBadge>
                           )}
                         </div>
-                        <div className="break-all text-text-tertiary system-xs-regular">{userProfile.email}</div>
+                        <div className="system-xs-regular break-all text-text-tertiary">{userProfile.email}</div>
                       </div>
                       <Avatar avatar={userProfile.avatar_url} name={userProfile.name} size={32} />
                     </div>

web/app/account/(commonLayout)/delete-account/components/check-email.tsx

@@ -30,14 +30,14 @@ export default function CheckEmail(props: DeleteAccountProps) {
 
   return (
     <>
-      <div className="py-1 text-text-destructive body-md-medium">
+      <div className="body-md-medium py-1 text-text-destructive">
         {t('account.deleteTip', { ns: 'common' })}
       </div>
-      <div className="pb-2 pt-1 text-text-secondary body-md-regular">
+      <div className="body-md-regular pb-2 pt-1 text-text-secondary">
         {t('account.deletePrivacyLinkTip', { ns: 'common' })}
         <Link href="https://dify.ai/privacy" className="text-text-accent">{t('account.deletePrivacyLink', { ns: 'common' })}</Link>
       </div>
-      <label className="mb-1 mt-3 flex h-6 items-center text-text-secondary system-sm-semibold">{t('account.deleteLabel', { ns: 'common' })}</label>
+      <label className="system-sm-semibold mb-1 mt-3 flex h-6 items-center text-text-secondary">{t('account.deleteLabel', { ns: 'common' })}</label>
       <Input
         placeholder={t('account.deletePlaceholder', { ns: 'common' }) as string}
         onChange={(e) => {

web/app/account/(commonLayout)/delete-account/components/feed-back.tsx

@@ -54,7 +54,7 @@ export default function FeedBack(props: DeleteAccountProps) {
       className="max-w-[480px]"
       footer={false}
     >
-      <label className="mb-1 mt-3 flex items-center text-text-secondary system-sm-semibold">{t('account.feedbackLabel', { ns: 'common' })}</label>
+      <label className="system-sm-semibold mb-1 mt-3 flex items-center text-text-secondary">{t('account.feedbackLabel', { ns: 'common' })}</label>
       <Textarea
         rows={6}
         value={userFeedback}

web/app/account/(commonLayout)/delete-account/components/verify-email.tsx

@@ -36,14 +36,14 @@ export default function VerifyEmail(props: DeleteAccountProps) {
   }, [emailToken, verificationCode, confirmDeleteAccount, props])
   return (
     <>
-      <div className="pt-1 text-text-destructive body-md-medium">
+      <div className="body-md-medium pt-1 text-text-destructive">
         {t('account.deleteTip', { ns: 'common' })}
       </div>
-      <div className="pb-2 pt-1 text-text-secondary body-md-regular">
+      <div className="body-md-regular pb-2 pt-1 text-text-secondary">
         {t('account.deletePrivacyLinkTip', { ns: 'common' })}
         <Link href="https://dify.ai/privacy" className="text-text-accent">{t('account.deletePrivacyLink', { ns: 'common' })}</Link>
       </div>
-      <label className="mb-1 mt-3 flex h-6 items-center text-text-secondary system-sm-semibold">{t('account.verificationLabel', { ns: 'common' })}</label>
+      <label className="system-sm-semibold mb-1 mt-3 flex h-6 items-center text-text-secondary">{t('account.verificationLabel', { ns: 'common' })}</label>
       <Input
         minLength={6}
         maxLength={6}

web/app/account/(commonLayout)/header.tsx

@@ -32,10 +32,10 @@ const Header = () => {
             : <DifyLogo />}
         </div>
         <div className="h-4 w-[1px] origin-center rotate-[11.31deg] bg-divider-regular" />
-        <p className="relative mt-[-2px] text-text-primary title-3xl-semi-bold">{t('account.account', { ns: 'common' })}</p>
+        <p className="title-3xl-semi-bold relative mt-[-2px] text-text-primary">{t('account.account', { ns: 'common' })}</p>
       </div>
       <div className="flex shrink-0 items-center gap-3">
-        <Button className="gap-2 px-3 py-2 system-sm-medium" onClick={goToStudio}>
+        <Button className="system-sm-medium gap-2 px-3 py-2" onClick={goToStudio}>
           <RiRobot2Line className="h-4 w-4" />
           <p>{t('account.studio', { ns: 'common' })}</p>
           <RiArrowRightUpLine className="h-4 w-4" />

web/app/components/app/annotation/add-annotation-modal/edit-item/index.tsx

@@ -31,7 +31,7 @@ const EditItem: FC<Props> = ({
         {avatar}
       </div>
       <div className="grow">
-        <div className="mb-1 text-text-primary system-xs-semibold">{name}</div>
+        <div className="system-xs-semibold mb-1 text-text-primary">{name}</div>
         <Textarea
           value={content}
           onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) => onChange(e.target.value)}

web/app/components/app/annotation/add-annotation-modal/index.tsx

@@ -99,7 +99,7 @@ const AddAnnotationModal: FC<Props> = ({
                   <AnnotationFull />
                 </div>
               )}
-              <div className="flex h-16 items-center justify-between rounded-bl-xl rounded-br-xl border-t border-divider-subtle bg-background-section-burn px-4 text-text-tertiary system-sm-medium">
+              <div className="system-sm-medium flex h-16 items-center justify-between rounded-bl-xl rounded-br-xl border-t border-divider-subtle bg-background-section-burn px-4 text-text-tertiary">
                 <div
                   className="flex items-center space-x-2"
                 >

web/app/components/app/annotation/batch-add-annotation-modal/csv-downloader.tsx

@@ -33,7 +33,7 @@ const CSVDownload: FC = () => {
 
   return (
     <div className="mt-6">
-      <div className="text-text-primary system-sm-medium">{t('generation.csvStructureTitle', { ns: 'share' })}</div>
+      <div className="system-sm-medium text-text-primary">{t('generation.csvStructureTitle', { ns: 'share' })}</div>
       <div className="mt-2 max-h-[500px] overflow-auto">
         <table className="w-full table-fixed border-separate border-spacing-0 rounded-lg border border-divider-regular text-xs">
           <thead className="text-text-tertiary">
@@ -77,7 +77,7 @@ const CSVDownload: FC = () => {
         bom={true}
         data={getTemplate()}
       >
-        <div className="flex h-[18px] items-center space-x-1 text-text-accent system-xs-medium">
+        <div className="system-xs-medium flex h-[18px] items-center space-x-1 text-text-accent">
           <DownloadIcon className="mr-1 h-3 w-3" />
           {t('batchModal.template', { ns: 'appAnnotation' })}
         </div>

web/app/components/app/annotation/batch-add-annotation-modal/csv-uploader.tsx

@@ -94,7 +94,7 @@ const CSVUploader: FC<Props> = ({
       />
       <div ref={dropRef}>
         {!file && (
-          <div className={cn('flex h-20 items-center rounded-xl border border-dashed border-components-dropzone-border bg-components-dropzone-bg system-sm-regular', dragging && 'border border-components-dropzone-border-accent bg-components-dropzone-bg-accent')}>
+          <div className={cn('system-sm-regular flex h-20 items-center rounded-xl border border-dashed border-components-dropzone-border bg-components-dropzone-bg', dragging && 'border border-components-dropzone-border-accent bg-components-dropzone-bg-accent')}>
             <div className="flex w-full items-center justify-center space-x-2">
               <CSVIcon className="shrink-0" />
               <div className="text-text-tertiary">

web/app/components/app/annotation/batch-add-annotation-modal/index.tsx

@@ -90,7 +90,7 @@ const BatchModal: FC<IBatchModalProps> = ({
 
   return (
     <Modal isShow={isShow} onClose={noop} className="!max-w-[520px] !rounded-xl px-8 py-6">
-      <div className="relative pb-1 text-text-primary system-xl-medium">{t('batchModal.title', { ns: 'appAnnotation' })}</div>
+      <div className="system-xl-medium relative pb-1 text-text-primary">{t('batchModal.title', { ns: 'appAnnotation' })}</div>
       <div className="absolute right-4 top-4 cursor-pointer p-2" onClick={onCancel}>
         <RiCloseLine className="h-4 w-4 text-text-tertiary" />
       </div>
@@ -107,7 +107,7 @@ const BatchModal: FC<IBatchModalProps> = ({
       )}
 
       <div className="mt-[28px] flex justify-end pt-6">
-        <Button className="mr-2 text-text-tertiary system-sm-medium" onClick={onCancel}>
+        <Button className="system-sm-medium mr-2 text-text-tertiary" onClick={onCancel}>
           {t('batchModal.cancel', { ns: 'appAnnotation' })}
         </Button>
         <Button

web/app/components/app/annotation/edit-annotation-modal/edit-item/index.tsx

@@ -21,7 +21,7 @@ type Props = {
 }
 
 export const EditTitle: FC<{ className?: string, title: string }> = ({ className, title }) => (
-  <div className={cn(className, 'flex h-[18px] items-center text-text-tertiary system-xs-medium')}>
+  <div className={cn(className, 'system-xs-medium flex h-[18px] items-center text-text-tertiary')}>
     <RiEditFill className="mr-1 h-3.5 w-3.5" />
     <div>{title}</div>
     <div
@@ -75,21 +75,21 @@ const EditItem: FC<Props> = ({
         {avatar}
       </div>
       <div className="grow">
-        <div className="mb-1 text-text-primary system-xs-semibold">{name}</div>
-        <div className="text-text-primary system-sm-regular">{content}</div>
+        <div className="system-xs-semibold mb-1 text-text-primary">{name}</div>
+        <div className="system-sm-regular text-text-primary">{content}</div>
         {!isEdit
           ? (
               <div>
                 {showNewContent && (
                   <div className="mt-3">
                     <EditTitle title={editTitle} />
-                    <div className="mt-1 text-text-primary system-sm-regular">{newContent}</div>
+                    <div className="system-sm-regular mt-1 text-text-primary">{newContent}</div>
                   </div>
                 )}
                 <div className="mt-2 flex items-center">
                   {!readonly && (
                     <div
-                      className="flex cursor-pointer items-center space-x-1 text-text-accent system-xs-medium"
+                      className="system-xs-medium flex cursor-pointer items-center space-x-1 text-text-accent"
                       onClick={() => {
                         setIsEdit(true)
                       }}
@@ -100,7 +100,7 @@ const EditItem: FC<Props> = ({
                   )}
 
                   {showNewContent && (
-                    <div className="ml-2 flex items-center text-text-tertiary system-xs-medium">
+                    <div className="system-xs-medium ml-2 flex items-center text-text-tertiary">
                       <div className="mr-2">·</div>
                       <div
                         className="flex cursor-pointer items-center space-x-1"

web/app/components/app/annotation/edit-annotation-modal/index.tsx

@@ -136,7 +136,7 @@ const EditAnnotationModal: FC<Props> = ({
             {
               annotationId
                 ? (
-                    <div className="flex h-16 items-center justify-between rounded-bl-xl rounded-br-xl border-t border-divider-subtle bg-background-section-burn px-4 text-text-tertiary system-sm-medium">
+                    <div className="system-sm-medium flex h-16 items-center justify-between rounded-bl-xl rounded-br-xl border-t border-divider-subtle bg-background-section-burn px-4 text-text-tertiary">
                       <div
                         className="flex cursor-pointer items-center space-x-2 pl-3"
                         onClick={() => setShowModal(true)}

web/app/components/app/annotation/empty-element.tsx

@@ -17,11 +17,11 @@ const EmptyElement: FC = () => {
   return (
     <div className="flex h-full items-center justify-center">
       <div className="box-border h-fit w-[560px] rounded-2xl bg-background-section-burn px-5 py-4">
-        <span className="text-text-secondary system-md-semibold">
+        <span className="system-md-semibold text-text-secondary">
           {t('noData.title', { ns: 'appAnnotation' })}
           <ThreeDotsIcon className="relative -left-1.5 -top-3 inline" />
         </span>
-        <div className="mt-2 text-text-tertiary system-sm-regular">
+        <div className="system-sm-regular mt-2 text-text-tertiary">
           {t('noData.description', { ns: 'appAnnotation' })}
         </div>
       </div>

web/app/components/app/annotation/header-opts/index.tsx

@@ -103,12 +103,12 @@ const HeaderOptions: FC<Props> = ({
           }}
         >
           <FilePlus02 className="h-4 w-4 text-text-tertiary" />
-          <span className="grow text-left text-text-secondary system-sm-regular">{t('table.header.bulkImport', { ns: 'appAnnotation' })}</span>
+          <span className="system-sm-regular grow text-left text-text-secondary">{t('table.header.bulkImport', { ns: 'appAnnotation' })}</span>
         </button>
         <Menu as="div" className="relative h-full w-full">
           <MenuButton className="mx-1 flex h-9 w-[calc(100%_-_8px)] cursor-pointer items-center space-x-2 rounded-lg px-3 py-2 hover:bg-components-panel-on-panel-item-bg-hover disabled:opacity-50">
             <FileDownload02 className="h-4 w-4 text-text-tertiary" />
-            <span className="grow text-left text-text-secondary system-sm-regular">{t('table.header.bulkExport', { ns: 'appAnnotation' })}</span>
+            <span className="system-sm-regular grow text-left text-text-secondary">{t('table.header.bulkExport', { ns: 'appAnnotation' })}</span>
             <ChevronRight className="h-[14px] w-[14px] shrink-0 text-text-tertiary" />
           </MenuButton>
           <Transition
@@ -135,11 +135,11 @@ const HeaderOptions: FC<Props> = ({
                 ]}
               >
                 <button type="button" disabled={annotationUnavailable} className="mx-1 flex h-9 w-[calc(100%_-_8px)] cursor-pointer items-center space-x-2 rounded-lg px-3 py-2 hover:bg-components-panel-on-panel-item-bg-hover disabled:opacity-50">
-                  <span className="grow text-left text-text-secondary system-sm-regular">CSV</span>
+                  <span className="system-sm-regular grow text-left text-text-secondary">CSV</span>
                 </button>
               </CSVDownloader>
               <button type="button" disabled={annotationUnavailable} className={cn('mx-1 flex h-9 w-[calc(100%_-_8px)] cursor-pointer items-center space-x-2 rounded-lg px-3 py-2 hover:bg-components-panel-on-panel-item-bg-hover disabled:opacity-50', '!border-0')} onClick={JSONLOutput}>
-                <span className="grow text-left text-text-secondary system-sm-regular">JSONL</span>
+                <span className="system-sm-regular grow text-left text-text-secondary">JSONL</span>
               </button>
             </MenuItems>
           </Transition>
@@ -150,7 +150,7 @@ const HeaderOptions: FC<Props> = ({
           className="mx-1 flex h-9 w-[calc(100%_-_8px)] cursor-pointer items-center space-x-2 rounded-lg px-3 py-2 text-red-600 hover:bg-red-50 disabled:opacity-50"
         >
           <RiDeleteBinLine className="h-4 w-4" />
-          <span className="grow text-left system-sm-regular">
+          <span className="system-sm-regular grow text-left">
             {t('table.header.clearAll', { ns: 'appAnnotation' })}
           </span>
         </button>

web/app/components/app/annotation/list.tsx

@@ -58,7 +58,7 @@ const List: FC<Props> = ({
     <>
       <div className="relative mt-2 grow overflow-x-auto">
         <table className={cn('w-full min-w-[440px] border-collapse border-0')}>
-          <thead className="text-text-tertiary system-xs-medium-uppercase">
+          <thead className="system-xs-medium-uppercase text-text-tertiary">
             <tr>
               <td className="w-12 whitespace-nowrap rounded-l-lg bg-background-section-burn px-2">
                 <Checkbox
@@ -75,7 +75,7 @@ const List: FC<Props> = ({
               <td className="w-[96px] whitespace-nowrap rounded-r-lg bg-background-section-burn py-1.5 pl-3">{t('table.header.actions', { ns: 'appAnnotation' })}</td>
             </tr>
           </thead>
-          <tbody className="text-text-secondary system-sm-regular">
+          <tbody className="system-sm-regular text-text-secondary">
             {list.map(item => (
               <tr
                 key={item.id}

web/app/components/app/annotation/view-annotation-modal/hit-history-no-data.tsx

@@ -11,7 +11,7 @@ const HitHistoryNoData: FC = () => {
       <div className="inline-block rounded-lg border border-divider-subtle p-3">
         <ClockFastForward className="h-5 w-5 text-text-tertiary" />
       </div>
-      <div className="text-text-tertiary system-sm-regular">{t('viewModal.noHitHistory', { ns: 'appAnnotation' })}</div>
+      <div className="system-sm-regular text-text-tertiary">{t('viewModal.noHitHistory', { ns: 'appAnnotation' })}</div>
     </div>
   )
 }

web/app/components/app/annotation/view-annotation-modal/index.tsx

@@ -137,7 +137,7 @@ const ViewAnnotationModal: FC<Props> = ({
     : (
         <div>
           <table className={cn('w-full min-w-[440px] border-collapse border-0')}>
-            <thead className="text-text-tertiary system-xs-medium-uppercase">
+            <thead className="system-xs-medium-uppercase text-text-tertiary">
               <tr>
                 <td className="w-5 whitespace-nowrap rounded-l-lg bg-background-section-burn pl-2 pr-1">{t('hitHistoryTable.query', { ns: 'appAnnotation' })}</td>
                 <td className="whitespace-nowrap bg-background-section-burn py-1.5 pl-3">{t('hitHistoryTable.match', { ns: 'appAnnotation' })}</td>
@@ -147,7 +147,7 @@ const ViewAnnotationModal: FC<Props> = ({
                 <td className="w-[160px] whitespace-nowrap rounded-r-lg bg-background-section-burn py-1.5 pl-3">{t('hitHistoryTable.time', { ns: 'appAnnotation' })}</td>
               </tr>
             </thead>
-            <tbody className="text-text-secondary system-sm-regular">
+            <tbody className="system-sm-regular text-text-secondary">
               {hitHistoryList.map(item => (
                 <tr
                   key={item.id}
@@ -226,7 +226,7 @@ const ViewAnnotationModal: FC<Props> = ({
         )}
         foot={id
           ? (
-              <div className="flex h-16 items-center justify-between rounded-bl-xl rounded-br-xl border-t border-divider-subtle bg-background-section-burn px-4 text-text-tertiary system-sm-medium">
+              <div className="system-sm-medium flex h-16 items-center justify-between rounded-bl-xl rounded-br-xl border-t border-divider-subtle bg-background-section-burn px-4 text-text-tertiary">
                 <div
                   className="flex cursor-pointer items-center space-x-2 pl-3"
                   onClick={() => setShowModal(true)}

web/app/components/app/app-access-control/add-member-or-group-pop.tsx

@@ -76,7 +76,7 @@ export default function AddMemberOrGroupDialog() {
                     )
                   : (
                       <div className="flex h-7 items-center justify-center px-2 py-0.5">
-                        <span className="text-text-tertiary system-xs-regular">{t('accessControlDialog.operateGroupAndMember.noResult', { ns: 'app' })}</span>
+                        <span className="system-xs-regular text-text-tertiary">{t('accessControlDialog.operateGroupAndMember.noResult', { ns: 'app' })}</span>
                       </div>
                     )
           }
@@ -115,10 +115,10 @@ function SelectedGroupsBreadCrumb() {
   }, [setSelectedGroupsForBreadcrumb])
   return (
     <div className="flex h-7 items-center gap-x-0.5 px-2 py-0.5">
-      <span className={cn('text-text-tertiary system-xs-regular', selectedGroupsForBreadcrumb.length > 0 && 'cursor-pointer text-text-accent')} onClick={handleReset}>{t('accessControlDialog.operateGroupAndMember.allMembers', { ns: 'app' })}</span>
+      <span className={cn('system-xs-regular text-text-tertiary', selectedGroupsForBreadcrumb.length > 0 && 'cursor-pointer text-text-accent')} onClick={handleReset}>{t('accessControlDialog.operateGroupAndMember.allMembers', { ns: 'app' })}</span>
       {selectedGroupsForBreadcrumb.map((group, index) => {
         return (
-          <div key={index} className="flex items-center gap-x-0.5 text-text-tertiary system-xs-regular">
+          <div key={index} className="system-xs-regular flex items-center gap-x-0.5 text-text-tertiary">
             <span>/</span>
             <span className={index === selectedGroupsForBreadcrumb.length - 1 ? '' : 'cursor-pointer text-text-accent'} onClick={() => handleBreadCrumbClick(index)}>{group.name}</span>
           </div>
@@ -161,8 +161,8 @@ function GroupItem({ group }: GroupItemProps) {
             <RiOrganizationChart className="h-[14px] w-[14px] text-components-avatar-shape-fill-stop-0" />
           </div>
         </div>
-        <p className="mr-1 text-text-secondary system-sm-medium">{group.name}</p>
-        <p className="text-text-tertiary system-xs-regular">{group.groupSize}</p>
+        <p className="system-sm-medium mr-1 text-text-secondary">{group.name}</p>
+        <p className="system-xs-regular text-text-tertiary">{group.groupSize}</p>
       </div>
       <Button
         size="small"
@@ -206,16 +206,16 @@ function MemberItem({ member }: MemberItemProps) {
             <Avatar className="h-[14px] w-[14px]" textClassName="text-[12px]" avatar={null} name={member.name} />
           </div>
         </div>
-        <p className="mr-1 text-text-secondary system-sm-medium">{member.name}</p>
+        <p className="system-sm-medium mr-1 text-text-secondary">{member.name}</p>
         {currentUser.email === member.email && (
-          <p className="text-text-tertiary system-xs-regular">
+          <p className="system-xs-regular text-text-tertiary">
             (
             {t('you', { ns: 'common' })}
             )
           </p>
         )}
       </div>
-      <p className="text-text-quaternary system-xs-regular">{member.email}</p>
+      <p className="system-xs-regular text-text-quaternary">{member.email}</p>
     </BaseItem>
   )
 }

web/app/components/app/app-access-control/index.tsx

@@ -68,18 +68,18 @@ export default function AccessControl(props: AccessControlProps) {
     <AccessControlDialog show onClose={onClose}>
       <div className="flex flex-col gap-y-3">
         <div className="pb-3 pl-6 pr-14 pt-6">
-          <DialogTitle className="text-text-primary title-2xl-semi-bold">{t('accessControlDialog.title', { ns: 'app' })}</DialogTitle>
-          <DialogDescription className="mt-1 text-text-tertiary system-xs-regular">{t('accessControlDialog.description', { ns: 'app' })}</DialogDescription>
+          <DialogTitle className="title-2xl-semi-bold text-text-primary">{t('accessControlDialog.title', { ns: 'app' })}</DialogTitle>
+          <DialogDescription className="system-xs-regular mt-1 text-text-tertiary">{t('accessControlDialog.description', { ns: 'app' })}</DialogDescription>
         </div>
         <div className="flex flex-col gap-y-1 px-6 pb-3">
           <div className="leading-6">
-            <p className="text-text-tertiary system-sm-medium">{t('accessControlDialog.accessLabel', { ns: 'app' })}</p>
+            <p className="system-sm-medium text-text-tertiary">{t('accessControlDialog.accessLabel', { ns: 'app' })}</p>
           </div>
           <AccessControlItem type={AccessMode.ORGANIZATION}>
             <div className="flex items-center p-3">
               <div className="flex grow items-center gap-x-2">
                 <RiBuildingLine className="h-4 w-4 text-text-primary" />
-                <p className="text-text-primary system-sm-medium">{t('accessControlDialog.accessItems.organization', { ns: 'app' })}</p>
+                <p className="system-sm-medium text-text-primary">{t('accessControlDialog.accessItems.organization', { ns: 'app' })}</p>
               </div>
             </div>
           </AccessControlItem>
@@ -90,7 +90,7 @@ export default function AccessControl(props: AccessControlProps) {
             <div className="flex items-center p-3">
               <div className="flex grow items-center gap-x-2">
                 <RiVerifiedBadgeLine className="h-4 w-4 text-text-primary" />
-                <p className="text-text-primary system-sm-medium">{t('accessControlDialog.accessItems.external', { ns: 'app' })}</p>
+                <p className="system-sm-medium text-text-primary">{t('accessControlDialog.accessItems.external', { ns: 'app' })}</p>
               </div>
               {!hideTip && <WebAppSSONotEnabledTip />}
             </div>
@@ -98,7 +98,7 @@ export default function AccessControl(props: AccessControlProps) {
           <AccessControlItem type={AccessMode.PUBLIC}>
             <div className="flex items-center gap-x-2 p-3">
               <RiGlobalLine className="h-4 w-4 text-text-primary" />
-              <p className="text-text-primary system-sm-medium">{t('accessControlDialog.accessItems.anyone', { ns: 'app' })}</p>
+              <p className="system-sm-medium text-text-primary">{t('accessControlDialog.accessItems.anyone', { ns: 'app' })}</p>
             </div>
           </AccessControlItem>
         </div>

web/app/components/app/app-access-control/specific-groups-or-members.tsx

@@ -29,7 +29,7 @@ export default function SpecificGroupsOrMembers() {
       <div className="flex items-center p-3">
         <div className="flex grow items-center gap-x-2">
           <RiLockLine className="h-4 w-4 text-text-primary" />
-          <p className="text-text-primary system-sm-medium">{t('accessControlDialog.accessItems.specific', { ns: 'app' })}</p>
+          <p className="system-sm-medium text-text-primary">{t('accessControlDialog.accessItems.specific', { ns: 'app' })}</p>
         </div>
       </div>
     )
@@ -40,7 +40,7 @@ export default function SpecificGroupsOrMembers() {
       <div className="flex items-center gap-x-1 p-3">
         <div className="flex grow items-center gap-x-1">
           <RiLockLine className="h-4 w-4 text-text-primary" />
-          <p className="text-text-primary system-sm-medium">{t('accessControlDialog.accessItems.specific', { ns: 'app' })}</p>
+          <p className="system-sm-medium text-text-primary">{t('accessControlDialog.accessItems.specific', { ns: 'app' })}</p>
         </div>
         <div className="flex items-center gap-x-1">
           <AddMemberOrGroupDialog />
@@ -60,14 +60,14 @@ function RenderGroupsAndMembers() {
   const specificGroups = useAccessControlStore(s => s.specificGroups)
   const specificMembers = useAccessControlStore(s => s.specificMembers)
   if (specificGroups.length <= 0 && specificMembers.length <= 0)
-    return <div className="px-2 pb-1.5 pt-5"><p className="text-center text-text-tertiary system-xs-regular">{t('accessControlDialog.noGroupsOrMembers', { ns: 'app' })}</p></div>
+    return <div className="px-2 pb-1.5 pt-5"><p className="system-xs-regular text-center text-text-tertiary">{t('accessControlDialog.noGroupsOrMembers', { ns: 'app' })}</p></div>
   return (
     <>
-      <p className="sticky top-0 text-text-tertiary system-2xs-medium-uppercase">{t('accessControlDialog.groups', { ns: 'app', count: specificGroups.length ?? 0 })}</p>
+      <p className="system-2xs-medium-uppercase sticky top-0 text-text-tertiary">{t('accessControlDialog.groups', { ns: 'app', count: specificGroups.length ?? 0 })}</p>
       <div className="flex flex-row flex-wrap gap-1">
         {specificGroups.map((group, index) => <GroupItem key={index} group={group} />)}
       </div>
-      <p className="sticky top-0 text-text-tertiary system-2xs-medium-uppercase">{t('accessControlDialog.members', { ns: 'app', count: specificMembers.length ?? 0 })}</p>
+      <p className="system-2xs-medium-uppercase sticky top-0 text-text-tertiary">{t('accessControlDialog.members', { ns: 'app', count: specificMembers.length ?? 0 })}</p>
       <div className="flex flex-row flex-wrap gap-1">
         {specificMembers.map((member, index) => <MemberItem key={index} member={member} />)}
       </div>
@@ -89,8 +89,8 @@ function GroupItem({ group }: GroupItemProps) {
       icon={<RiOrganizationChart className="h-[14px] w-[14px] text-components-avatar-shape-fill-stop-0" />}
       onRemove={handleRemoveGroup}
     >
-      <p className="text-text-primary system-xs-regular">{group.name}</p>
-      <p className="text-text-tertiary system-xs-regular">{group.groupSize}</p>
+      <p className="system-xs-regular text-text-primary">{group.name}</p>
+      <p className="system-xs-regular text-text-tertiary">{group.groupSize}</p>
     </BaseItem>
   )
 }
@@ -109,7 +109,7 @@ function MemberItem({ member }: MemberItemProps) {
       icon={<Avatar className="h-[14px] w-[14px]" textClassName="text-[12px]" avatar={null} name={member.name} />}
       onRemove={handleRemoveMember}
     >
-      <p className="text-text-primary system-xs-regular">{member.name}</p>
+      <p className="system-xs-regular text-text-primary">{member.name}</p>
     </BaseItem>
   )
 }

web/app/components/app/app-publisher/suggested-action.tsx

@@ -24,7 +24,7 @@ const SuggestedAction = ({ icon, link, disabled, children, className, onClick, .
       {...props}
     >
       <div className="relative h-4 w-4">{icon}</div>
-      <div className="shrink grow basis-0 system-sm-medium">{children}</div>
+      <div className="system-sm-medium shrink grow basis-0">{children}</div>
       <RiArrowRightUpLine className="h-3.5 w-3.5" />
     </a>
   )

web/app/components/app/app-publisher/version-info-modal.tsx

@@ -74,7 +74,7 @@ const VersionInfoModal: FC<VersionInfoModalProps> = ({
   return (
     <Modal className="p-0" isShow={isOpen} onClose={onClose}>
       <div className="relative w-full p-6 pb-4 pr-14">
-        <div className="text-text-primary title-2xl-semi-bold first-letter:capitalize">
+        <div className="title-2xl-semi-bold text-text-primary first-letter:capitalize">
           {versionInfo?.marked_name ? t('versionHistory.editVersionInfo', { ns: 'workflow' }) : t('versionHistory.nameThisVersion', { ns: 'workflow' })}
         </div>
         <div className="absolute right-5 top-5 flex h-8 w-8 cursor-pointer items-center justify-center p-1.5" onClick={onClose}>
@@ -83,7 +83,7 @@ const VersionInfoModal: FC<VersionInfoModalProps> = ({
       </div>
       <div className="flex flex-col gap-y-4 px-6 py-3">
         <div className="flex flex-col gap-y-1">
-          <div className="flex h-6 items-center text-text-secondary system-sm-semibold">
+          <div className="system-sm-semibold flex h-6 items-center text-text-secondary">
             {t('versionHistory.editField.title', { ns: 'workflow' })}
           </div>
           <Input
@@ -94,7 +94,7 @@ const VersionInfoModal: FC<VersionInfoModalProps> = ({
           />
         </div>
         <div className="flex flex-col gap-y-1">
-          <div className="flex h-6 items-center text-text-secondary system-sm-semibold">
+          <div className="system-sm-semibold flex h-6 items-center text-text-secondary">
             {t('versionHistory.editField.releaseNotes', { ns: 'workflow' })}
           </div>
           <Textarea

web/app/components/app/configuration/base/feature-panel/index.tsx

@@ -29,7 +29,7 @@ const FeaturePanel: FC<IFeaturePanelProps> = ({
         <div className="flex h-8 items-center justify-between">
           <div className="flex shrink-0 items-center space-x-1">
             {!!headerIcon && <div className="flex h-6 w-6 items-center justify-center">{headerIcon}</div>}
-            <div className="text-text-secondary system-sm-semibold">{title}</div>
+            <div className="system-sm-semibold text-text-secondary">{title}</div>
           </div>
           <div className="flex items-center gap-2">
             {!!headerRight && <div>{headerRight}</div>}

web/app/components/app/configuration/config-prompt/confirm-add-var/index.tsx

@@ -35,7 +35,7 @@ const ConfirmAddVar: FC<IConfirmAddVarProps> = ({
   // }, mainContentRef)
   return (
     <div
-      className="absolute inset-0 flex items-center justify-center rounded-xl"
+      className="absolute inset-0  flex items-center justify-center rounded-xl"
       style={{
         backgroundColor: 'rgba(35, 56, 118, 0.2)',
       }}

web/app/components/app/configuration/config-prompt/message-type-selector.tsx

@@ -28,7 +28,7 @@ const MessageTypeSelector: FC<Props> = ({
         className={cn(showOption && 'bg-indigo-100', 'flex h-7 cursor-pointer items-center space-x-0.5 rounded-lg pl-1.5 pr-1 text-indigo-800')}
       >
         <div className="text-sm font-semibold uppercase">{value}</div>
-        <ChevronSelectorVertical className="h-3 w-3" />
+        <ChevronSelectorVertical className="h-3 w-3 " />
       </div>
       {showOption && (
         <div className="absolute top-[30px] z-10 rounded-lg border border-components-panel-border bg-components-panel-bg p-1 shadow-lg">

web/app/components/app/configuration/config-prompt/simple-prompt-input.tsx

@@ -178,7 +178,7 @@ const Prompt: FC<ISimplePromptInput> = ({
         {!noTitle && (
           <div className="flex h-11 items-center justify-between pl-3 pr-2.5">
             <div className="flex items-center space-x-1">
-              <div className="h2 text-text-secondary system-sm-semibold-uppercase">{mode !== AppModeEnum.COMPLETION ? t('chatSubTitle', { ns: 'appDebug' }) : t('completionSubTitle', { ns: 'appDebug' })}</div>
+              <div className="h2 system-sm-semibold-uppercase text-text-secondary">{mode !== AppModeEnum.COMPLETION ? t('chatSubTitle', { ns: 'appDebug' }) : t('completionSubTitle', { ns: 'appDebug' })}</div>
               {!readonly && (
                 <Tooltip
                   popupContent={(

web/app/components/app/configuration/config-var/config-modal/index.tsx

@@ -482,12 +482,12 @@ const ConfigModal: FC<IConfigModalProps> = ({
 
           <div className="!mt-5 flex h-6 items-center space-x-2">
             <Checkbox checked={tempPayload.required} disabled={tempPayload.hide} onCheck={() => handlePayloadChange('required')(!tempPayload.required)} />
-            <span className="text-text-secondary system-sm-semibold">{t('variableConfig.required', { ns: 'appDebug' })}</span>
+            <span className="system-sm-semibold text-text-secondary">{t('variableConfig.required', { ns: 'appDebug' })}</span>
           </div>
 
           <div className="!mt-5 flex h-6 items-center space-x-2">
             <Checkbox checked={tempPayload.hide} disabled={tempPayload.required} onCheck={() => handlePayloadChange('hide')(!tempPayload.hide)} />
-            <span className="text-text-secondary system-sm-semibold">{t('variableConfig.hide', { ns: 'appDebug' })}</span>
+            <span className="system-sm-semibold text-text-secondary">{t('variableConfig.hide', { ns: 'appDebug' })}</span>
           </div>
         </div>
       </div>

web/app/components/app/configuration/config-var/config-select/index.tsx

@@ -87,10 +87,10 @@ const ConfigSelect: FC<IConfigSelectProps> = ({
 
       <div
         onClick={() => { onChange([...options, '']) }}
-        className="mt-1 flex h-9 cursor-pointer items-center gap-2 rounded-lg bg-components-button-tertiary-bg px-3 text-components-button-tertiary-text hover:bg-components-button-tertiary-bg-hover"
+        className="mt-1 flex h-9 cursor-pointer items-center gap-2 rounded-lg bg-components-button-tertiary-bg px-3  text-components-button-tertiary-text hover:bg-components-button-tertiary-bg-hover"
       >
         <RiAddLine className="h-4 w-4" />
-        <div className="text-[13px] system-sm-medium">{t('variableConfig.addOption', { ns: 'appDebug' })}</div>
+        <div className="system-sm-medium text-[13px]">{t('variableConfig.addOption', { ns: 'appDebug' })}</div>
       </div>
     </div>
   )

web/app/components/app/configuration/config-var/input-type-icon.tsx

@@ -11,7 +11,7 @@ export type IInputTypeIconProps = {
 }
 
 const IconMap = (type: IInputTypeIconProps['type'], className: string) => {
-  const classNames = `h-3.5 w-3.5 ${className}`
+  const classNames = `w-3.5 h-3.5 ${className}`
   const icons = {
     string: (
       <InputVarTypeIcon type={InputVarType.textInput} className={classNames} />

web/app/components/app/configuration/config-var/select-type-item/index.tsx

@@ -33,7 +33,7 @@ const SelectTypeItem: FC<ISelectTypeItemProps> = ({
     <div
       className={cn(
         'flex h-[58px] flex-col items-center justify-center space-y-1 rounded-lg border border-components-option-card-option-border bg-components-option-card-option-bg text-text-secondary',
-        selected ? 'border-[1.5px] border-components-option-card-option-selected-border bg-components-option-card-option-selected-bg shadow-xs system-xs-medium' : 'cursor-pointer system-xs-regular hover:border-components-option-card-option-border-hover hover:bg-components-option-card-option-bg-hover hover:shadow-xs',
+        selected ? 'system-xs-medium border-[1.5px] border-components-option-card-option-selected-border bg-components-option-card-option-selected-bg shadow-xs' : ' system-xs-regular cursor-pointer hover:border-components-option-card-option-border-hover hover:bg-components-option-card-option-bg-hover hover:shadow-xs',
       )}
       onClick={onClick}
     >

web/app/components/app/configuration/config-var/var-item.tsx

@@ -46,15 +46,15 @@ const VarItem: FC<ItemProps> = ({
       )}
       <div className="flex w-0 grow items-center">
         <div className="truncate" title={`${name} · ${label}`}>
-          <span className="text-text-secondary system-sm-medium">{name}</span>
-          <span className="px-1 text-text-quaternary system-xs-regular">·</span>
-          <span className="text-text-tertiary system-xs-medium">{label}</span>
+          <span className="system-sm-medium text-text-secondary">{name}</span>
+          <span className="system-xs-regular px-1 text-text-quaternary">·</span>
+          <span className="system-xs-medium text-text-tertiary">{label}</span>
         </div>
       </div>
       <div className="shrink-0">
         <div className={cn('flex items-center', !readonly && 'group-hover:hidden')}>
           {required && <Badge text="required" />}
-          <span className="pl-2 pr-1 text-text-tertiary system-xs-regular">{type}</span>
+          <span className="system-xs-regular pl-2 pr-1 text-text-tertiary">{type}</span>
           <IconTypeIcon type={type as IInputTypeIconProps['type']} className="text-text-tertiary" />
         </div>
         <div className={cn('hidden items-center justify-end rounded-lg', !readonly && 'group-hover:flex')}>
@@ -66,7 +66,7 @@ const VarItem: FC<ItemProps> = ({
           </div>
           <div
             data-testid="var-item-delete-btn"
-            className="flex h-6 w-6 cursor-pointer items-center justify-center text-text-tertiary hover:text-text-destructive"
+            className="flex h-6 w-6 cursor-pointer items-center  justify-center text-text-tertiary hover:text-text-destructive"
             onClick={onRemove}
             onMouseOver={() => setIsDeleting(true)}
             onMouseLeave={() => setIsDeleting(false)}