Docs: Update version references to v0.25.1 in READMEs and docs (#14488 )

### What problem does this PR solve? - Update version tags in README files (including translations) from v0.25.0 to v0.25.1 - Modify Docker image references and documentation to reflect new version - Update version badges and image descriptions - Maintain consistency across all language variants of README files ### Type of change - [x] Documentation Update
Fix: The GraphRAG icon is not displaying. (#14514 )
2026-06-30 07:51:10 +08:00 · 2026-04-30 10:49:26 +08:00 · 2026-04-30 10:44:05 +08:00 · 2026-04-30 10:35:03 +08:00 · 2026-04-29 22:10:24 +08:00 · 2026-04-29 21:09:54 +08:00
2167 changed files with 320492 additions and 107814 deletions
--- a/.agents/rules/named.md
+++ b/.agents/rules/named.md
@@ -0,0 +1,192 @@
+# Go Naming Best Practices
+
+## 1. Package Naming
+
+- **All lowercase, no underscores**: `package user`, not `package userService` or `package user_service`
+- **Short and meaningful**: `package http`, `package json`, `package dao`
+- **Avoid plurals**: `package user` not `package users`
+- **Avoid generic names**: Avoid `package util`, `package common`, `package base`
+
+```go
+// Recommended
+package user
+package handler
+package service
+
+// Not recommended
+package UserService
+package user_service
+package utils
+```
+
+## 2. File Naming
+
+- **All lowercase, underscore separated**: `user_handler.go`, `user_service.go`
+- **Test files**: `user_handler_test.go`
+- **Platform-specific**: `user_linux.go`, `user_windows.go`
+
+```
+user/
+├── user_handler.go
+├── user_service.go
+├── user_dao.go
+└── user_test.go
+```
+
+## 3. Directory Naming
+
+- **All lowercase, no underscores or hyphens**: `internal/`, `pkg/`, `cmd/`
+- **Short and descriptive**: `handler/`, `service/`, `dao/`
+
+```
+project/
+├── cmd/                    # Main entry point
+│   └── server_main.go
+├── internal/               # Private code
+│   ├── handler/
+│   ├── service/
+│   ├── dao/
+│   ├── model/
+│   └── middleware/
+├── pkg/                    # Public code
+└── api/                    # API definitions
+```
+
+## 4. Interface Naming
+
+- **Single-method interfaces end with "-er"**: `Reader`, `Writer`, `Handler`
+- **Verb form**: `Reader`, `Executor`, `Validator`
+
+```go
+// Recommended
+type Reader interface {
+    Read(p []byte) (n int, err error)
+}
+
+type UserService interface {
+    Register(req *RegisterRequest) (*User, error)
+    Login(req *LoginRequest) (*User, error)
+}
+
+// Not recommended
+type UserInterface interface {}
+type IUserService interface {}
+```
+
+## 5. Struct Naming
+
+- **CamelCase**: `UserService`, `UserHandler`
+- **Avoid redundant prefixes**: `User` not `UserModel`
+
+```go
+// Recommended
+type UserService struct {}
+type UserHandler struct {}
+type RegisterRequest struct {}
+
+// Not recommended
+type user_service struct {}
+type SUserService struct {}
+type UserModel struct {}
+```
+
+## 6. Method/Function Naming
+
+- **CamelCase**
+- **Start with verb**: `GetUser`, `CreateUser`, `DeleteUser`
+- **Boolean returns use Is/Has/Can prefix**: `IsValid`, `HasPermission`
+
+```go
+// Recommended
+func (s *UserService) Register(req *RegisterRequest) (*User, error)
+func (s *UserService) GetUserByID(id uint) (*User, error)
+func (s *UserService) IsEmailExists(email string) bool
+
+// Not recommended
+func (s *UserService) register_user()
+func (s *UserService) get_user_by_id()
+func (s *UserService) CheckEmailExists() // Should use Is/Has
+```
+
+## 7. Constant Naming
+
+- **CamelCase**: `const MaxRetryCount = 3`
+- **Enum constants**: `const StatusActive = "active"`
+
+```go
+// Recommended
+const (
+    StatusActive   = "1"
+    StatusInactive = "0"
+    MaxRetryCount  = 3
+)
+
+// Not recommended
+const (
+    STATUS_ACTIVE = "1"  // Not all uppercase
+    status_active = "1"  // Not all lowercase
+)
+```
+
+## 8. Error Variable Naming
+
+- **Start with "Err"**: `ErrNotFound`, `ErrInvalidInput`
+
+```go
+// Recommended
+var (
+    ErrNotFound      = errors.New("not found")
+    ErrInvalidInput  = errors.New("invalid input")
+    ErrUnauthorized  = errors.New("unauthorized")
+)
+```
+
+## 9. Acronyms Keep Consistent Case
+
+```go
+// Recommended
+type HTTPHandler struct {}
+var URL string
+func GetHTTPClient() {}
+func ParseJSON() {}
+
+// Not recommended
+type HttpHandler struct {}
+var Url string
+func GetHttpClient() {}
+```
+
+## 10. Project Structure Naming
+
+```
+project-name/
+├── cmd/                    # Main programs
+│   └── app_name/
+│       └── main.go
+├── internal/               # Private code
+│   ├── handler/           # HTTP handlers
+│   ├── service/           # Business logic
+│   ├── repository/        # Data access
+│   ├── model/             # Data models
+│   └── config/            # Configuration
+├── pkg/                    # Public code
+├── api/                    # API definitions
+├── configs/               # Config files
+├── scripts/               # Scripts
+├── docs/                  # Documentation
+├── go.mod
+└── go.sum
+```
+
+## Summary Table
+
+| Type           | Rule                                | Example             |
+| -------------- | ----------------------------------- | ------------------- |
+| Package        | All lowercase, no underscores       | `package user`      |
+| File           | All lowercase, underscore separated | `user_service.go`   |
+| Directory      | All lowercase, no separators        | `internal/handler/` |
+| Struct         | CamelCase, capitalized first letter | `UserService`       |
+| Interface      | CamelCase, -er suffix               | `Reader`, `Writer`  |
+| Method         | CamelCase, verb prefix              | `GetUserByID`       |
+| Constant       | CamelCase                           | `MaxRetryCount`     |
+| Error Variable | Err prefix                          | `ErrNotFound`       |
--- a/.agents/skills/go-naming/SKILL.md
+++ b/.agents/skills/go-naming/SKILL.md
@@ -0,0 +1,6 @@
+---
+name: go-naming
+description: Go naming conventions and best practices. Use this skill when working with Go code and need to name packages, files, directories, structs, interfaces, functions, variables, or constants. Provides comprehensive naming guidelines following Go community standards.
+---
+
+Strictly follow the naming conventions in [rules/named.md](rules/named.md)
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1 +1,22 @@
-Refer to [AGENTS.MD](../AGENTS.md) for all repo instructions.
+# Project instructions for Copilot
+
+## How to run (minimum)
+- Install:
+  - python -m venv .venv && source .venv/bin/activate
+  - pip install -r requirements.txt
+- Run:
+  - (fill) e.g. uvicorn app.main:app --reload
+- Verify:
+  - (fill) curl http://127.0.0.1:8000/health
+
+## Project layout (what matters)
+- app/: API entrypoints + routers
+- services/: business logic
+- configs/: config loading (.env)
+- docs/: documents
+- tests/: pytest
+
+## Conventions
+- Prefer small, incremental changes.
+- Add logging for new flows.
+- Add/adjust tests for behavior changes.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ concurrency:

 jobs:
  release:
-    runs-on: [ "self-hosted", "ragflow-test" ]
+    runs-on: [ "self-hosted", "ragflow-release" ]
    steps:
      - name: Ensure workspace ownership
        run: echo "chown -R ${USER} ${GITHUB_WORKSPACE}" && sudo chown -R ${USER} ${GITHUB_WORKSPACE}
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -86,6 +86,9 @@ jobs:
            mkdir -p ${RUNNER_WORKSPACE_PREFIX}/artifacts/${GITHUB_REPOSITORY}
            echo "${PR_SHA} ${GITHUB_RUN_ID}" > ${PR_SHA_FP}
          fi
+          ARTIFACTS_DIR=${RUNNER_WORKSPACE_PREFIX}/artifacts/${GITHUB_REPOSITORY}/${GITHUB_RUN_ID}
+          echo "ARTIFACTS_DIR=${ARTIFACTS_DIR}" >> ${GITHUB_ENV}
+          rm -rf ${ARTIFACTS_DIR} && mkdir -p ${ARTIFACTS_DIR}

      # https://github.com/astral-sh/ruff-action
      - name: Static check with Ruff
@@ -126,20 +129,24 @@ jobs:
            fi
          fi

-      - name: Run unit test
+      - name: Build ragflow go server
        run: |
-          uv sync --python 3.12 --group test --frozen
-          source .venv/bin/activate
-          which pytest || echo "pytest not in PATH"
-          echo "Start to run unit test"
-          python3 run_tests.py
+          BUILDER_CONTAINER=ragflow_build_$(od -An -N4 -tx4 /dev/urandom | tr -d ' ')
+          echo "BUILDER_CONTAINER=${BUILDER_CONTAINER}" >> ${GITHUB_ENV}
+          TZ=${TZ:-$(readlink -f /etc/localtime | awk -F '/zoneinfo/' '{print $2}')}
+          sudo docker run --privileged -d --name ${BUILDER_CONTAINER} -e TZ=${TZ} -e UV_INDEX=https://mirrors.aliyun.com/pypi/simple -v ${PWD}:/ragflow -v ${PWD}/internal/cpp/resource:/usr/share/infinity/resource infiniflow/infinity_builder:ubuntu22_clang20
+          sudo docker exec ${BUILDER_CONTAINER} bash -c "git config --global safe.directory \"*\" && cd /ragflow && ./build.sh --cpp"
+          ./build.sh --go
+          if [[ -n "${BUILDER_CONTAINER}" ]]; then
+            sudo docker rm -f -v "${BUILDER_CONTAINER}"
+          fi

      - name: Build ragflow:nightly
        run: |
          RUNNER_WORKSPACE_PREFIX=${RUNNER_WORKSPACE_PREFIX:-${HOME}}
          RAGFLOW_IMAGE=infiniflow/ragflow:${GITHUB_RUN_ID}
          echo "RAGFLOW_IMAGE=${RAGFLOW_IMAGE}" >> ${GITHUB_ENV}
-          sudo docker pull ubuntu:22.04
+          sudo docker pull ubuntu:24.04
          sudo DOCKER_BUILDKIT=1 docker build --build-arg NEED_MIRROR=1 --build-arg HTTPS_PROXY=${HTTPS_PROXY} --build-arg HTTP_PROXY=${HTTP_PROXY} -f Dockerfile -t ${RAGFLOW_IMAGE} .
          if [[ ${GITHUB_EVENT_NAME} == "schedule" ]]; then
            export HTTP_API_TEST_LEVEL=p3
@@ -149,125 +156,450 @@ jobs:
          echo "HTTP_API_TEST_LEVEL=${HTTP_API_TEST_LEVEL}" >> ${GITHUB_ENV}
          echo "RAGFLOW_CONTAINER=${GITHUB_RUN_ID}-ragflow-cpu-1" >> ${GITHUB_ENV}

-      - name: Start ragflow:nightly
+      - name: Run unit test
+        run: |
+          uv sync --python 3.12 --group test --frozen
+          source .venv/bin/activate
+          which pytest || echo "pytest not in PATH"
+          echo "Start to run unit test"
+          python3 run_tests.py -i
+
+      - name: Prepare function test environment
+        working-directory: docker
        run: |
          # Determine runner number (default to 1 if not found)
-          RUNNER_NUM=$(sudo docker inspect $(hostname) --format '{{index .Config.Labels "com.docker.compose.container-number"}}' 2>/dev/null || true)
-          RUNNER_NUM=${RUNNER_NUM:-1}
+               RUNNER_NUM=$(sudo docker inspect $(hostname) --format '{{index .Config.Labels "com.docker.compose.container-number"}}' 2>/dev/null || true)
+               RUNNER_NUM=${RUNNER_NUM:-1}

          # Compute port numbers using bash arithmetic
-          ES_PORT=$((1200 + RUNNER_NUM * 10))
-          OS_PORT=$((1201 + RUNNER_NUM * 10))
-          INFINITY_THRIFT_PORT=$((23817 + RUNNER_NUM * 10))
-          INFINITY_HTTP_PORT=$((23820 + RUNNER_NUM * 10))
-          INFINITY_PSQL_PORT=$((5432 + RUNNER_NUM * 10))
-          MYSQL_PORT=$((5455 + RUNNER_NUM * 10))
-          MINIO_PORT=$((9000 + RUNNER_NUM * 10))
-          MINIO_CONSOLE_PORT=$((9001 + RUNNER_NUM * 10))
-          REDIS_PORT=$((6379 + RUNNER_NUM * 10))
-          TEI_PORT=$((6380 + RUNNER_NUM * 10))
-          KIBANA_PORT=$((6601 + RUNNER_NUM * 10))
-          SVR_HTTP_PORT=$((9380 + RUNNER_NUM * 10))
-          ADMIN_SVR_HTTP_PORT=$((9381 + RUNNER_NUM * 10))
-          SVR_MCP_PORT=$((9382 + RUNNER_NUM * 10))
-          SANDBOX_EXECUTOR_MANAGER_PORT=$((9385 + RUNNER_NUM * 10))
-          SVR_WEB_HTTP_PORT=$((80 + RUNNER_NUM * 10))
-          SVR_WEB_HTTPS_PORT=$((443 + RUNNER_NUM * 10))
+               ES_PORT=$((1200 + RUNNER_NUM * 10))
+               OS_PORT=$((1201 + RUNNER_NUM * 10))
+               INFINITY_THRIFT_PORT=$((23817 + RUNNER_NUM * 10))
+               INFINITY_HTTP_PORT=$((23820 + RUNNER_NUM * 10))
+               INFINITY_PSQL_PORT=$((5432 + RUNNER_NUM * 10))
+               EXPOSE_MYSQL_PORT=$((5455 + RUNNER_NUM * 10))
+               MINIO_PORT=$((9000 + RUNNER_NUM * 10))
+               MINIO_CONSOLE_PORT=$((9001 + RUNNER_NUM * 10))
+               REDIS_PORT=$((6379 + RUNNER_NUM * 10))
+               TEI_PORT=$((6380 + RUNNER_NUM * 10))
+               KIBANA_PORT=$((6601 + RUNNER_NUM * 10))
+               SVR_HTTP_PORT=$((9380 + RUNNER_NUM * 10))
+               ADMIN_SVR_HTTP_PORT=$((9381 + RUNNER_NUM * 10))
+               SVR_MCP_PORT=$((9382 + RUNNER_NUM * 10))
+               GO_HTTP_PORT=$((9384 + RUNNER_NUM * 10))
+               GO_ADMIN_PORT=$((9383 + RUNNER_NUM * 10))
+               SANDBOX_EXECUTOR_MANAGER_PORT=$((9385 + RUNNER_NUM * 10))
+               SVR_WEB_HTTP_PORT=$((80 + RUNNER_NUM * 10))
+               SVR_WEB_HTTPS_PORT=$((443 + RUNNER_NUM * 10))

-          # Persist computed ports into docker/.env so docker-compose uses the correct host bindings
-          echo "" >> docker/.env
-          echo -e "ES_PORT=${ES_PORT}" >> docker/.env
-          echo -e "OS_PORT=${OS_PORT}" >> docker/.env
-          echo -e "INFINITY_THRIFT_PORT=${INFINITY_THRIFT_PORT}" >> docker/.env
-          echo -e "INFINITY_HTTP_PORT=${INFINITY_HTTP_PORT}" >> docker/.env
-          echo -e "INFINITY_PSQL_PORT=${INFINITY_PSQL_PORT}" >> docker/.env
-          echo -e "MYSQL_PORT=${MYSQL_PORT}" >> docker/.env
-          echo -e "MINIO_PORT=${MINIO_PORT}" >> docker/.env
-          echo -e "MINIO_CONSOLE_PORT=${MINIO_CONSOLE_PORT}" >> docker/.env
-          echo -e "REDIS_PORT=${REDIS_PORT}" >> docker/.env
-          echo -e "TEI_PORT=${TEI_PORT}" >> docker/.env
-          echo -e "KIBANA_PORT=${KIBANA_PORT}" >> docker/.env
-          echo -e "SVR_HTTP_PORT=${SVR_HTTP_PORT}" >> docker/.env
-          echo -e "ADMIN_SVR_HTTP_PORT=${ADMIN_SVR_HTTP_PORT}" >> docker/.env
-          echo -e "SVR_MCP_PORT=${SVR_MCP_PORT}" >> docker/.env
-          echo -e "SANDBOX_EXECUTOR_MANAGER_PORT=${SANDBOX_EXECUTOR_MANAGER_PORT}" >> docker/.env
-          echo -e "SVR_WEB_HTTP_PORT=${SVR_WEB_HTTP_PORT}" >> docker/.env
-          echo -e "SVR_WEB_HTTPS_PORT=${SVR_WEB_HTTPS_PORT}" >> docker/.env
+          # Persist computed ports into .env so docker-compose uses the correct host bindings
+               echo "" >> .env
+               echo -e "ES_PORT=${ES_PORT}" >> .env
+               echo -e "OS_PORT=${OS_PORT}" >> .env
+               echo -e "INFINITY_THRIFT_PORT=${INFINITY_THRIFT_PORT}" >> .env
+               echo -e "INFINITY_HTTP_PORT=${INFINITY_HTTP_PORT}" >> .env
+               echo -e "INFINITY_PSQL_PORT=${INFINITY_PSQL_PORT}" >> .env
+               echo -e "EXPOSE_MYSQL_PORT=${EXPOSE_MYSQL_PORT}" >> .env
+               echo -e "MINIO_PORT=${MINIO_PORT}" >> .env
+               echo -e "MINIO_CONSOLE_PORT=${MINIO_CONSOLE_PORT}" >> .env
+               echo -e "REDIS_PORT=${REDIS_PORT}" >> .env
+               echo -e "TEI_PORT=${TEI_PORT}" >> .env
+               echo -e "KIBANA_PORT=${KIBANA_PORT}" >> .env
+               echo -e "SVR_HTTP_PORT=${SVR_HTTP_PORT}" >> .env
+               echo -e "ADMIN_SVR_HTTP_PORT=${ADMIN_SVR_HTTP_PORT}" >> .env
+               echo -e "SVR_MCP_PORT=${SVR_MCP_PORT}" >> .env
+               echo -e "GO_HTTP_PORT=${GO_HTTP_PORT}" >> .env
+               echo -e "GO_ADMIN_PORT=${GO_ADMIN_PORT}" >> .env
+               echo -e "SANDBOX_EXECUTOR_MANAGER_PORT=${SANDBOX_EXECUTOR_MANAGER_PORT}" >> .env
+               echo -e "SVR_WEB_HTTP_PORT=${SVR_WEB_HTTP_PORT}" >> .env
+               echo -e "SVR_WEB_HTTPS_PORT=${SVR_WEB_HTTPS_PORT}" >> .env
+               
+               echo -e "COMPOSE_PROFILES=\${COMPOSE_PROFILES},tei-cpu" >> .env
+               echo -e "TEI_MODEL=BAAI/bge-small-en-v1.5" >> .env
+               echo -e "RAGFLOW_IMAGE=${RAGFLOW_IMAGE}" >> .env
+               echo "HOST_ADDRESS=http://host.docker.internal:${SVR_HTTP_PORT}" >> ${GITHUB_ENV}

-          echo -e "COMPOSE_PROFILES=\${COMPOSE_PROFILES},tei-cpu" >> docker/.env
-          echo -e "TEI_MODEL=BAAI/bge-small-en-v1.5" >> docker/.env
-          echo -e "RAGFLOW_IMAGE=${RAGFLOW_IMAGE}" >> docker/.env
-          echo "HOST_ADDRESS=http://host.docker.internal:${SVR_HTTP_PORT}" >> ${GITHUB_ENV}
+               # Patch entrypoint.sh for coverage
+               sed -i '/"\$PY" api\/ragflow_server.py \${INIT_SUPERUSER_ARGS} &/c\   echo "Ensuring coverage is installed..."\n      "$PY" -m pip install coverage -i https://mirrors.aliyun.com/pypi/simple\n     export COVERAGE_FILE=/ragflow/logs/.coverage\n        echo "Starting ragflow_server with coverage..."\n        "$PY" -m coverage run --source=./api/apps --omit="*/tests/*,*/migrations/*" -a api/ragflow_server.py ${INIT_SUPERUSER_ARGS} &' ./entrypoint.sh
+               cd ..
+               uv sync --python 3.12 --group test --frozen && uv pip install -e sdk/python

-          sudo docker compose -f docker/docker-compose.yml -p ${GITHUB_RUN_ID} up -d
-          uv sync --python 3.12 --only-group test --no-default-groups --frozen && uv pip install sdk/python --group test

-      - name: Run sdk tests against Elasticsearch
+      - name: Start ragflow:nightly for Infinity
        run: |
-          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
-          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null; do
-            echo "Waiting for service to be available..."
-            sleep 5
-          done
-          source .venv/bin/activate && set -o pipefail; pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} test/testcases/test_sdk_api 2>&1 | tee es_sdk_test.log
-
-      - name: Run frontend api tests against Elasticsearch
-        run: |
-          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
-          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null; do
-            echo "Waiting for service to be available..."
-            sleep 5
-          done
-          source .venv/bin/activate && set -o pipefail; pytest -s --tb=short sdk/python/test/test_frontend_api/get_email.py sdk/python/test/test_frontend_api/test_dataset.py 2>&1 | tee es_api_test.log
-          
-      - name: Run http api tests against Elasticsearch
-        run: |
-          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
-          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null; do
-            echo "Waiting for service to be available..."
-            sleep 5
-          done
-          source .venv/bin/activate && set -o pipefail; pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} test/testcases/test_http_api 2>&1 | tee es_http_api_test.log
-
-      - name: Stop ragflow:nightly
-        if: always()  # always run this step even if previous steps failed
-        run: |
-          sudo docker compose -f docker/docker-compose.yml -p ${GITHUB_RUN_ID} down -v || true
-          sudo docker ps -a --filter "label=com.docker.compose.project=${GITHUB_RUN_ID}" -q | xargs -r sudo docker rm -f
-
-      - name: Start ragflow:nightly
-        run: |
-          sed -i '1i DOC_ENGINE=infinity' docker/.env
+          sed -i 's/^DOC_ENGINE=.*$/DOC_ENGINE=infinity/' docker/.env
          sudo docker compose -f docker/docker-compose.yml -p ${GITHUB_RUN_ID} up -d

      - name: Run sdk tests against Infinity
        run: |
          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
-          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null; do
-            echo "Waiting for service to be available..."
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
            sleep 5
          done
-          source .venv/bin/activate && set -o pipefail; DOC_ENGINE=infinity pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} test/testcases/test_sdk_api 2>&1 | tee infinity_sdk_test.log
+          echo "Start to run test sdk on Infinity"
+          source .venv/bin/activate && set -o pipefail; DOC_ENGINE=infinity pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} --junitxml=pytest-infinity-sdk.xml --cov=sdk/python/ragflow_sdk --cov-branch --cov-report=xml:coverage-infinity-sdk.xml test/testcases/test_sdk_api 2>&1 | tee infinity_sdk_test.log

-      - name: Run frontend api tests against Infinity
+      - name: Run web api tests against Infinity
        run: |
          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
-          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null; do
-            echo "Waiting for service to be available..."
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
            sleep 5
          done
-          source .venv/bin/activate && set -o pipefail; DOC_ENGINE=infinity pytest -s --tb=short sdk/python/test/test_frontend_api/get_email.py sdk/python/test/test_frontend_api/test_dataset.py 2>&1 | tee infinity_api_test.log
+          source .venv/bin/activate && set -o pipefail; DOC_ENGINE=infinity pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} test/testcases/test_web_api/test_chunk_feedback 2>&1 | tee infinity_web_api_test.log

      - name: Run http api tests against Infinity
        run: |
          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
-          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null; do
-            echo "Waiting for service to be available..."
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
            sleep 5
          done
          source .venv/bin/activate && set -o pipefail; DOC_ENGINE=infinity pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} test/testcases/test_http_api 2>&1 | tee infinity_http_api_test.log

-      - name: Stop ragflow:nightly
+      - name: RAGFlow CLI retrieval test Infinity
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          source .venv/bin/activate
+
+          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
+
+          EMAIL="ci-${GITHUB_RUN_ID}@example.com"
+          PASS="ci-pass-${GITHUB_RUN_ID}"
+          DATASET="ci_dataset_${GITHUB_RUN_ID}"
+
+          CLI="python admin/client/ragflow_cli.py"
+
+          LOG_FILE="infinity_cli_test.log"
+          : > "${LOG_FILE}"
+
+          ERROR_RE='Traceback|ModuleNotFoundError|ImportError|Parse error|Bad response|Fail to|code:\\s*[1-9]'
+          run_cli() {
+            local logfile="$1"
+            shift
+            local allow_re=""
+            if [[ "${1:-}" == "--allow" ]]; then
+              allow_re="$2"
+              shift 2
+            fi
+            local cmd_display="$*"
+            echo "===== $(date -u +\"%Y-%m-%dT%H:%M:%SZ\") CMD: ${cmd_display} =====" | tee -a "${logfile}"
+            local tmp_log
+            tmp_log="$(mktemp)"
+            set +e
+            timeout 500s "$@" 2>&1 | tee "${tmp_log}"
+            local status=${PIPESTATUS[0]}
+            set -e
+            cat "${tmp_log}" >> "${logfile}"
+            if grep -qiE "${ERROR_RE}" "${tmp_log}"; then
+              if [[ -n "${allow_re}" ]] && grep -qiE "${allow_re}" "${tmp_log}"; then
+                echo "Allowed CLI error markers in ${logfile}"
+                rm -f "${tmp_log}"
+                return 0
+              fi
+              echo "Detected CLI error markers in ${logfile}"
+              rm -f "${tmp_log}"
+              exit 1
+            fi
+            rm -f "${tmp_log}"
+            return ${status}
+          }
+
+          set -a
+          source docker/.env
+          set +a
+
+          HOST_ADDRESS="http://host.docker.internal:${SVR_HTTP_PORT}"
+          USER_HOST="$(echo "${HOST_ADDRESS}" | sed -E 's#^https?://([^:/]+).*#\1#')"
+          USER_PORT="${SVR_HTTP_PORT}"
+          ADMIN_HOST="${USER_HOST}"
+          ADMIN_PORT="${ADMIN_SVR_HTTP_PORT}"
+
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
+            sleep 5
+          done
+
+          admin_ready=0
+          for i in $(seq 1 30); do
+            if run_cli "${LOG_FILE}" $CLI --type admin --host "$ADMIN_HOST" --port "$ADMIN_PORT" --username "admin@ragflow.io" --password "admin" command "ping"; then
+              admin_ready=1
+              break
+            fi
+            sleep 1
+          done
+          if [[ "${admin_ready}" -ne 1 ]]; then
+            echo "Admin service did not become ready"
+            exit 1
+          fi
+
+          run_cli "${LOG_FILE}" $CLI --type admin --host "$ADMIN_HOST" --port "$ADMIN_PORT" --username "admin@ragflow.io" --password "admin" command "show version"
+          ALLOW_USER_EXISTS_RE='already exists|already exist|duplicate|already.*registered|exist(s)?'
+          run_cli "${LOG_FILE}" --allow "${ALLOW_USER_EXISTS_RE}" $CLI --type admin --host "$ADMIN_HOST" --port "$ADMIN_PORT" --username "admin@ragflow.io" --password "admin" command "create user '$EMAIL' '$PASS'"
+
+          user_ready=0
+          for i in $(seq 1 30); do
+            if run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "ping"; then
+              user_ready=1
+              break
+            fi
+            sleep 1
+          done
+          if [[ "${user_ready}" -ne 1 ]]; then
+            echo "User service did not become ready"
+            exit 1
+          fi
+
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "show version"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "create dataset '$DATASET' with embedding 'BAAI/bge-small-en-v1.5@Builtin' parser 'auto'"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "import 'test/benchmark/test_docs/Doc1.pdf,test/benchmark/test_docs/Doc2.pdf' into dataset '$DATASET'"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "parse dataset '$DATASET' sync"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "Benchmark 16 100 search 'what are these documents about' on datasets '$DATASET'"
+
+      - name: Stop ragflow to save coverage Infinity
+        if: ${{ !cancelled() }}
+        run: |
+          # Send SIGINT to ragflow_server.py to trigger coverage save
+          PID=$(sudo docker exec ${RAGFLOW_CONTAINER} ps aux | grep "ragflow_server.py" | grep -v grep | awk '{print $2}' | head -n 1)
+          if [ -n "$PID" ]; then
+            echo "Sending SIGINT to ragflow_server.py (PID: $PID)..."
+            sudo docker exec ${RAGFLOW_CONTAINER} kill -INT $PID
+            # Wait for process to exit and coverage file to be written
+            sleep 10
+          else
+            echo "ragflow_server.py not found!"
+          fi
+          sudo docker compose -f docker/docker-compose.yml -p ${GITHUB_RUN_ID} stop
+
+      - name: Generate server coverage report Infinity
+        if: ${{ !cancelled() }}
+        run: |
+          # .coverage file should be in docker/ragflow-logs/.coverage
+          if [ -f docker/ragflow-logs/.coverage ]; then
+            echo "Found .coverage file"
+            cp docker/ragflow-logs/.coverage .coverage
+            source .venv/bin/activate
+            # Create .coveragerc to map container paths to host paths
+            echo "[paths]" > .coveragerc
+            echo "source =" >> .coveragerc
+            echo "    ." >> .coveragerc
+            echo "    /ragflow" >> .coveragerc
+            coverage xml -o coverage-infinity-server.xml
+            rm .coveragerc
+          else
+            echo ".coverage file not found!"
+          fi
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v5
+        if: ${{ !cancelled() }}
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false
+
+      - name: Collect ragflow log Infinity
+        if: ${{ !cancelled() }}
+        run: |
+          if [ -d docker/ragflow-logs ]; then
+            cp -r docker/ragflow-logs ${ARTIFACTS_DIR}/ragflow-logs-infinity
+            echo "ragflow log" && tail -n 200 docker/ragflow-logs/ragflow_server.log || true
+          else
+            echo "No docker/ragflow-logs directory found; skipping log collection"
+          fi
+          sudo rm -rf docker/ragflow-logs || true
+
+      - name: Stop ragflow:nightly for Infinity
+        if: always()  # always run this step even if previous steps failed
+        run: |
+          # Sometimes `docker compose down` fail due to hang container, heavy load etc. Need to remove such containers to release resources(for example, listen ports).
+          sudo docker compose -f docker/docker-compose.yml -p ${GITHUB_RUN_ID} down -v || true
+          sudo docker ps -a --filter "label=com.docker.compose.project=${GITHUB_RUN_ID}" -q | xargs -r sudo docker rm -f
+
+      - name: Start ragflow:nightly for Elasticsearch
+        run: |
+          sed -i 's/^DOC_ENGINE=.*$/DOC_ENGINE=elasticsearch/' docker/.env
+          sudo docker compose -f docker/docker-compose.yml -p ${GITHUB_RUN_ID} up -d
+
+      - name: Run sdk tests against Elasticsearch
+        run: |
+          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
+            sleep 5
+          done
+          echo "Start to run test sdk on Elasticsearch"
+          source .venv/bin/activate && set -o pipefail; pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} --junitxml=pytest-infinity-sdk.xml --cov=sdk/python/ragflow_sdk --cov-branch --cov-report=xml:coverage-es-sdk.xml test/testcases/test_sdk_api 2>&1 | tee es_sdk_test.log
+
+      - name: Run web api tests against Elasticsearch
+        run: |
+          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
+            sleep 5
+          done
+          source .venv/bin/activate && set -o pipefail; pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} test/testcases/test_web_api 2>&1 | tee es_web_api_test.log
+
+      - name: Run http api tests against Elasticsearch
+        run: |
+          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
+            sleep 5
+          done
+          source .venv/bin/activate && set -o pipefail; pytest -s --tb=short --level=${HTTP_API_TEST_LEVEL} test/testcases/test_http_api 2>&1 | tee es_http_api_test.log
+
+      - name: RAGFlow CLI retrieval test Elasticsearch
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          source .venv/bin/activate
+
+          export http_proxy=""; export https_proxy=""; export no_proxy=""; export HTTP_PROXY=""; export HTTPS_PROXY=""; export NO_PROXY=""
+
+          EMAIL="ci-${GITHUB_RUN_ID}@example.com"
+          PASS="ci-pass-${GITHUB_RUN_ID}"
+          DATASET="ci_dataset_${GITHUB_RUN_ID}"
+
+          CLI="python admin/client/ragflow_cli.py"
+
+          LOG_FILE="es_cli_test.log"
+          : > "${LOG_FILE}"
+
+          ERROR_RE='Traceback|ModuleNotFoundError|ImportError|Parse error|Bad response|Fail to|code:\\s*[1-9]'
+          run_cli() {
+            local logfile="$1"
+            shift
+            local allow_re=""
+            if [[ "${1:-}" == "--allow" ]]; then
+              allow_re="$2"
+              shift 2
+            fi
+            local cmd_display="$*"
+            echo "===== $(date -u +\"%Y-%m-%dT%H:%M:%SZ\") CMD: ${cmd_display} =====" | tee -a "${logfile}"
+            local tmp_log
+            tmp_log="$(mktemp)"
+            set +e
+            timeout 500s "$@" 2>&1 | tee "${tmp_log}"
+            local status=${PIPESTATUS[0]}
+            set -e
+            cat "${tmp_log}" >> "${logfile}"
+            if grep -qiE "${ERROR_RE}" "${tmp_log}"; then
+              if [[ -n "${allow_re}" ]] && grep -qiE "${allow_re}" "${tmp_log}"; then
+                echo "Allowed CLI error markers in ${logfile}"
+                rm -f "${tmp_log}"
+                return 0
+              fi
+              echo "Detected CLI error markers in ${logfile}"
+              rm -f "${tmp_log}"
+              exit 1
+            fi
+            rm -f "${tmp_log}"
+            return ${status}
+          }
+
+          set -a
+          source docker/.env
+          set +a
+
+          HOST_ADDRESS="http://host.docker.internal:${SVR_HTTP_PORT}"
+          USER_HOST="$(echo "${HOST_ADDRESS}" | sed -E 's#^https?://([^:/]+).*#\1#')"
+          USER_PORT="${SVR_HTTP_PORT}"
+          ADMIN_HOST="${USER_HOST}"
+          ADMIN_PORT="${ADMIN_SVR_HTTP_PORT}"
+
+          until sudo docker exec ${RAGFLOW_CONTAINER} curl -s --connect-timeout 5 ${HOST_ADDRESS}/v1/system/ping > /dev/null 2>&1; do
+            echo "Waiting for service to be available... (last exit code: $?)"
+            sleep 5
+          done
+
+          admin_ready=0
+          for i in $(seq 1 30); do
+            if run_cli "${LOG_FILE}" $CLI --type admin --host "$ADMIN_HOST" --port "$ADMIN_PORT" --username "admin@ragflow.io" --password "admin" command "ping"; then
+              admin_ready=1
+              break
+            fi
+            sleep 1
+          done
+          if [[ "${admin_ready}" -ne 1 ]]; then
+            echo "Admin service did not become ready"
+            exit 1
+          fi
+
+          run_cli "${LOG_FILE}" $CLI --type admin --host "$ADMIN_HOST" --port "$ADMIN_PORT" --username "admin@ragflow.io" --password "admin" command "show version"
+          ALLOW_USER_EXISTS_RE='already exists|already exist|duplicate|already.*registered|exist(s)?'
+          run_cli "${LOG_FILE}" --allow "${ALLOW_USER_EXISTS_RE}" $CLI --type admin --host "$ADMIN_HOST" --port "$ADMIN_PORT" --username "admin@ragflow.io" --password "admin" command "create user '$EMAIL' '$PASS'"
+
+          user_ready=0
+          for i in $(seq 1 30); do
+            if run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "ping"; then
+              user_ready=1
+              break
+            fi
+            sleep 1
+          done
+          if [[ "${user_ready}" -ne 1 ]]; then
+            echo "User service did not become ready"
+            exit 1
+          fi
+
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "show version"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "create dataset '$DATASET' with embedding 'BAAI/bge-small-en-v1.5@Builtin' parser 'auto'"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "import 'test/benchmark/test_docs/Doc1.pdf,test/benchmark/test_docs/Doc2.pdf' into dataset '$DATASET'"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "parse dataset '$DATASET' sync"
+          run_cli "${LOG_FILE}" $CLI --type user --host "$USER_HOST" --port "$USER_PORT" --username "$EMAIL" --password "$PASS" command "Benchmark 16 100 search 'what are these documents about' on datasets '$DATASET'"
+
+      - name: Stop ragflow to save coverage Elasticsearch
+        if: ${{ !cancelled() }}
+        run: |
+          # Send SIGINT to ragflow_server.py to trigger coverage save
+          PID=$(sudo docker exec ${RAGFLOW_CONTAINER} ps aux | grep "ragflow_server.py" | grep -v grep | awk '{print $2}' | head -n 1)
+          if [ -n "$PID" ]; then
+            echo "Sending SIGINT to ragflow_server.py (PID: $PID)..."
+            sudo docker exec ${RAGFLOW_CONTAINER} kill -INT $PID
+            # Wait for process to exit and coverage file to be written
+            sleep 10
+          else
+            echo "ragflow_server.py not found!"
+          fi
+          sudo docker compose -f docker/docker-compose.yml -p ${GITHUB_RUN_ID} stop
+
+      - name: Generate server coverage report Elasticsearch
+        if: ${{ !cancelled() }}
+        run: |
+          # .coverage file should be in docker/ragflow-logs/.coverage
+          if [ -f docker/ragflow-logs/.coverage ]; then
+            echo "Found .coverage file"
+            cp docker/ragflow-logs/.coverage .coverage
+            source .venv/bin/activate
+            # Create .coveragerc to map container paths to host paths
+            echo "[paths]" > .coveragerc
+            echo "source =" >> .coveragerc
+            echo "    ." >> .coveragerc
+            echo "    /ragflow" >> .coveragerc
+            coverage xml -o coverage-es-server.xml
+            rm .coveragerc
+            # Clean up for next run
+            sudo rm docker/ragflow-logs/.coverage
+          else
+            echo ".coverage file not found!"
+          fi
+          
+      - name: Collect ragflow log Elasticsearch
+        if: ${{ !cancelled() }}
+        run: |
+          if [ -d docker/ragflow-logs ]; then
+            cp -r docker/ragflow-logs ${ARTIFACTS_DIR}/ragflow-logs-es
+            echo "ragflow log" && tail -n 200 docker/ragflow-logs/ragflow_server.log || true
+          else
+            echo "No docker/ragflow-logs directory found; skipping log collection"
+          fi
+          sudo rm -rf docker/ragflow-logs || true
+
+      - name: Stop ragflow:nightly for Elasticsearch
        if: always()  # always run this step even if previous steps failed
        run: |
          # Sometimes `docker compose down` fail due to hang container, heavy load etc. Need to remove such containers to release resources(for example, listen ports).
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,7 @@ hudet/
 cv/
 layout_app.py
 api/flask_session
-
+venv/
 # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
 # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
 Cargo.lock
@@ -44,6 +44,7 @@ cl100k_base.tiktoken
 chrome*
 huggingface.co/
 nltk_data/
+uv-x86_64*.tar.gz

 # Exclude hash-like temporary files like 9b5ad71b2ce5302211f9c61530b329a4922fc6a4
 *[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]*
@@ -51,6 +52,13 @@ nltk_data/
 .venv
 docker/data

+# OceanBase data and conf
+docker/oceanbase/conf
+docker/oceanbase/data
+
+# SeekDB data and conf
+docker/seekdb
+

 #--------------------------------------------------#
 # The following was generated with gitignore.nvim: #
@@ -197,4 +205,30 @@ ragflow_cli.egg-info
 backup


-.hypothesis
+*huqie.txt
+
+.hypothesis
+
+
+# Added by cargo
+
+/target
+
+# Do not include in PR (local dev / build artifacts)
+ragflow.egg-info/
+uv-aarch64*.tar.gz
+uv-aarch64-unknown-linux-gnu.tar.gz
+docker/launch_backend_service_windows.sh
+
+# C++ build directories
+internal/cpp/build/
+internal/cpp/cmake-build-release/
+internal/cpp/cmake-build-debug/
+
+# Trae IDE config
+.trae/
+
+# Go server build output
+bin/*
+!bin/.gitkeep
+.claude/settings.local.json
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -35,7 +35,7 @@ The project uses **uv** for dependency management.
 1. **Setup Environment**:
   ```bash
   uv sync --python 3.12 --all-extras
-   uv run download_deps.py
+   uv run python3 download_deps.py
   ```

 2. **Run Server**:
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -5,14 +5,16 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 ## Project Overview

 RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. It's a full-stack application with:
+
 - Python backend (Flask-based API server)
- React/TypeScript frontend (built with UmiJS)
+- React/TypeScript frontend (built with vitejs)
 - Microservices architecture with Docker deployment
 - Multiple data stores (MySQL, Elasticsearch/Infinity, Redis, MinIO)

 ## Architecture

 ### Backend (`/api/`)
+
 - **Main Server**: `api/ragflow_server.py` - Flask application entry point
 - **Apps**: Modular Flask blueprints in `api/apps/` for different functionalities:
  - `kb_app.py` - Knowledge base management
@@ -24,29 +26,33 @@ RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on d
 - **Models**: Database models in `api/db/db_models.py`

 ### Core Processing (`/rag/`)
+
 - **Document Processing**: `deepdoc/` - PDF parsing, OCR, layout analysis
 - **LLM Integration**: `rag/llm/` - Model abstractions for chat, embedding, reranking
 - **RAG Pipeline**: `rag/flow/` - Chunking, parsing, tokenization
- **Graph RAG**: `graphrag/` - Knowledge graph construction and querying
+- **Graph RAG**: `rag/graphrag/` - Knowledge graph construction and querying

 ### Agent System (`/agent/`)
+
 - **Components**: Modular workflow components (LLM, retrieval, categorize, etc.)
 - **Templates**: Pre-built agent workflows in `agent/templates/`
 - **Tools**: External API integrations (Tavily, Wikipedia, SQL execution, etc.)

 ### Frontend (`/web/`)
- React/TypeScript with UmiJS framework
- Ant Design + shadcn/ui components
+
+- React/TypeScript with vitejs framework
+- shadcn/ui components
 - State management with Zustand
 - Tailwind CSS for styling

 ## Common Development Commands

 ### Backend Development
+
 ```bash
 # Install Python dependencies
 uv sync --python 3.12 --all-extras
-uv run download_deps.py
+uv run python3 download_deps.py
 pre-commit install

 # Start dependent services
@@ -66,6 +72,7 @@ ruff format
 ```

 ### Frontend Development
+
 ```bash
 cd web
 npm install
@@ -76,6 +83,7 @@ npm run test       # Jest tests
 ```

 ### Docker Development
+
 ```bash
 # Full stack with Docker
 cd docker
@@ -104,6 +112,7 @@ docker build --platform linux/amd64 -f Dockerfile -t infiniflow/ragflow:nightly
 ## Database Engines

 RAGFlow supports switching between Elasticsearch (default) and Infinity:
+
 - Set `DOC_ENGINE=infinity` in `docker/.env` to use Infinity
 - Requires container restart: `docker compose down -v && docker compose up -d`

@@ -113,4 +122,13 @@ RAGFlow supports switching between Elasticsearch (default) and Infinity:
 - Node.js >=18.20.4
 - Docker & Docker Compose
 - uv package manager
- 16GB+ RAM, 50GB+ disk space
+- 16GB+ RAM, 50GB+ disk space
+
+1. Think before acting. Read existing files before writing code.
+2. Be concise in output but thorough in reasoning.
+3. Prefer editing over rewriting whole files.
+4. Do not re-read files you have already read.
+5. Test your code before declaring done.
+6. No sycophantic openers or closing fluff.
+7. Keep solutions simple and direct.
+8. User instructions always override this file.
--- a/103
+++ b/103
@@ -7,7 +7,7 @@ ARG NEED_MIRROR=0

 WORKDIR /ragflow

-# Copy models downloaded via download_deps.py
+# copy models downloaded via download_deps.py
 RUN mkdir -p /ragflow/rag/res/deepdoc /root/.ragflow
 RUN --mount=type=bind,from=infiniflow/ragflow_deps:latest,source=/huggingface.co,target=/huggingface.co \
    tar --exclude='.*' -cf - \
@@ -19,41 +19,50 @@ RUN --mount=type=bind,from=infiniflow/ragflow_deps:latest,source=/huggingface.co
 # This is the only way to run python-tika without internet access. Without this set, the default is to check the tika version and pull latest every time from Apache.
 RUN --mount=type=bind,from=infiniflow/ragflow_deps:latest,source=/,target=/deps \
    cp -r /deps/nltk_data /root/ && \
-    cp /deps/tika-server-standard-3.0.0.jar /deps/tika-server-standard-3.0.0.jar.md5 /ragflow/ && \
+    cp /deps/tika-server-standard-3.3.0.jar /deps/tika-server-standard-3.3.0.jar.md5 /ragflow/ && \
    cp /deps/cl100k_base.tiktoken /ragflow/9b5ad71b2ce5302211f9c61530b329a4922fc6a4

-ENV TIKA_SERVER_JAR="file:///ragflow/tika-server-standard-3.0.0.jar"
+ENV TIKA_SERVER_JAR="file:///ragflow/tika-server-standard-3.3.0.jar"
 ENV DEBIAN_FRONTEND=noninteractive

 # Setup apt
 # Python package and implicit dependencies:
 # opencv-python: libglib2.0-0 libglx-mesa0 libgl1
-# aspose-slides: pkg-config libicu-dev libgdiplus         libssl1.1_1.1.1f-1ubuntu2_amd64.deb
-# python-pptx:   default-jdk                              tika-server-standard-3.0.0.jar
+# python-pptx:   default-jdk                              tika-server-standard-3.3.0.jar
 # selenium:      libatk-bridge2.0-0                       chrome-linux64-121-0-6167-85
 # Building C extensions: libpython3-dev libgtk-4-1 libnss3 xdg-utils libgbm-dev
 RUN --mount=type=cache,id=ragflow_apt,target=/var/cache/apt,sharing=locked \
    apt update && \
    apt --no-install-recommends install -y ca-certificates; \
    if [ "$NEED_MIRROR" == "1" ]; then \
-        sed -i 's|http://archive.ubuntu.com/ubuntu|https://mirrors.tuna.tsinghua.edu.cn/ubuntu|g' /etc/apt/sources.list.d/ubuntu.sources; \
-        sed -i 's|http://security.ubuntu.com/ubuntu|https://mirrors.tuna.tsinghua.edu.cn/ubuntu|g' /etc/apt/sources.list.d/ubuntu.sources; \
+        sed -i 's|http://archive.ubuntu.com/ubuntu|https://mirrors.aliyun.com/ubuntu|g' /etc/apt/sources.list.d/ubuntu.sources; \
+        sed -i 's|http://security.ubuntu.com/ubuntu|https://mirrors.aliyun.com/ubuntu|g' /etc/apt/sources.list.d/ubuntu.sources; \
    fi; \
    rm -f /etc/apt/apt.conf.d/docker-clean && \
    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache && \
    chmod 1777 /tmp && \
    apt update && \
-    apt install -y libglib2.0-0 libglx-mesa0 libgl1 && \
-    apt install -y pkg-config libicu-dev libgdiplus && \
-    apt install -y default-jdk && \
-    apt install -y libatk-bridge2.0-0 && \
-    apt install -y libpython3-dev libgtk-4-1 libnss3 xdg-utils libgbm-dev && \
-    apt install -y libjemalloc-dev && \
-    apt install -y nginx unzip curl wget git vim less && \
-    apt install -y ghostscript && \
-    apt install -y pandoc && \
-    apt install -y texlive && \
-    apt install -y fonts-freefont-ttf fonts-noto-cjk
+    apt install -y \
+    build-essential libglib2.0-0 libglx-mesa0 libgl1 pkg-config libicu-dev libgdiplus default-jdk libatk-bridge2.0-0 libpython3-dev libgtk-4-1 libnss3 xdg-utils libgbm-dev libjemalloc-dev gnupg unzip curl wget git vim less ghostscript pandoc texlive texlive-latex-extra texlive-xetex texlive-lang-chinese fonts-freefont-ttf fonts-noto-cjk postgresql-client
+
+# Download resource from GitHub to /usr/share/infinity
+RUN mkdir -p /usr/share/infinity/resource && \
+    if [ "$NEED_MIRROR" == "1" ]; then \
+        git clone --depth 1 --single-branch https://gitee.com/infiniflow/resource /tmp/resource; \
+    else \
+        git clone --depth 1 --single-branch https://github.com/infiniflow/resource.git /tmp/resource; \
+    fi && \
+    cp -r /tmp/resource/* /usr/share/infinity/resource && \
+    rm -rf /tmp/resource
+
+ARG NGINX_VERSION=1.29.5-1~noble
+RUN --mount=type=cache,id=ragflow_apt,target=/var/cache/apt,sharing=locked \
+    mkdir -p /etc/apt/keyrings && \
+    curl --retry 5 --retry-delay 2 --retry-all-errors -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /etc/apt/keyrings/nginx-archive-keyring.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/ubuntu/ noble nginx" > /etc/apt/sources.list.d/nginx.list && \
+    apt -o Acquire::Retries=5 update && \
+    apt -o Acquire::Retries=5 install -y nginx=${NGINX_VERSION} && \
+    apt-mark hold nginx

 # Install uv
 RUN --mount=type=bind,from=infiniflow/ragflow_deps:latest,source=/,target=/deps \
@@ -61,41 +70,29 @@ RUN --mount=type=bind,from=infiniflow/ragflow_deps:latest,source=/,target=/deps
        mkdir -p /etc/uv && \
        echo 'python-install-mirror = "https://registry.npmmirror.com/-/binary/python-build-standalone/"' > /etc/uv/uv.toml && \
        echo '[[index]]' >> /etc/uv/uv.toml && \
-        echo 'url = "https://pypi.tuna.tsinghua.edu.cn/simple"' >> /etc/uv/uv.toml && \
+        echo 'url = "https://mirrors.aliyun.com/pypi/simple"' >> /etc/uv/uv.toml && \
        echo 'default = true' >> /etc/uv/uv.toml; \
    fi; \
-    tar xzf /deps/uv-x86_64-unknown-linux-gnu.tar.gz \
-    && cp uv-x86_64-unknown-linux-gnu/* /usr/local/bin/ \
-    && rm -rf uv-x86_64-unknown-linux-gnu \
-    && uv python install 3.11
+    arch="$(uname -m)"; \
+    if [ "$arch" = "x86_64" ]; then uv_arch="x86_64"; else uv_arch="aarch64"; fi; \
+    tar xzf "/deps/uv-${uv_arch}-unknown-linux-gnu.tar.gz" \
+    && cp "uv-${uv_arch}-unknown-linux-gnu/"* /usr/local/bin/ \
+    && rm -rf "uv-${uv_arch}-unknown-linux-gnu" \
+    && uv python install 3.12

-ENV PYTHONDONTWRITEBYTECODE=1 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
+ENV PYTHONDONTWRITEBYTECODE=1 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
+    UV_HTTP_TIMEOUT=200 \
+    UV_HTTP_RETRIES=3
 ENV PATH=/root/.local/bin:$PATH

 # nodejs 12.22 on Ubuntu 22.04 is too old
 RUN --mount=type=cache,id=ragflow_apt,target=/var/cache/apt,sharing=locked \
    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
-    apt purge -y nodejs npm cargo && \
+    apt purge -y nodejs npm && \
    apt autoremove -y && \
    apt update && \
    apt install -y nodejs

-# A modern version of cargo is needed for the latest version of the Rust compiler.
-RUN apt update && apt install -y curl build-essential \
-    && if [ "$NEED_MIRROR" == "1" ]; then \
-         # Use TUNA mirrors for rustup/rust dist files \
-         export RUSTUP_DIST_SERVER="https://mirrors.tuna.tsinghua.edu.cn/rustup"; \
-         export RUSTUP_UPDATE_ROOT="https://mirrors.tuna.tsinghua.edu.cn/rustup/rustup"; \
-         echo "Using TUNA mirrors for Rustup."; \
-       fi; \
-    # Force curl to use HTTP/1.1 \
-    curl --proto '=https' --tlsv1.2 --http1.1 -sSf https://sh.rustup.rs | bash -s -- -y --profile minimal \
-    && echo 'export PATH="/root/.cargo/bin:${PATH}"' >> /root/.bashrc
-
-ENV PATH="/root/.cargo/bin:${PATH}"
-
-RUN cargo --version && rustc --version
-
 # Add msssql ODBC driver
 # macOS ARM64 environment, install msodbcsql18.
 # general x86_64 environment, install msodbcsql17.
@@ -125,8 +122,6 @@ RUN --mount=type=bind,from=infiniflow/ragflow_deps:latest,source=/chromedriver-l
    mv chromedriver /usr/local/bin/ && \
    rm -f /usr/bin/google-chrome

-# https://forum.aspose.com/t/aspose-slides-for-net-no-usable-version-of-libssl-found-with-linux-server/271344/13
-# aspose-slides on linux/arm64 is unavailable
 RUN --mount=type=bind,from=infiniflow/ragflow_deps:latest,source=/,target=/deps \
    if [ "$(uname -m)" = "x86_64" ]; then \
        dpkg -i /deps/libssl1.1_1.1.1f-1ubuntu2_amd64.deb; \
@@ -148,16 +143,19 @@ COPY pyproject.toml uv.lock ./
 # uv records index url into uv.lock but doesn't failover among multiple indexes
 RUN --mount=type=cache,id=ragflow_uv,target=/root/.cache/uv,sharing=locked \
    if [ "$NEED_MIRROR" == "1" ]; then \
-        sed -i 's|pypi.org|pypi.tuna.tsinghua.edu.cn|g' uv.lock; \
+        sed -i 's|pypi.org|mirrors.aliyun.com/pypi|g' uv.lock; \
    else \
-        sed -i 's|pypi.tuna.tsinghua.edu.cn|pypi.org|g' uv.lock; \
+        sed -i 's|mirrors.aliyun.com/pypi|pypi.org|g' uv.lock; \
    fi; \
-    uv sync --python 3.12 --frozen
+    uv sync --python 3.12 --frozen && \
+    # Ensure pip is available in the venv for runtime package installation (fixes #12651)
+    .venv/bin/python3 -m ensurepip --upgrade

 COPY web web
 COPY docs docs
 RUN --mount=type=cache,id=ragflow_npm,target=/root/.npm,sharing=locked \
-    cd web && npm install && npm run build
+    cd web && NODE_OPTIONS="--max-old-space-size=8192" npm install && \
+    NODE_OPTIONS="--max-old-space-size=8192" VITE_BUILD_SOURCEMAP=false VITE_MINIFY=esbuild npm run build

 COPY .git /ragflow/.git

@@ -186,18 +184,23 @@ COPY conf conf
 COPY deepdoc deepdoc
 COPY rag rag
 COPY agent agent
-COPY graphrag graphrag
-COPY agentic_reasoning agentic_reasoning
 COPY pyproject.toml uv.lock ./
 COPY mcp mcp
-COPY plugin plugin
 COPY common common
 COPY memory memory
+COPY bin bin

 COPY docker/service_conf.yaml.template ./conf/service_conf.yaml.template
 COPY docker/entrypoint.sh ./
 RUN chmod +x ./entrypoint*.sh

+# Copy nginx configuration for frontend serving
+COPY docker/nginx/ragflow.conf.golang docker/nginx/ragflow.conf.python docker/nginx/ragflow.conf.hybrid docker/nginx/nginx.conf docker/nginx/proxy.conf /etc/nginx/
+RUN mv /etc/nginx/ragflow.conf.golang /etc/nginx/conf.d/ragflow.conf.golang && \
+    mv /etc/nginx/ragflow.conf.python /etc/nginx/conf.d/ragflow.conf.python && \
+    mv /etc/nginx/ragflow.conf.hybrid /etc/nginx/conf.d/ragflow.conf.hybrid && \
+    rm -f /etc/nginx/sites-enabled/default
+
 # Copy compiled web pages
 COPY --from=builder /ragflow/web/dist /ragflow/web/dist

--- a/Dockerfile.deps
+++ b/Dockerfile.deps
@@ -3,7 +3,7 @@
 FROM scratch

 # Copy resources downloaded via download_deps.py
-COPY chromedriver-linux64-121-0-6167-85 chrome-linux64-121-0-6167-85 cl100k_base.tiktoken libssl1.1_1.1.1f-1ubuntu2_amd64.deb libssl1.1_1.1.1f-1ubuntu2_arm64.deb tika-server-standard-3.0.0.jar tika-server-standard-3.0.0.jar.md5 libssl*.deb uv-x86_64-unknown-linux-gnu.tar.gz /
+COPY chromedriver-linux64-121-0-6167-85 chrome-linux64-121-0-6167-85 cl100k_base.tiktoken libssl1.1_1.1.1f-1ubuntu2_amd64.deb libssl1.1_1.1.1f-1ubuntu2_arm64.deb tika-server-standard-3.3.0.jar tika-server-standard-3.3.0.jar.md5 libssl*.deb uv-x86_64-unknown-linux-gnu.tar.gz uv-aarch64-unknown-linux-gnu.tar.gz /

 COPY nltk_data /nltk_data

--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <div align="center">
-<a href="https://demo.ragflow.io/">
+<a href="https://cloud.ragflow.io/">
 <img src="web/src/assets/logo-with-text.svg" width="520" alt="ragflow logo">
 </a>
 </div>
@@ -12,17 +12,20 @@
  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
 </p>

 <p align="center">
    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="follow on X(Twitter)">
    </a>
-    <a href="https://demo.ragflow.io" target="_blank">
+    <a href="https://cloud.ragflow.io" target="_blank">
        <img alt="Static Badge" src="https://img.shields.io/badge/Online-Demo-4e6b99">
    </a>
    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
-        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.23.1">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
    </a>
    <a href="https://github.com/infiniflow/ragflow/releases/latest">
        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Latest%20Release" alt="Latest Release">
@@ -40,7 +43,7 @@
  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
  <a href="https://twitter.com/infiniflowai">Twitter</a> |
  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
-  <a href="https://demo.ragflow.io">Demo</a>
+  <a href="https://cloud.ragflow.io">Demo</a>
 </h4>

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
@@ -72,11 +75,11 @@

 ## 💡 What is RAGFlow?

-[RAGFlow](https://ragflow.io/) is a leading open-source Retrieval-Augmented Generation (RAG) engine that fuses cutting-edge RAG with Agent capabilities to create a superior context layer for LLMs. It offers a streamlined RAG workflow adaptable to enterprises of any scale. Powered by a converged context engine and pre-built agent templates, RAGFlow enables developers to transform complex data into high-fidelity, production-ready AI systems with exceptional efficiency and precision.
+[RAGFlow](https://ragflow.io/) is a leading open-source Retrieval-Augmented Generation ([RAG](https://ragflow.io/basics/what-is-rag)) engine that fuses cutting-edge RAG with Agent capabilities to create a superior context layer for LLMs. It offers a streamlined RAG workflow adaptable to enterprises of any scale. Powered by a converged [context engine](https://ragflow.io/basics/what-is-agent-context-engine) and pre-built agent templates, RAGFlow enables developers to transform complex data into high-fidelity, production-ready AI systems with exceptional efficiency and precision.

 ## 🎮 Demo

-Try our demo at [https://demo.ragflow.io](https://demo.ragflow.io).
+Try our demo at [https://cloud.ragflow.io](https://cloud.ragflow.io).

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
 <img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
@@ -85,6 +88,7 @@ Try our demo at [https://demo.ragflow.io](https://demo.ragflow.io).

 ## 🔥 Latest Updates

+- 2026-03-24 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — Provides an official skill for accessing RAGFlow datasets via OpenClaw.
 - 2025-12-26 Supports 'Memory' for AI agent.
 - 2025-11-19 Supports Gemini 3 Pro.
 - 2025-11-12 Supports data synchronization from Confluence, S3, Notion, Discord, Google Drive.
@@ -188,15 +192,15 @@ releases! 🌟
 > All Docker images are built for x86 platforms. We don't currently offer Docker images for ARM64.
 > If you are on an ARM64 platform, follow [this guide](https://ragflow.io/docs/dev/build_docker_image) to build a Docker image compatible with your system.

-> The command below downloads the `v0.23.1` edition of the RAGFlow Docker image. See the following table for descriptions of different RAGFlow editions. To download a RAGFlow edition different from `v0.23.1`, update the `RAGFLOW_IMAGE` variable accordingly in **docker/.env** before using `docker compose` to start the server.
+> The command below downloads the `v0.25.1` edition of the RAGFlow Docker image. See the following table for descriptions of different RAGFlow editions. To download a RAGFlow edition different from `v0.25.1`, update the `RAGFLOW_IMAGE` variable accordingly in **docker/.env** before using `docker compose` to start the server.

 ```bash
   $ cd ragflow/docker
-  
-   # git checkout v0.23.1
+
+   # git checkout v0.25.1
   # Optional: use a stable tag (see releases: https://github.com/infiniflow/ragflow/releases)
   # This step ensures the **entrypoint.sh** file in the code matches the Docker image version.
-   
+
   # Use CPU for DeepDoc tasks:
   $ docker compose -f docker-compose.yml up -d

@@ -325,7 +329,7 @@ docker build --platform linux/amd64 \
   git clone https://github.com/infiniflow/ragflow.git
   cd ragflow/
   uv sync --python 3.12 # install RAGFlow dependent python modules
-   uv run download_deps.py
+   uv run python3 download_deps.py
   pre-commit install
   ```
 3. Launch the dependent services (MinIO, Elasticsearch, Redis, and MySQL) using Docker Compose:
@@ -389,8 +393,8 @@ docker build --platform linux/amd64 \
 - [Quickstart](https://ragflow.io/docs/dev/)
 - [Configuration](https://ragflow.io/docs/dev/configurations)
 - [Release notes](https://ragflow.io/docs/dev/release_notes)
- [User guides](https://ragflow.io/docs/dev/category/guides)
- [Developer guides](https://ragflow.io/docs/dev/category/developers)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
 - [References](https://ragflow.io/docs/dev/category/references)
 - [FAQs](https://ragflow.io/docs/dev/faq)

--- a/README_ar.md
+++ b/README_ar.md
@@ -0,0 +1,414 @@
+<div align="center">
+<a href="https://cloud.ragflow.io/">
+<img src="web/src/assets/logo-with-text.svg" width="520" alt="ragflow logo">
+</a>
+</div>
+
+<p align="center">
+  <a href="./README.md"><img alt="README in English" src="https://img.shields.io/badge/English-DFE0E5"></a>
+  <a href="./README_zh.md"><img alt="简体中文版自述文件" src="https://img.shields.io/badge/简体中文-DFE0E5"></a>
+  <a href="./README_tzh.md"><img alt="繁體版中文自述文件" src="https://img.shields.io/badge/繁體中文-DFE0E5"></a>
+  <a href="./README_ja.md"><img alt="日本語のREADME" src="https://img.shields.io/badge/日本語-DFE0E5"></a>
+  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
+  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
+  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DBEDFA"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
+</p>
+
+<p align="center">
+    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
+        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="follow on X(Twitter)">
+    </a>
+    <a href="https://cloud.ragflow.io" target="_blank">
+        <img alt="Static Badge" src="https://img.shields.io/badge/Online-Demo-4e6b99">
+    </a>
+    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
+    </a>
+    <a href="https://github.com/infiniflow/ragflow/releases/latest">
+        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Latest%20Release" alt="Latest Release">
+    </a>
+    <a href="https://github.com/infiniflow/ragflow/blob/main/LICENSE">
+        <img height="21" src="https://img.shields.io/badge/License-Apache--2.0-ffffff?labelColor=d4eaf7&color=2e6cc4" alt="license">
+    </a>
+    <a href="https://deepwiki.com/infiniflow/ragflow">
+        <img alt="Ask DeepWiki" src="https://deepwiki.com/badge.svg">
+    </a>
+</p>
+
+<h4 align="center">
+  <a href="https://ragflow.io/docs/dev/">Document</a> |
+  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
+  <a href="https://twitter.com/infiniflowai">Twitter</a> |
+  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
+  <a href="https://cloud.ragflow.io">Demo</a>
+</h4>
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/ragflow-octoverse.png" width="1200"/>
+</div>
+
+<div align="center">
+<a href="https://trendshift.io/repositories/9064" target="_blank"><img src="https://trendshift.io/api/badge/repositories/9064" alt="infiniflow%2Fragflow | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</div>
+
+<details open>
+<summary><b>📕 جدول المحتويات</b></summary>
+
+- 💡 [ما هو RAGFlow؟](#-what-is-ragflow)
+- 🎮 [Demo](#-demo)
+- 📌 [آخر التحديثات](#-latest-updates)
+- 🌟 [الميزات الرئيسية](#-key-features)
+- 🔎 [بنية النظام](#-system-architecture)
+- 🎬 [ابدأ](#-get-started)
+- 🔧 [التكوينات](#-configurations)
+- 🔧 [إنشاء صورة Docker](#-build-a-docker-image)
+- 🔨 [إطلاق الخدمة من المصدر للتطوير](#-launch-service-from-source-for-development)
+- 📚 [التوثيق](#-documentation)
+- 📜 [Roadmap](#-roadmap)
+- 🏄 [المجتمع](#-community)
+- 🙌 [مساهمة](#-contributing)
+
+</details>
+
+## 💡 ما هو RAGFlow؟
+
+يُعد مشروع [RAGFlow](https://ragflow.io/) محركًا رائدًا ومفتوح المصدر للاسترجاع المعزز بالتوليد (<bdi dir="ltr">RAG</bdi>)، ويجمع أحدث تقنيات <bdi dir="ltr">RAG</bdi> مع قدرات الوكلاء لبناء طبقة سياق متقدمة لنماذج <bdi dir="ltr">LLMs</bdi>. يوفّر سير عمل <bdi dir="ltr">RAG</bdi> مبسّطًا وقابلًا للتكيّف مع المؤسسات بمختلف أحجامها. وبالاعتماد على [محرك سياق موحّد](https://ragflow.io/basics/what-is-agent-context-engine) وقوالب وكلاء جاهزة، يتيح <bdi dir="ltr">RAGFlow</bdi> للمطورين تحويل البيانات المعقّدة إلى أنظمة <bdi dir="ltr">AI</bdi> عالية الدقة وجاهزة للإنتاج بكفاءة وموثوقية.
+
+## 🎮 Demo
+
+جرّب النسخة التجريبية على [https://cloud.ragflow.io](https://cloud.ragflow.io).
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/agentic-dark.gif" width="1200"/>
+</div>
+
+## 🔥 آخر التحديثات
+
+- 2026-03-24 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — توفر مهارة رسمية للوصول إلى مجموعات بيانات RAGFlow عبر OpenClaw.
+- 2025-12-26 يدعم ميزة "Memory" لوكلاء الذكاء الاصطناعي.
+- 11-11-2025 يدعم Gemini 3 Pro.
+- 12-11-2025 يدعم مزامنة البيانات من Confluence، S3، Notion، Discord، Google Drive.
+- 23-10-2025 يدعم MinerU وDocling كطرق لتحليل المستندات.
+- 15-10-2025 يدعم العرض الأوركسترالي pipeline.
+- 08-08-2025 يدعم أحدث موديلات سلسلة OpenAI.
+- 01-08-2025 يدعم سير العمل الوكيل وMCP.
+- 23-05-2025 تمت إضافة مكون منفذ كود Python/JavaScript إلى Agent.
+- 05-05-2025 يدعم الاستعلام بين اللغات.
+- 19-03-2025 يدعم استخدام نموذج متعدد الوسائط لفهم الصور داخل ملفات PDF أو DOCX.
+
+## 🎉 تابعونا
+
+⭐️ قم بتمييز مستودعنا بنجمة لتبقى على اطلاع بالميزات والتحسينات الجديدة والمثيرة! احصل على إشعارات فورية بالجديد
+الإصدارات! 🌟
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://github.com/user-attachments/assets/18c9707e-b8aa-4caf-a154-037089c105ba" width="1200"/>
+</div>
+
+## 🌟 الميزات الرئيسية
+
+### 🍭 **"الجودة في الداخل، الجودة في الخارج"**
+
+- [الفهم العميق للمستندات](./deepdoc/README.md) لاستخراج المعرفة من البيانات غير المنظمة
+  ذات التنسيقات المعقدة.
+- يجد "إبرة في كومة قش بيانات" من الرموز غير المحدودة حرفيًا.
+
+### 🍱 **التقطيع القائم على القالب**
+
+- ذكي وقابل للتفسير.
+- الكثير من خيارات القالب للاختيار من بينها.
+
+### 🌱 **استشهادات مؤرضة لتقليل الهلوسة**
+
+- تصور تقطيع النص للسماح بالتدخل البشري.
+- عرض سريع للمراجع الرئيسية والاستشهادات التي يمكن تتبعها لدعم الإجابات المبنية على أسس سليمة.
+
+### 🍔 **التوافق مع مصادر البيانات غير المتجانسة**
+
+- يدعم Word، والشرائح، وExcel، وtxt، والصور، والنسخ الممسوحة ضوئيًا، والبيانات المنظمة، وصفحات الويب، والمزيد.
+
+### 🛀 **سير عمل RAG آلي وسهل**
+
+- تنسيق RAG مبسط يلبي احتياجات الشركات الشخصية والكبيرة على حد سواء.
+- نماذج LLMs قابلة للتكوين بالإضافة إلى نماذج embedding.
+- الاستدعاء المتعدد المقترن بإعادة التصنيف المدمجة.
+- APIs بديهي للتكامل السلس مع الأعمال.
+
+## 🔎 هندسة النظام
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://github.com/user-attachments/assets/31b0dd6f-ca4f-445a-9457-70cb44a381b2" width="1000"/>
+</div>
+
+## 🎬 ابدأ
+
+### 📝 المتطلبات الأساسية
+
+- CPU >= 4 مراكز
+- الرام >= 16 جيجا
+- القرص >= 50 جيجا بايت
+- Docker >= 24.0.0 & Docker Compose >= v2.26.1
+- [gVisor](https://gvisor.dev/docs/user_guide/install/): مطلوب فقط إذا كنت تنوي استخدام ميزة منفذ التعليمات البرمجية (وضع الحماية) لـ RAGFlow.
+
+> [!TIP]
+> إذا لم تقم بتثبيت Docker على جهازك المحلي (Windows أو Mac أو Linux)، راجع [تثبيت Docker Engine](https://docs.docker.com/engine/install/).
+
+### 🚀 بدء تشغيل الخادم
+
+1. تأكد من `vm.max_map_count` >= 262144:
+
+   > للتحقق من قيمة `vm.max_map_count`:
+   >
+   > ```bash
+   > $ sysctl vm.max_map_count
+   > ```
+   >
+   > أعد تعيين `vm.max_map_count` إلى قيمة 262144 على الأقل إذا لم تكن كذلك.
+   >
+   > ```bash
+   > # In this case, we set it to 262144:
+   > $ sudo sysctl -w vm.max_map_count=262144
+   > ```
+   >
+   > سيتم إعادة ضبط هذا التغيير بعد إعادة تشغيل النظام. لضمان بقاء التغيير دائمًا، قم بإضافة أو تحديث
+   > `vm.max_map_count` القيمة في **/etc/sysctl.conf** وفقًا لذلك:
+   >
+   > ```bash
+   > vm.max_map_count=262144
+   > ```
+   >
+2. استنساخ الريبو:
+
+   ```bash
+   $ git clone https://github.com/infiniflow/ragflow.git
+   ```
+3. ابدأ تشغيل الخادم باستخدام صور Docker المعدة مسبقًا:
+
+> [!CAUTION]
+> جميع الصور Docker مصممة لمنصات x86. لا نعرض حاليًا صور Docker لـ ARM64.
+> إذا كنت تستخدم نظامًا أساسيًا ARM64، فاتبع [هذا الدليل](https://ragflow.io/docs/dev/build_docker_image) لإنشاء صورة Docker متوافقة مع نظامك.
+
+> يقوم الأمر أدناه بتنزيل إصدار `v0.25.1` من الصورة RAGFlow Docker. راجع الجدول التالي للحصول على أوصاف لإصدارات RAGFlow المختلفة. لتنزيل إصدار RAGFlow مختلف عن `v0.25.1`، قم بتحديث المتغير `RAGFLOW_IMAGE` وفقًا لذلك في **docker/.env** قبل استخدام `docker compose` لبدء تشغيل الخادم.
+
+```bash
+   $ cd ragflow/docker
+
+   # git checkout v0.25.1
+   # Optional: use a stable tag (see releases: https://github.com/infiniflow/ragflow/releases)
+   # This step ensures the **entrypoint.sh** file in the code matches the Docker image version.
+
+   # Use CPU for DeepDoc tasks:
+   $ docker compose -f docker-compose.yml up -d
+
+   # To use GPU to accelerate DeepDoc tasks:
+   # sed -i '1i DEVICE=gpu' .env
+   # docker compose -f docker-compose.yml up -d
+```
+
+> ملاحظة: قبل `v0.22.0`، قدمنا كلتا الصورتين بنماذج embedding وصورًا رفيعة بدون نماذج embedding. التفاصيل على النحو التالي:
+
+| RAGFlow علامة الصورة | حجم الصورة (جيجابايت) | هل لديه نماذج embedding؟ | مستقر؟        |
+|-------------------|-----------------|-----------------------|----------------|
+| v0.21.1 | &approx;9 | ✔️ | إصدار مستقر |
+| v0.21.1-slim | &approx;2 | ❌ | إصدار مستقر |
+
+> بدءًا من `v0.22.0`، نقوم بشحن الإصدار النحيف فقط ولم نعد نلحق اللاحقة **-slim** بعلامة الصورة.
+
+4. التحقق من حالة الخادم بعد تشغيل الخادم:
+
+   ```bash
+   $ docker logs -f docker-ragflow-cpu-1
+   ```
+
+   _النتيجة التالية تؤكد الإطلاق الناجح للنظام:_
+
+   ```bash
+
+         ____   ___    ______ ______ __
+        / __ \ /   |  / ____// ____// /____  _      __
+       / /_/ // /| | / / __ / /_   / // __ \| | /| / /
+      / _, _// ___ |/ /_/ // __/  / // /_/ /| |/ |/ /
+     /_/ |_|/_/  |_|\____//_/    /_/ \____/ |__/|__/
+
+    * Running on all addresses (0.0.0.0)
+   ```
+
+   > إذا تخطيت خطوة التأكيد هذه وقمت بتسجيل الدخول مباشرة إلى RAGFlow، فقد يعرض متصفحك تنبيه `network abnormal`
+   > خطأ لأنه في تلك اللحظة، قد لا تتم تهيئة RAGFlow بشكل كامل.
+   >
+5. في متصفح الويب الخاص بك، أدخل عنوان IP الخاص بالخادم الخاص بك وقم بتسجيل الدخول إلى RAGFlow.
+
+   > باستخدام الإعدادات الافتراضية، ما عليك سوى إدخال `http://IP_OF_YOUR_MACHINE` (**من دون** رقم المنفذ) كإعداد افتراضي
+   > HTTP يمكن حذف منفذ العرض `80` عند استخدام التكوينات الافتراضية.
+   >
+6. في [service_conf.yaml.template](./docker/service_conf.yaml.template)، حدد المصنع LLM المطلوب في `user_default_llm` وقم بالتحديث
+   الحقل `API_KEY` مع مفتاح API المقابل.
+
+   > راجع [llm_api_key_setup](https://ragflow.io/docs/dev/llm_api_key_setup) لمزيد من المعلومات.
+   >
+
+   _العرض بدأ!_
+
+## 🔧 التكوينات
+
+عندما يتعلق الأمر بتكوينات النظام، ستحتاج إلى إدارة الملفات التالية:
+
+- [.env](./docker/.env): يحتفظ بالإعدادات الأساسية للنظام، مثل `SVR_HTTP_PORT`، `MYSQL_PASSWORD`، و
+  `MINIO_PASSWORD`.
+- [service_conf.yaml.template](./docker/service_conf.yaml.template): تكوين الخدمات الخلفية. سيتم ملء متغيرات البيئة في هذا الملف تلقائيًا عند بدء تشغيل الحاوية Docker. ستكون أي متغيرات بيئة تم تعيينها داخل حاوية Docker متاحة للاستخدام، مما يسمح لك بتخصيص سلوك الخدمة استنادًا إلى بيئة النشر.
+- [docker-compose.yml](./docker/docker-compose.yml): يعتمد النظام على [docker-compose.yml](./docker/docker-compose.yml) لبدء التشغيل.
+
+> يوفر الملف [./docker/README](./docker/README.md) وصفًا تفصيليًا لإعدادات البيئة والخدمة
+> التكوينات التي يمكن استخدامها كـ `${ENV_VARS}` في ملف [service_conf.yaml.template](./docker/service_conf.yaml.template).
+
+لتحديث منفذ العرض الافتراضي HTTP (80)، انتقل إلى [docker-compose.yml](./docker/docker-compose.yml) وقم بتغيير `80:80`
+إلى `<YOUR_SERVING_PORT>:80`.
+
+تتطلب تحديثات التكوينات المذكورة أعلاه إعادة تشغيل جميع الحاويات لتصبح سارية المفعول:
+
+> ```bash
+> $ docker compose -f docker-compose.yml up -d
+> ```
+
+### تبديل محرك المستندات من Elasticsearch إلى Infinity
+
+RAGFlow يستخدم Elasticsearch بشكل افتراضي لتخزين النص الكامل والمتجهات. للتبديل إلى [Infinity](https://github.com/infiniflow/infinity/)، اتبع الخطوات التالية:
+
+1. إيقاف كافة الحاويات قيد التشغيل:
+
+   ```bash
+   $ docker compose -f docker/docker-compose.yml down -v
+   ```
+
+> [!WARNING]
+> `-v` سوف يحذف docker وحدات تخزين الحاوية، وسيتم مسح البيانات الموجودة.
+
+2. اضبط `DOC_ENGINE` في **docker/.env** على `infinity`.
+3. ابدأ الحاويات:
+
+   ```bash
+   $ docker compose -f docker-compose.yml up -d
+   ```
+
+> [!WARNING]
+> التبديل إلى Infinity على جهاز Linux/arm64 غير مدعوم رسميًا بعد.
+
+## 🔧 أنشئ صورة Docker
+
+يبلغ حجم هذه الصورة حوالي 2 غيغابايت وتعتمد على خدمات LLM وembedding الخارجية.
+
+```bash
+git clone https://github.com/infiniflow/ragflow.git
+cd ragflow/
+docker build --platform linux/amd64 -f Dockerfile -t infiniflow/ragflow:nightly .
+```
+
+أو إذا كنت خلف وكيل، فيمكنك تمرير وسيطات الوكيل:
+
+```bash
+docker build --platform linux/amd64 \
+  --build-arg http_proxy=http://YOUR_PROXY:PORT \
+  --build-arg https_proxy=http://YOUR_PROXY:PORT \
+  -f Dockerfile -t infiniflow/ragflow:nightly .
+```
+
+## 🔨 إطلاق الخدمة من المصدر للتطوير
+
+1. قم بتثبيت `uv` و`pre-commit`، أو قم بتخطي هذه الخطوة إذا كانا مثبتين بالفعل:
+
+   ```bash
+   pipx install uv pre-commit
+   ```
+2. استنساخ الكود المصدري وتثبيت تبعيات بايثون:
+
+   ```bash
+   git clone https://github.com/infiniflow/ragflow.git
+   cd ragflow/
+   uv sync --python 3.12 # install RAGFlow dependent python modules
+   uv run python3 download_deps.py
+   pre-commit install
+   ```
+3. قم بتشغيل الخدمات التابعة (MinIO وElasticsearch وRedis وMySQL) باستخدام Docker Compose:
+
+   ```bash
+   docker compose -f docker/docker-compose-base.yml up -d
+   ```
+
+   أضف السطر التالي إلى `/etc/hosts` لحل كافة المضيفين المحددين في **docker/.env** إلى `127.0.0.1`:
+
+   ```
+   127.0.0.1       es01 infinity mysql minio redis sandbox-executor-manager
+   ```
+4. إذا لم تتمكن من الوصول إلى HuggingFace، فقم بتعيين متغير البيئة `HF_ENDPOINT` لاستخدام موقع مرآة:
+
+   ```bash
+   export HF_ENDPOINT=https://hf-mirror.com
+   ```
+5. إذا كان نظام التشغيل لديك لا يحتوي على jemalloc، فيرجى تثبيته على النحو التالي:
+
+   ```bash
+   # Ubuntu
+   sudo apt-get install libjemalloc-dev
+   # CentOS
+   sudo yum install jemalloc
+   # OpenSUSE
+   sudo zypper install jemalloc
+   # macOS
+   sudo brew install jemalloc
+   ```
+6. إطلاق الخدمة الخلفية:
+
+   ```bash
+   source .venv/bin/activate
+   export PYTHONPATH=$(pwd)
+   bash docker/launch_backend_service.sh
+   ```
+7. تثبيت تبعيات الواجهة الأمامية:
+
+   ```bash
+   cd web
+   npm install
+   ```
+8. إطلاق خدمة الواجهة الأمامية:
+
+   ```bash
+   npm run dev
+   ```
+
+   _النتيجة التالية تؤكد الإطلاق الناجح للنظام:_
+
+   ![](https://github.com/user-attachments/assets/0daf462c-a24d-4496-a66f-92533534e187)
+9. أوقف خدمة الواجهة الأمامية والخلفية RAGFlow بعد اكتمال التطوير:
+
+   ```bash
+   pkill -f "ragflow_server.py|task_executor.py"
+   ```
+
+## 📚 التوثيق
+
+- [البدء السريع](https://ragflow.io/docs/dev/)
+- [التكوين](https://ragflow.io/docs/dev/configurations)
+- [ملاحظات الإصدار](https://ragflow.io/docs/dev/release_notes)
+- [أدلة المستخدم](https://ragflow.io/docs/category/user-guides)
+- [أدلة المطورين](https://ragflow.io/docs/category/developer-guides)
+- [المراجع](https://ragflow.io/docs/dev/category/references)
+- [الأسئلة الشائعة](https://ragflow.io/docs/dev/faq)
+
+## 📜 Roadmap
+
+راجع [RAGFlow Roadmap 2026](https://github.com/infiniflow/ragflow/issues/12241)
+
+## 🏄 المجتمع
+
+- [Discord](https://discord.gg/NjYzJD3GM3)
+- [Twitter](https://twitter.com/infiniflowai)
+- [مناقشات جيثب](https://github.com/orgs/infiniflow/discussions)
+
+## 🙌 المساهمة
+
+RAGFlow يزدهر من خلال التعاون مفتوح المصدر. وبهذه الروح، فإننا نحتضن المساهمات المتنوعة من المجتمع.
+إذا كنت ترغب في أن تكون جزءًا، فراجع [إرشادات المساهمة](https://ragflow.io/docs/dev/contributing) أولاً.
--- a/README_fr.md
+++ b/README_fr.md
@@ -0,0 +1,405 @@
+<div align="center">
+<a href="https://cloud.ragflow.io/">
+<img src="web/src/assets/logo-with-text.svg" width="520" alt="ragflow logo">
+</a>
+</div>
+
+<p align="center">
+  <a href="./README.md"><img alt="README in English" src="https://img.shields.io/badge/English-DFE0E5"></a>
+  <a href="./README_zh.md"><img alt="简体中文版自述文件" src="https://img.shields.io/badge/简体中文-DFE0E5"></a>
+  <a href="./README_tzh.md"><img alt="繁體版中文自述文件" src="https://img.shields.io/badge/繁體中文-DFE0E5"></a>
+  <a href="./README_ja.md"><img alt="日本語のREADME" src="https://img.shields.io/badge/日本語-DFE0E5"></a>
+  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
+  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
+  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DBEDFA"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
+</p>
+
+<p align="center">
+    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
+        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="suivre sur X(Twitter)">
+    </a>
+    <a href="https://cloud.ragflow.io" target="_blank">
+        <img alt="Badge statique" src="https://img.shields.io/badge/Online-Demo-4e6b99">
+    </a>
+    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
+    </a>
+    <a href="https://github.com/infiniflow/ragflow/releases/latest">
+        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Dernière%20version" alt="Dernière version">
+    </a>
+    <a href="https://github.com/infiniflow/ragflow/blob/main/LICENSE">
+        <img height="21" src="https://img.shields.io/badge/License-Apache--2.0-ffffff?labelColor=d4eaf7&color=2e6cc4" alt="licence">
+    </a>
+    <a href="https://deepwiki.com/infiniflow/ragflow">
+        <img alt="Ask DeepWiki" src="https://deepwiki.com/badge.svg">
+    </a>
+</p>
+
+<h4 align="center">
+  <a href="https://ragflow.io/docs/dev/">Documentation</a> |
+  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
+  <a href="https://twitter.com/infiniflowai">Twitter</a> |
+  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
+  <a href="https://cloud.ragflow.io">Démo</a>
+</h4>
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/ragflow-octoverse.png" width="1200"/>
+</div>
+
+<div align="center">
+<a href="https://trendshift.io/repositories/9064" target="_blank"><img src="https://trendshift.io/api/badge/repositories/9064" alt="infiniflow%2Fragflow | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</div>
+
+<details open>
+<summary><b>📕 Table des matières</b></summary>
+
+- 💡 [Qu'est-ce que RAGFlow?](#-quest-ce-que-ragflow)
+- 🎮 [Démo](#-démo)
+- 📌 [Dernières mises à jour](#-dernières-mises-à-jour)
+- 🌟 [Fonctionnalités clés](#-fonctionnalités-clés)
+- 🔎 [Architecture du système](#-architecture-du-système)
+- 🎬 [Démarrage](#-démarrage)
+- 🔧 [Configurations](#-configurations)
+- 🔧 [Construire une image Docker](#-construire-une-image-docker)
+- 🔨 [Lancer le service depuis les sources pour le développement](#-lancer-le-service-depuis-les-sources-pour-le-développement)
+- 📚 [Documentation](#-documentation)
+- 📜 [Roadmap](#-feuille-de-route)
+- 🏄 [Communauté](#-communauté)
+- 🙌 [Contribuer](#-contribuer)
+
+</details>
+
+## 💡 Qu'est-ce que RAGFlow?
+
+[RAGFlow](https://ragflow.io/) est un moteur de [RAG](https://ragflow.io/basics/what-is-rag) (Retrieval-Augmented Generation) open-source de premier plan qui fusionne les technologies RAG de pointe avec des capacités Agent pour créer une couche de contexte supérieure pour les LLM. Il offre un flux de travail RAG rationalisé, adaptable aux entreprises de toute taille. Alimenté par un [moteur de contexte](https://ragflow.io/basics/what-is-agent-context-engine) convergent et des modèles d'agents préconstruits, RAGFlow permet aux développeurs de transformer des données complexes en systèmes d'IA haute-fidélité, prêts pour la production, avec une efficacité et une précision exceptionnelles.
+
+## 🎮 Démo
+
+Essayez notre démo sur [https://cloud.ragflow.io](https://cloud.ragflow.io).
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/agentic-dark.gif" width="1200"/>
+</div>
+
+## 🔥 Dernières mises à jour
+
+- 24-03-2026 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — Fournit un skill officiel pour accéder aux datasets RAGFlow via OpenClaw.
+- 26-12-2025 Prise en charge de la « Mémoire » pour l'agent IA.
+- 19-11-2025 Prise en charge de Gemini 3 Pro.
+- 12-11-2025 Prise en charge de la synchronisation de données depuis Confluence, S3, Notion, Discord et Google Drive.
+- 23-10-2025 Prise en charge de MinerU & Docling comme méthodes d'analyse de documents.
+- 15-10-2025 Prise en charge du pipeline d'ingestion orchestrable.
+- 08-08-2025 Prise en charge des derniers modèles de la série GPT-5 d'OpenAI.
+- 01-08-2025 Prise en charge du flux de travail agentique et de MCP.
+- 23-05-2025 Ajout d'un composant exécuteur de code Python/JavaScript à l'Agent.
+- 05-05-2025 Prise en charge des requêtes inter-langues.
+- 19-03-2025 Prise en charge de l'utilisation d'un modèle multi-modal pour analyser les images dans les fichiers PDF ou DOCX.
+
+## 🎉 Restez informé
+
+⭐️ Mettez une étoile à notre dépôt pour rester informé des nouvelles fonctionnalités et améliorations passionnantes ! Recevez des notifications instantanées pour les nouvelles versions ! 🌟
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://github.com/user-attachments/assets/18c9707e-b8aa-4caf-a154-037089c105ba" width="1200"/>
+</div>
+
+## 🌟 Fonctionnalités clés
+
+### 🍭 **"Quality in, quality out"**
+
+- Extraction de connaissances basée sur la [compréhension approfondie des documents](./deepdoc/README.md) à partir de données non structurées aux formats complexes.
+- Trouve "l'aiguille dans la meule de données" de tokens littéralement illimités.
+
+### 🍱 **Découpage(Chunking) basé sur des templates**
+
+- Intelligent et explicable.
+- De nombreuses options de templates disponibles.
+
+### 🌱 **Citations fondées avec réduction des hallucinations**
+
+- Visualisation du découpage de texte pour permettre une intervention humaine.
+- Aperçu rapide des références clés et citations traçables pour soutenir des réponses fondées.
+
+### 🍔 **Compatibilité avec des sources de données hétérogènes**
+
+- Prend en charge Word, présentations, Excel, txt, images, copies numérisées, données structurées, pages web, et plus encore.
+
+### 🛀 **Flux de travail RAG automatisé et sans effort**
+
+- Orchestration RAG rationalisée adaptée aux particuliers comme aux grandes entreprises.
+- LLM et modèles d'embedding configurables.
+- Rappel multiple associé à un ré-classement fusionné.
+- APIs intuitives pour une intégration transparente avec les entreprises.
+
+## 🔎 Architecture du système
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://github.com/user-attachments/assets/31b0dd6f-ca4f-445a-9457-70cb44a381b2" width="1000"/>
+</div>
+
+## 🎬 Démarrage
+
+### 📝 Prérequis
+
+- CPU >= 4 cœurs
+- RAM >= 16 Go
+- Disque >= 50 Go
+- Docker >= 24.0.0 & Docker Compose >= v2.26.1
+- [gVisor](https://gvisor.dev/docs/user_guide/install/) : Requis uniquement si vous souhaitez utiliser la fonctionnalité d'exécuteur de code (sandbox) de RAGFlow.
+
+> [!TIP]
+> Si vous n'avez pas installé Docker sur votre machine locale (Windows, Mac ou Linux), consultez [Installer Docker Engine](https://docs.docker.com/engine/install/).
+
+### 🚀 Démarrer le serveur
+
+1. Assurez-vous que `vm.max_map_count` >= 262144 :
+
+   > Pour vérifier la valeur de `vm.max_map_count` :
+   >
+   > ```bash
+   > $ sysctl vm.max_map_count
+   > ```
+   >
+   > Réinitialisez `vm.max_map_count` à une valeur d'au moins 262144 si ce n'est pas le cas.
+   >
+   > ```bash
+   > # Dans ce cas, nous le définissons à 262144 :
+   > $ sudo sysctl -w vm.max_map_count=262144
+   > ```
+   >
+   > Ce changement sera réinitialisé après un redémarrage du système. Pour que votre modification reste permanente, ajoutez ou mettez à jour la valeur `vm.max_map_count` dans **/etc/sysctl.conf** :
+   >
+   > ```bash
+   > vm.max_map_count=262144
+   > ```
+   >
+2. Clonez le dépôt :
+
+   ```bash
+   $ git clone https://github.com/infiniflow/ragflow.git
+   ```
+3. Démarrez le serveur en utilisant les images Docker préconstruites :
+
+> [!CAUTION]
+> Toutes les images Docker sont construites pour les plateformes x86. Nous ne proposons pas actuellement d'images Docker pour ARM64.
+> Si vous êtes sur une plateforme ARM64, suivez [ce guide](https://ragflow.io/docs/dev/build_docker_image) pour construire une image Docker compatible avec votre système.
+
+> La commande ci-dessous télécharge l'édition `v0.25.1` de l'image Docker RAGFlow. Consultez le tableau suivant pour les descriptions des différentes éditions de RAGFlow. Pour télécharger une édition de RAGFlow différente de `v0.25.1`, mettez à jour la variable `RAGFLOW_IMAGE` dans **docker/.env** avant d'utiliser `docker compose` pour démarrer le serveur.
+
+```bash
+   $ cd ragflow/docker
+
+   # git checkout v0.25.1
+   # Optionnel : utiliser un tag stable (voir les versions : https://github.com/infiniflow/ragflow/releases)
+   # Cette étape garantit que le fichier **entrypoint.sh** dans le code correspond à la version de l'image Docker.
+
+   # Use CPU for DeepDoc tasks:
+   $ docker compose -f docker-compose.yml up -d
+
+   # To use GPU to accelerate DeepDoc tasks:
+   # sed -i '1i DEVICE=gpu' .env
+   # docker compose -f docker-compose.yml up -d
+```
+
+> Remarque : Avant `v0.22.0`, nous fournissions à la fois des images avec des modèles d'embedding et des images slim sans modèles d'embedding. Détails ci-dessous :
+
+| RAGFlow image tag | Image size (GB) | Has embedding models? | Stable?        |
+|-------------------|-----------------|-----------------------|----------------|
+| v0.21.1           | &approx;9       | ✔️                    | Stable release |
+| v0.21.1-slim      | &approx;2       | ❌                     | Stable release |
+
+> À partir de `v0.22.0`, nous ne distribuons que l'édition slim et ne rajoutons plus le suffixe **-slim** au tag d'image.
+
+4. Vérifiez l'état du serveur après son démarrage :
+
+   ```bash
+   $ docker logs -f docker-ragflow-cpu-1
+   ```
+
+   _La sortie suivante confirme un lancement réussi du système :_
+
+   ```bash
+
+         ____   ___    ______ ______ __
+        / __ \ /   |  / ____// ____// /____  _      __
+       / /_/ // /| | / / __ / /_   / // __ \| | /| / /
+      / _, _// ___ |/ /_/ // __/  / // /_/ /| |/ |/ /
+     /_/ |_|/_/  |_|\____//_/    /_/ \____/ |__/|__/
+
+    * Running on all addresses (0.0.0.0)
+   ```
+
+   > Si vous sautez cette étape de confirmation et vous connectez directement à RAGFlow, votre navigateur peut afficher une erreur `network abnormal`, car à ce moment-là, votre RAGFlow peut ne pas être entièrement initialisé.
+   >
+5. Dans votre navigateur web, entrez l'adresse IP de votre serveur et connectez-vous à RAGFlow.
+
+   > Avec les paramètres par défaut, il vous suffit d'entrer `http://IP_OF_YOUR_MACHINE` (**sans** numéro de port), car le port HTTP par défaut `80` peut être omis lors de l'utilisation des configurations par défaut.
+   >
+6. Dans [service_conf.yaml.template](./docker/service_conf.yaml.template), sélectionnez la fabrique LLM souhaitée dans `user_default_llm` et mettez à jour le champ `API_KEY` avec la clé API correspondante.
+
+   > Voir [llm_api_key_setup](https://ragflow.io/docs/dev/llm_api_key_setup) pour plus d'informations.
+   >
+
+   _Le spectacle commence !_
+
+## 🔧 Configurations
+
+En ce qui concerne les configurations système, vous devrez gérer les fichiers suivants :
+
+- [.env](./docker/.env) : Conserve les paramètres de base du système, tels que `SVR_HTTP_PORT`, `MYSQL_PASSWORD` et `MINIO_PASSWORD`.
+- [service_conf.yaml.template](./docker/service_conf.yaml.template) : Configure les services back-end. Les variables d'environnement dans ce fichier seront automatiquement renseignées au démarrage du conteneur Docker. Toutes les variables d'environnement définies dans le conteneur Docker seront disponibles, vous permettant de personnaliser le comportement du service en fonction de l'environnement de déploiement.
+- [docker-compose.yml](./docker/docker-compose.yml) : Le système s'appuie sur [docker-compose.yml](./docker/docker-compose.yml) pour démarrer.
+
+> Le fichier [./docker/README](./docker/README.md) fournit une description détaillée des paramètres d'environnement et des configurations de services qui peuvent être utilisés comme `${ENV_VARS}` dans le fichier [service_conf.yaml.template](./docker/service_conf.yaml.template).
+
+Pour mettre à jour le port HTTP de service par défaut (80), accédez à [docker-compose.yml](./docker/docker-compose.yml) et changez `80:80` en `<YOUR_SERVING_PORT>:80`.
+
+Les mises à jour des configurations ci-dessus nécessitent un redémarrage de tous les conteneurs pour prendre effet :
+
+> ```bash
+> $ docker compose -f docker-compose.yml up -d
+> ```
+
+### Passer du moteur de documents Elasticsearch à Infinity
+
+RAGFlow utilise Elasticsearch par défaut pour stocker le texte intégral et les vecteurs. Pour passer à [Infinity](https://github.com/infiniflow/infinity/), suivez ces étapes :
+
+1. Arrêtez tous les conteneurs en cours d'exécution :
+
+   ```bash
+   $ docker compose -f docker/docker-compose.yml down -v
+   ```
+
+> [!WARNING]
+> `-v` supprimera les volumes des conteneurs Docker, et les données existantes seront effacées.
+
+2. Définissez `DOC_ENGINE` dans **docker/.env** sur `infinity`.
+3. Démarrez les conteneurs :
+
+   ```bash
+   $ docker compose -f docker-compose.yml up -d
+   ```
+
+> [!WARNING]
+> Le passage à Infinity sur une machine Linux/arm64 n'est pas encore officiellement pris en charge.
+
+## 🔧 Construire une image Docker
+
+Cette image fait environ 2 Go et dépend de services LLM et d'embedding externes.
+
+```bash
+git clone https://github.com/infiniflow/ragflow.git
+cd ragflow/
+docker build --platform linux/amd64 -f Dockerfile -t infiniflow/ragflow:nightly .
+```
+
+Ou si vous êtes derrière un proxy, vous pouvez passer des arguments de proxy :
+
+```bash
+docker build --platform linux/amd64 \
+  --build-arg http_proxy=http://YOUR_PROXY:PORT \
+  --build-arg https_proxy=http://YOUR_PROXY:PORT \
+  -f Dockerfile -t infiniflow/ragflow:nightly .
+```
+
+## 🔨 Lancer le service depuis les sources pour le développement
+
+1. Installez `uv` et `pre-commit`, ou ignorez cette étape s'ils sont déjà installés :
+
+   ```bash
+   pipx install uv pre-commit
+   ```
+2. Clonez le code source et installez les dépendances Python :
+
+   ```bash
+   git clone https://github.com/infiniflow/ragflow.git
+   cd ragflow/
+   uv sync --python 3.12 # install RAGFlow dependent python modules
+   uv run python3 download_deps.py
+   pre-commit install
+   ```
+3. Lancez les services dépendants (MinIO, Elasticsearch, Redis et MySQL) avec Docker Compose :
+
+   ```bash
+   docker compose -f docker/docker-compose-base.yml up -d
+   ```
+
+   Ajoutez la ligne suivante à `/etc/hosts` pour résoudre tous les hôtes spécifiés dans **docker/.env** vers `127.0.0.1` :
+
+   ```
+   127.0.0.1       es01 infinity mysql minio redis sandbox-executor-manager
+   ```
+4. Si vous ne pouvez pas accéder à HuggingFace, définissez la variable d'environnement `HF_ENDPOINT` pour utiliser un site miroir :
+
+   ```bash
+   export HF_ENDPOINT=https://hf-mirror.com
+   ```
+5. Si votre système d'exploitation n'a pas jemalloc, installez-le comme suit :
+
+   ```bash
+   # Ubuntu
+   sudo apt-get install libjemalloc-dev
+   # CentOS
+   sudo yum install jemalloc
+   # OpenSUSE
+   sudo zypper install jemalloc
+   # macOS
+   sudo brew install jemalloc
+   ```
+6. Lancez le service back-end :
+
+   ```bash
+   source .venv/bin/activate
+   export PYTHONPATH=$(pwd)
+   bash docker/launch_backend_service.sh
+   ```
+7. Installez les dépendances front-end :
+
+   ```bash
+   cd web
+   npm install
+   ```
+8. Lancez le service front-end :
+
+   ```bash
+   npm run dev
+   ```
+
+   _La sortie suivante confirme un lancement réussi du système :_
+
+   ![](https://github.com/user-attachments/assets/0daf462c-a24d-4496-a66f-92533534e187)
+9. Arrêtez les services front-end et back-end de RAGFlow une fois le développement terminé :
+
+   ```bash
+   pkill -f "ragflow_server.py|task_executor.py"
+   ```
+
+## 📚 Documentation
+
+- [Quickstart](https://ragflow.io/docs/dev/)
+- [Configuration](https://ragflow.io/docs/dev/configurations)
+- [Release notes](https://ragflow.io/docs/dev/release_notes)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
+- [References](https://ragflow.io/docs/dev/category/references)
+- [FAQs](https://ragflow.io/docs/dev/faq)
+
+## 📜 Roadmap
+
+Voir la [Feuille de route RAGFlow 2026](https://github.com/infiniflow/ragflow/issues/12241)
+
+## 🏄 Communauté
+
+- [Discord](https://discord.gg/NjYzJD3GM3)
+- [Twitter](https://twitter.com/infiniflowai)
+- [GitHub Discussions](https://github.com/orgs/infiniflow/discussions)
+
+## 🙌 Contribuer
+
+RAGFlow s'épanouit grâce à la collaboration open-source. Dans cet esprit, nous accueillons des contributions diverses de la communauté.
+Si vous souhaitez en faire partie, consultez d'abord nos [Directives de contribution](https://ragflow.io/docs/dev/contributing).
--- a/README_id.md
+++ b/README_id.md
@@ -1,5 +1,5 @@
 <div align="center">
-<a href="https://demo.ragflow.io/">
+<a href="https://cloud.ragflow.io/">
 <img src="web/src/assets/logo-with-text.svg" width="520" alt="Logo ragflow">
 </a>
 </div>
@@ -12,17 +12,20 @@
  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DBEDFA"></a>
  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
 </p>

 <p align="center">
    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="Ikuti di X (Twitter)">
    </a>
-    <a href="https://demo.ragflow.io" target="_blank">
+    <a href="https://cloud.ragflow.io" target="_blank">
        <img alt="Lencana Daring" src="https://img.shields.io/badge/Online-Demo-4e6b99">
    </a>
    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
-        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.23.1">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
    </a>
    <a href="https://github.com/infiniflow/ragflow/releases/latest">
        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Rilis%20Terbaru" alt="Rilis Terbaru">
@@ -40,7 +43,7 @@
  <a href="https://github.com/infiniflow/ragflow/issues/12241">Peta Jalan</a> |
  <a href="https://twitter.com/infiniflowai">Twitter</a> |
  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
-  <a href="https://demo.ragflow.io">Demo</a>
+  <a href="https://cloud.ragflow.io">Demo</a>
 </h4>

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
@@ -72,11 +75,11 @@

 ## 💡 Apa Itu RAGFlow?

-[RAGFlow](https://ragflow.io/) adalah mesin RAG (Retrieval-Augmented Generation) open-source terkemuka yang mengintegrasikan teknologi RAG mutakhir dengan kemampuan Agent untuk menciptakan lapisan kontekstual superior bagi LLM. Menyediakan alur kerja RAG yang efisien dan dapat diadaptasi untuk perusahaan segala skala. Didukung oleh mesin konteks terkonvergensi dan template Agent yang telah dipra-bangun, RAGFlow memungkinkan pengembang mengubah data kompleks menjadi sistem AI kesetiaan-tinggi dan siap-produksi dengan efisiensi dan presisi yang luar biasa.
+[RAGFlow](https://ragflow.io/) adalah mesin [RAG](https://ragflow.io/basics/what-is-rag) (Retrieval-Augmented Generation) open-source terkemuka yang mengintegrasikan teknologi RAG mutakhir dengan kemampuan Agent untuk menciptakan lapisan kontekstual superior bagi LLM. Menyediakan alur kerja RAG yang efisien dan dapat diadaptasi untuk perusahaan segala skala. Didukung oleh mesin konteks terkonvergensi dan template Agent yang telah dipra-bangun, RAGFlow memungkinkan pengembang mengubah data kompleks menjadi sistem AI kesetiaan-tinggi dan siap-produksi dengan efisiensi dan presisi yang luar biasa.

 ## 🎮 Demo

-Coba demo kami di [https://demo.ragflow.io](https://demo.ragflow.io).
+Coba demo kami di [https://cloud.ragflow.io](https://cloud.ragflow.io).

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
 <img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
@@ -85,6 +88,7 @@ Coba demo kami di [https://demo.ragflow.io](https://demo.ragflow.io).

 ## 🔥 Pembaruan Terbaru

+- 2026-03-24 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — Menyediakan skill resmi untuk mengakses dataset RAGFlow melalui OpenClaw.
 - 2025-12-26 Mendukung 'Memori' untuk agen AI.
 - 2025-11-19 Mendukung Gemini 3 Pro.
 - 2025-11-12 Mendukung sinkronisasi data dari Confluence, S3, Notion, Discord, Google Drive.
@@ -188,12 +192,12 @@ Coba demo kami di [https://demo.ragflow.io](https://demo.ragflow.io).
 > Semua gambar Docker dibangun untuk platform x86. Saat ini, kami tidak menawarkan gambar Docker untuk ARM64.
 > Jika Anda menggunakan platform ARM64, [silakan gunakan panduan ini untuk membangun gambar Docker yang kompatibel dengan sistem Anda](https://ragflow.io/docs/dev/build_docker_image).

-> Perintah di bawah ini mengunduh edisi v0.23.1 dari gambar Docker RAGFlow. Silakan merujuk ke tabel berikut untuk deskripsi berbagai edisi RAGFlow. Untuk mengunduh edisi RAGFlow yang berbeda dari v0.23.1, perbarui variabel RAGFLOW_IMAGE di docker/.env sebelum menggunakan docker compose untuk memulai server.
+> Perintah di bawah ini mengunduh edisi v0.25.1 dari gambar Docker RAGFlow. Silakan merujuk ke tabel berikut untuk deskripsi berbagai edisi RAGFlow. Untuk mengunduh edisi RAGFlow yang berbeda dari v0.25.1, perbarui variabel RAGFLOW_IMAGE di docker/.env sebelum menggunakan docker compose untuk memulai server.

 ```bash
   $ cd ragflow/docker
-   
-   # git checkout v0.23.1
+
+   # git checkout v0.25.1
   # Opsional: gunakan tag stabil (lihat releases: https://github.com/infiniflow/ragflow/releases)
   # This steps ensures the **entrypoint.sh** file in the code matches the Docker image version.

@@ -299,7 +303,7 @@ docker build --platform linux/amd64 \
   git clone https://github.com/infiniflow/ragflow.git
   cd ragflow/
   uv sync --python 3.12 # install RAGFlow dependent python modules
-   uv run download_deps.py
+   uv run python3 download_deps.py
   pre-commit install
   ```
 3. Jalankan aplikasi yang diperlukan (MinIO, Elasticsearch, Redis, dan MySQL) menggunakan Docker Compose:
@@ -361,8 +365,8 @@ docker build --platform linux/amd64 \
 - [Quickstart](https://ragflow.io/docs/dev/)
 - [Configuration](https://ragflow.io/docs/dev/configurations)
 - [Release notes](https://ragflow.io/docs/dev/release_notes)
- [User guides](https://ragflow.io/docs/dev/category/guides)
- [Developer guides](https://ragflow.io/docs/dev/category/developers)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
 - [References](https://ragflow.io/docs/dev/category/references)
 - [FAQs](https://ragflow.io/docs/dev/faq)

--- a/README_ja.md
+++ b/README_ja.md
@@ -1,5 +1,5 @@
 <div align="center">
-<a href="https://demo.ragflow.io/">
+<a href="https://cloud.ragflow.io/">
 <img src="web/src/assets/logo-with-text.svg" width="350" alt="ragflow logo">
 </a>
 </div>
@@ -12,17 +12,20 @@
  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
 </p>

 <p align="center">
    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="follow on X(Twitter)">
    </a>
-    <a href="https://demo.ragflow.io" target="_blank">
+    <a href="https://cloud.ragflow.io" target="_blank">
        <img alt="Static Badge" src="https://img.shields.io/badge/Online-Demo-4e6b99">
    </a>
    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
-        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.23.1">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
    </a>
    <a href="https://github.com/infiniflow/ragflow/releases/latest">
        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Latest%20Release" alt="Latest Release">
@@ -40,7 +43,7 @@
  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
  <a href="https://twitter.com/infiniflowai">Twitter</a> |
  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
-  <a href="https://demo.ragflow.io">Demo</a>
+  <a href="https://cloud.ragflow.io">Demo</a>
 </h4>

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
@@ -53,11 +56,11 @@

 ## 💡 RAGFlow とは？

-[RAGFlow](https://ragflow.io/) は、先進的なRAG（Retrieval-Augmented Generation）技術と Agent 機能を融合し、大規模言語モデル（LLM）に優れたコンテキスト層を構築する最先端のオープンソース RAG エンジンです。あらゆる規模の企業に対応可能な合理化された RAG ワークフローを提供し、統合型コンテキストエンジンと事前構築されたAgentテンプレートにより、開発者が複雑なデータを驚異的な効率性と精度で高精細なプロダクションレディAIシステムへ変換することを可能にします。
+[RAGFlow](https://ragflow.io/) は、先進的な[RAG](https://ragflow.io/basics/what-is-rag)（Retrieval-Augmented Generation）技術と Agent 機能を融合し、大規模言語モデル（LLM）に優れたコンテキスト層を構築する最先端のオープンソース RAG エンジンです。あらゆる規模の企業に対応可能な合理化された RAG ワークフローを提供し、統合型[コンテキストエンジン](https://ragflow.io/basics/what-is-agent-context-engine)と事前構築されたAgentテンプレートにより、開発者が複雑なデータを驚異的な効率性と精度で高精細なプロダクションレディAIシステムへ変換することを可能にします。

 ## 🎮 Demo

-デモをお試しください：[https://demo.ragflow.io](https://demo.ragflow.io)。
+デモをお試しください：[https://cloud.ragflow.io](https://cloud.ragflow.io)。

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
 <img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
@@ -66,6 +69,7 @@

 ## 🔥 最新情報

+- 2026-03-24 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — OpenClaw経由でRAGFlowデータセットにアクセスする公式スキルを提供。
 - 2025-12-26 AIエージェントの「メモリ」機能をサポート。
 - 2025-11-19 Gemini 3 Proをサポートしています。
 - 2025-11-12 Confluence、S3、Notion、Discord、Google Drive からのデータ同期をサポートします。
@@ -168,12 +172,12 @@
 > 現在、公式に提供されているすべての Docker イメージは x86 アーキテクチャ向けにビルドされており、ARM64 用の Docker イメージは提供されていません。
 > ARM64 アーキテクチャのオペレーティングシステムを使用している場合は、[このドキュメント](https://ragflow.io/docs/dev/build_docker_image)を参照して Docker イメージを自分でビルドしてください。

-> 以下のコマンドは、RAGFlow Docker イメージの v0.23.1 エディションをダウンロードします。異なる RAGFlow エディションの説明については、以下の表を参照してください。v0.23.1 とは異なるエディションをダウンロードするには、docker/.env ファイルの RAGFLOW_IMAGE 変数を適宜更新し、docker compose を使用してサーバーを起動してください。
+> 以下のコマンドは、RAGFlow Docker イメージの v0.25.1 エディションをダウンロードします。異なる RAGFlow エディションの説明については、以下の表を参照してください。v0.25.1 とは異なるエディションをダウンロードするには、docker/.env ファイルの RAGFLOW_IMAGE 変数を適宜更新し、docker compose を使用してサーバーを起動してください。

 ```bash
   $ cd ragflow/docker

-   # git checkout v0.23.1
+   # git checkout v0.25.1
   # 任意: 安定版タグを利用 (一覧: https://github.com/infiniflow/ragflow/releases)
   # この手順は、コード内の entrypoint.sh ファイルが Docker イメージのバージョンと一致していることを確認します。

@@ -194,8 +198,8 @@

 > `v0.22.0` 以降、当プロジェクトでは slim エディションのみを提供し、イメージタグに **-slim** サフィックスを付けなくなりました。

-   1. サーバーを立ち上げた後、サーバーの状態を確認する:   
-   
+   1. サーバーを立ち上げた後、サーバーの状態を確認する:
+
   ```bash
   $ docker logs -f docker-ragflow-cpu-1
   ```
@@ -299,7 +303,7 @@ docker build --platform linux/amd64 \
   git clone https://github.com/infiniflow/ragflow.git
   cd ragflow/
   uv sync --python 3.12 # install RAGFlow dependent python modules
-   uv run download_deps.py
+   uv run python3 download_deps.py
   pre-commit install
   ```
 3. Docker Compose を使用して依存サービス（MinIO、Elasticsearch、Redis、MySQL）を起動する:
@@ -361,8 +365,8 @@ docker build --platform linux/amd64 \
 - [Quickstart](https://ragflow.io/docs/dev/)
 - [Configuration](https://ragflow.io/docs/dev/configurations)
 - [Release notes](https://ragflow.io/docs/dev/release_notes)
- [User guides](https://ragflow.io/docs/dev/category/guides)
- [Developer guides](https://ragflow.io/docs/dev/category/developers)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
 - [References](https://ragflow.io/docs/dev/category/references)
 - [FAQs](https://ragflow.io/docs/dev/faq)

--- a/README_ko.md
+++ b/README_ko.md
@@ -1,5 +1,5 @@
 <div align="center">
-<a href="https://demo.ragflow.io/">
+<a href="https://cloud.ragflow.io/">
 <img src="web/src/assets/logo-with-text.svg" width="520" alt="ragflow logo">
 </a>
 </div>
@@ -12,17 +12,20 @@
  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DBEDFA"></a>
  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
 </p>

 <p align="center">
    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="follow on X(Twitter)">
    </a>
-    <a href="https://demo.ragflow.io" target="_blank">
+    <a href="https://cloud.ragflow.io" target="_blank">
        <img alt="Static Badge" src="https://img.shields.io/badge/Online-Demo-4e6b99">
    </a>
    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
-        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.23.1">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
    </a>
    <a href="https://github.com/infiniflow/ragflow/releases/latest">
        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Latest%20Release" alt="Latest Release">
@@ -40,7 +43,7 @@
  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
  <a href="https://twitter.com/infiniflowai">Twitter</a> |
  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
-  <a href="https://demo.ragflow.io">Demo</a>
+  <a href="https://cloud.ragflow.io">Demo</a>
 </h4>

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
@@ -54,11 +57,11 @@

 ## 💡 RAGFlow란?

-[RAGFlow](https://ragflow.io/) 는 최첨단 RAG(Retrieval-Augmented Generation)와 Agent 기능을 융합하여 대규모 언어 모델(LLM)을 위한 우수한 컨텍스트 계층을 생성하는 선도적인 오픈소스 RAG 엔진입니다. 모든 규모의 기업에 적용 가능한 효율적인 RAG 워크플로를 제공하며, 통합 컨텍스트 엔진과 사전 구축된 Agent 템플릿을 통해 개발자들이 복잡한 데이터를 예외적인 효율성과 정밀도로 고급 구현도의 프로덕션 준비 완료 AI 시스템으로 변환할 수 있도록 지원합니다.
+[RAGFlow](https://ragflow.io/) 는 최첨단 [RAG](https://ragflow.io/basics/what-is-rag)(Retrieval-Augmented Generation)와 Agent 기능을 융합하여 대규모 언어 모델(LLM)을 위한 우수한 컨텍스트 계층을 생성하는 선도적인 오픈소스 RAG 엔진입니다. 모든 규모의 기업에 적용 가능한 효율적인 RAG 워크플로를 제공하며, 통합 [컨텍스트 엔진](https://ragflow.io/basics/what-is-agent-context-engine)과 사전 구축된 Agent 템플릿을 통해 개발자들이 복잡한 데이터를 예외적인 효율성과 정밀도로 고급 구현도의 프로덕션 준비 완료 AI 시스템으로 변환할 수 있도록 지원합니다.

 ## 🎮 데모

-데모를 [https://demo.ragflow.io](https://demo.ragflow.io)에서 실행해 보세요.
+데모를 [https://cloud.ragflow.io](https://cloud.ragflow.io)에서 실행해 보세요.

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
 <img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
@@ -67,6 +70,7 @@

 ## 🔥 업데이트

+- 2026-03-24 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — OpenClaw를 통해 RAGFlow 데이터셋에 접근하는 공식 스킬 제공.
 - 2025-12-26 AI 에이전트의 '메모리' 기능 지원.
 - 2025-11-19 Gemini 3 Pro를 지원합니다.
 - 2025-11-12 Confluence, S3, Notion, Discord, Google Drive에서 데이터 동기화를 지원합니다.
@@ -170,12 +174,12 @@
 > 모든 Docker 이미지는 x86 플랫폼을 위해 빌드되었습니다. 우리는 현재 ARM64 플랫폼을 위한 Docker 이미지를 제공하지 않습니다.
 > ARM64 플랫폼을 사용 중이라면, [시스템과 호환되는 Docker 이미지를 빌드하려면 이 가이드를 사용해 주세요](https://ragflow.io/docs/dev/build_docker_image).

-   > 아래 명령어는 RAGFlow Docker 이미지의 v0.23.1 버전을 다운로드합니다. 다양한 RAGFlow 버전에 대한 설명은 다음 표를 참조하십시오. v0.23.1과 다른 RAGFlow 버전을 다운로드하려면, docker/.env 파일에서 RAGFLOW_IMAGE 변수를 적절히 업데이트한 후 docker compose를 사용하여 서버를 시작하십시오.
+   > 아래 명령어는 RAGFlow Docker 이미지의 v0.25.1 버전을 다운로드합니다. 다양한 RAGFlow 버전에 대한 설명은 다음 표를 참조하십시오. v0.25.1과 다른 RAGFlow 버전을 다운로드하려면, docker/.env 파일에서 RAGFLOW_IMAGE 변수를 적절히 업데이트한 후 docker compose를 사용하여 서버를 시작하십시오.

   ```bash
   $ cd ragflow/docker
-   
-   # git checkout v0.23.1
+
+   # git checkout v0.25.1
   # Optional: use a stable tag (see releases: https://github.com/infiniflow/ragflow/releases)
   # 이 단계는 코드의 entrypoint.sh 파일이 Docker 이미지 버전과 일치하도록 보장합니다.

@@ -294,7 +298,7 @@ docker build --platform linux/amd64 \
   git clone https://github.com/infiniflow/ragflow.git
   cd ragflow/
   uv sync --python 3.12 # install RAGFlow dependent python modules
-   uv run download_deps.py
+   uv run python3 download_deps.py
   pre-commit install
   ```

@@ -365,8 +369,8 @@ docker build --platform linux/amd64 \
 - [Quickstart](https://ragflow.io/docs/dev/)
 - [Configuration](https://ragflow.io/docs/dev/configurations)
 - [Release notes](https://ragflow.io/docs/dev/release_notes)
- [User guides](https://ragflow.io/docs/dev/category/guides)
- [Developer guides](https://ragflow.io/docs/dev/category/developers)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
 - [References](https://ragflow.io/docs/dev/category/references)
 - [FAQs](https://ragflow.io/docs/dev/faq)

--- a/README_pt_br.md
+++ b/README_pt_br.md
@@ -1,5 +1,5 @@
 <div align="center">
-<a href="https://demo.ragflow.io/">
+<a href="https://cloud.ragflow.io/">
 <img src="web/src/assets/logo-with-text.svg" width="520" alt="ragflow logo">
 </a>
 </div>
@@ -12,17 +12,20 @@
  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DBEDFA"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
 </p>

 <p align="center">
    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="seguir no X(Twitter)">
    </a>
-    <a href="https://demo.ragflow.io" target="_blank">
+    <a href="https://cloud.ragflow.io" target="_blank">
        <img alt="Badge Estático" src="https://img.shields.io/badge/Online-Demo-4e6b99">
    </a>
    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
-        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.23.1">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
    </a>
    <a href="https://github.com/infiniflow/ragflow/releases/latest">
        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Última%20Relese" alt="Última Versão">
@@ -40,7 +43,7 @@
  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
  <a href="https://twitter.com/infiniflowai">Twitter</a> |
  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
-  <a href="https://demo.ragflow.io">Demo</a>
+  <a href="https://cloud.ragflow.io">Demo</a>
 </h4>

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
@@ -73,11 +76,11 @@

 ## 💡 O que é o RAGFlow?

-[RAGFlow](https://ragflow.io/) é um mecanismo de RAG (Retrieval-Augmented Generation) open-source líder que fusiona tecnologias RAG de ponta com funcionalidades Agent para criar uma camada contextual superior para LLMs. Oferece um fluxo de trabalho RAG otimizado adaptável a empresas de qualquer escala. Alimentado por um motor de contexto convergente e modelos Agent pré-construídos, o RAGFlow permite que desenvolvedores transformem dados complexos em sistemas de IA de alta fidelidade e pronto para produção com excepcional eficiência e precisão.
+[RAGFlow](https://ragflow.io/) é um mecanismo de [RAG](https://ragflow.io/basics/what-is-rag) (Retrieval-Augmented Generation) open-source líder que fusiona tecnologias RAG de ponta com funcionalidades Agent para criar uma camada contextual superior para LLMs. Oferece um fluxo de trabalho RAG otimizado adaptável a empresas de qualquer escala. Alimentado por [um motor de contexto](https://ragflow.io/basics/what-is-agent-context-engine) convergente e modelos Agent pré-construídos, o RAGFlow permite que desenvolvedores transformem dados complexos em sistemas de IA de alta fidelidade e pronto para produção com excepcional eficiência e precisão.

 ## 🎮 Demo

-Experimente nossa demo em [https://demo.ragflow.io](https://demo.ragflow.io).
+Experimente nossa demo em [https://cloud.ragflow.io](https://cloud.ragflow.io).

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
 <img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
@@ -86,6 +89,7 @@ Experimente nossa demo em [https://demo.ragflow.io](https://demo.ragflow.io).

 ## 🔥 Últimas Atualizações

+- 24-03-2026 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — Fornece um skill oficial para acessar datasets do RAGFlow via OpenClaw.
 - 26-12-2025 Suporte à função 'Memória' para agentes de IA.
 - 19-11-2025 Suporta Gemini 3 Pro.
 - 12-11-2025 Suporta a sincronização de dados do Confluence, S3, Notion, Discord e Google Drive.
@@ -188,12 +192,12 @@ Experimente nossa demo em [https://demo.ragflow.io](https://demo.ragflow.io).
 > Todas as imagens Docker são construídas para plataformas x86. Atualmente, não oferecemos imagens Docker para ARM64.
 > Se você estiver usando uma plataforma ARM64, por favor, utilize [este guia](https://ragflow.io/docs/dev/build_docker_image) para construir uma imagem Docker compatível com o seu sistema.

-    > O comando abaixo baixa a edição`v0.23.1` da imagem Docker do RAGFlow. Consulte a tabela a seguir para descrições de diferentes edições do RAGFlow. Para baixar uma edição do RAGFlow diferente da `v0.23.1`, atualize a variável `RAGFLOW_IMAGE` conforme necessário no **docker/.env** antes de usar `docker compose` para iniciar o servidor.
+    > O comando abaixo baixa a edição`v0.25.1` da imagem Docker do RAGFlow. Consulte a tabela a seguir para descrições de diferentes edições do RAGFlow. Para baixar uma edição do RAGFlow diferente da `v0.25.1`, atualize a variável `RAGFLOW_IMAGE` conforme necessário no **docker/.env** antes de usar `docker compose` para iniciar o servidor.

 ```bash
   $ cd ragflow/docker
-   
-   # git checkout v0.23.1
+
+   # git checkout v0.25.1
   # Opcional: use uma tag estável (veja releases: https://github.com/infiniflow/ragflow/releases)
   # Esta etapa garante que o arquivo entrypoint.sh no código corresponda à versão da imagem do Docker.

@@ -316,7 +320,7 @@ docker build --platform linux/amd64 \
   git clone https://github.com/infiniflow/ragflow.git
   cd ragflow/
   uv sync --python 3.12 # instala os módulos Python dependentes do RAGFlow
-   uv run download_deps.py
+   uv run python3 download_deps.py
   pre-commit install
   ```
 3. Inicie os serviços dependentes (MinIO, Elasticsearch, Redis e MySQL) usando Docker Compose:
@@ -378,8 +382,8 @@ docker build --platform linux/amd64 \
 - [Quickstart](https://ragflow.io/docs/dev/)
 - [Configuration](https://ragflow.io/docs/dev/configurations)
 - [Release notes](https://ragflow.io/docs/dev/release_notes)
- [User guides](https://ragflow.io/docs/dev/category/guides)
- [Developer guides](https://ragflow.io/docs/dev/category/developers)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
 - [References](https://ragflow.io/docs/dev/category/references)
 - [FAQs](https://ragflow.io/docs/dev/faq)

--- a/README_tr.md
+++ b/README_tr.md
@@ -0,0 +1,409 @@
+<div align="center">
+<a href="https://cloud.ragflow.io/">
+<img src="web/src/assets/logo-with-text.svg" width="520" alt="ragflow logo">
+</a>
+</div>
+
+<p align="center">
+  <a href="./README.md"><img alt="README in English" src="https://img.shields.io/badge/English-DFE0E5"></a>
+  <a href="./README_zh.md"><img alt="简体中文版自述文件" src="https://img.shields.io/badge/简体中文-DFE0E5"></a>
+  <a href="./README_tzh.md"><img alt="繁體版中文自述文件" src="https://img.shields.io/badge/繁體中文-DFE0E5"></a>
+  <a href="./README_ja.md"><img alt="日本語のREADME" src="https://img.shields.io/badge/日本語-DFE0E5"></a>
+  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
+  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
+  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DBEDFA"></a>
+</p>
+
+<p align="center">
+    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
+        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="X(Twitter)'da takip et">
+    </a>
+    <a href="https://cloud.ragflow.io" target="_blank">
+        <img alt="Çevrimiçi Demo" src="https://img.shields.io/badge/Online-Demo-4e6b99">
+    </a>
+    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
+    </a>
+    <a href="https://github.com/infiniflow/ragflow/releases/latest">
+        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Son%20Sürüm" alt="Son Sürüm">
+    </a>
+    <a href="https://github.com/infiniflow/ragflow/blob/main/LICENSE">
+        <img height="21" src="https://img.shields.io/badge/Lisans-Apache--2.0-ffffff?labelColor=d4eaf7&color=2e6cc4" alt="lisans">
+    </a>
+    <a href="https://deepwiki.com/infiniflow/ragflow">
+        <img alt="Ask DeepWiki" src="https://deepwiki.com/badge.svg">
+    </a>
+</p>
+
+<h4 align="center">
+  <a href="https://ragflow.io/docs/dev/">Dokümantasyon</a> |
+  <a href="https://github.com/infiniflow/ragflow/issues/12241">Yol Haritası</a> |
+  <a href="https://twitter.com/infiniflowai">Twitter</a> |
+  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
+  <a href="https://cloud.ragflow.io">Demo</a>
+</h4>
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/ragflow-octoverse.png" width="1200"/>
+</div>
+
+<div align="center">
+<a href="https://trendshift.io/repositories/9064" target="_blank"><img src="https://trendshift.io/api/badge/repositories/9064" alt="infiniflow%2Fragflow | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
+</div>
+
+<details open>
+<summary><b>📕 İçindekiler</b></summary>
+
+- 💡 [RAGFlow Nedir?](#-ragflow-nedir)
+- 🎮 [Demo](#-demo)
+- 📌 [Son Güncellemeler](#-son-güncellemeler)
+- 🌟 [Temel Özellikler](#-temel-özellikler)
+- 🔎 [Sistem Mimarisi](#-sistem-mimarisi)
+- 🎬 [Başlarken](#-başlarken)
+- 🔧 [Yapılandırmalar](#-yapılandırmalar)
+- 🔧 [Docker İmajı Oluşturma](#-docker-i̇majı-oluşturma)
+- 🔨 [Geliştirme İçin Kaynaktan Hizmet Başlatma](#-geliştirme-i̇çin-kaynaktan-hizmet-başlatma)
+- 📚 [Dokümantasyon](#-dokümantasyon)
+- 📜 [Yol Haritası](#-yol-haritası)
+- 🏄 [Topluluk](#-topluluk)
+- 🙌 [Katkıda Bulunma](#-katkıda-bulunma)
+
+</details>
+
+## 💡 RAGFlow Nedir?
+
+[RAGFlow](https://ragflow.io/), derin doküman anlayışına dayalı, açık kaynaklı ve öncü bir Artırılmış Üretim ile Bilgi Erişimi ([RAG](https://ragflow.io/basics/what-is-rag)) motorudur. En son RAG teknolojisini Ajan yetenekleriyle birleştirerek LLM'ler için üstün bir bağlam katmanı oluşturur. Her ölçekteki kuruluşa uyarlanabilir, kolaylaştırılmış bir RAG iş akışı sunar. Yakınsanmış bir [bağlam motoru](https://ragflow.io/basics/what-is-agent-context-engine) ve hazır ajan şablonlarıyla donatılmış RAGFlow, geliştiricilerin karmaşık verileri yüksek doğrulukta, üretime hazır yapay zeka sistemlerine olağanüstü verimlilik ve hassasiyetle dönüştürmesini sağlar.
+
+## 🎮 Demo
+
+Demomuzu [https://cloud.ragflow.io](https://cloud.ragflow.io) adresinden deneyebilirsiniz.
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
+<img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/agentic-dark.gif" width="1200"/>
+</div>
+
+## 🔥 Son Güncellemeler
+
+- 2026-03-24 [RAGFlow Skill on OpenClaw](https://clawhub.ai/yingfeng/ragflow-skill) — OpenClaw üzerinden RAGFlow veri setlerine erişmek için resmi bir skill sağlar.
+- 2025-12-26 Yapay zeka ajanı için 'Bellek' desteği eklendi.
+- 2025-11-19 Gemini 3 Pro desteği eklendi.
+- 2025-11-12 Confluence, S3, Notion, Discord, Google Drive'dan veri senkronizasyonu desteği eklendi.
+- 2025-10-23 Doküman ayrıştırma yöntemi olarak MinerU ve Docling desteği eklendi.
+- 2025-10-15 Düzenlenebilir veri alım hattı desteği eklendi.
+- 2025-08-08 OpenAI'ın en yeni GPT-5 serisi modelleri için destek eklendi.
+- 2025-08-01 Ajanlı iş akışı ve MCP desteği eklendi.
+- 2025-05-23 Ajana Python/JavaScript kod çalıştırıcı bileşeni eklendi.
+- 2025-05-05 Diller arası sorgu desteği eklendi.
+- 2025-03-19 PDF veya DOCX dosyalarındaki görselleri yorumlamak için çok modlu model desteği eklendi.
+
+## 🎉 Bizi Takip Edin
+
+⭐️ Heyecan verici yeni özellikler ve iyileştirmelerden haberdar olmak için depomuzı yıldızlayın! Yeni sürümler için anında bildirim alın! 🌟
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://github.com/user-attachments/assets/18c9707e-b8aa-4caf-a154-037089c105ba" width="1200"/>
+</div>
+
+## 🌟 Temel Özellikler
+
+### 🍭 **"Kaliteli girdi, kaliteli çıktı"**
+
+- Karmaşık formatlara sahip yapılandırılmamış verilerden [derin doküman anlayışı](./deepdoc/README.md) tabanlı bilgi çıkarımı.
+- Kelimenin tam anlamıyla sınırsız token içinde "samanlıkta iğne bulma" yeteneği.
+
+### 🍱 **Şablon tabanlı parçalama**
+
+- Akıllı ve açıklanabilir.
+- Aralarından seçim yapabileceğiniz çok sayıda şablon seçeneği.
+
+### 🌱 **Azaltılmış halüsinasyonlarla temellendirilmiş alıntılar**
+
+- İnsan müdahalesine olanak tanıyan metin parçalama görselleştirmesi.
+- Temellendirilmiş yanıtları desteklemek için anahtar referansların hızlı görüntülenmesi ve izlenebilir alıntılar.
+
+### 🍔 **Heterojen veri kaynaklarıyla uyumluluk**
+
+- Word, slaytlar, Excel, txt, görseller, taranmış kopyalar, yapılandırılmış veriler, web sayfaları ve daha fazlasını destekler.
+
+### 🛀 **Otomatik ve zahmetsiz RAG iş akışı**
+
+- Hem bireysel hem de büyük işletmeler için özelleştirilmiş kolaylaştırılmış RAG düzenlemesi.
+- Yapılandırılabilir LLM'ler ve gömme (embedding) modelleri.
+- Birleştirilmiş yeniden sıralama ile çoklu geri çağırma.
+- İş süreçlerine sorunsuz entegrasyon için sezgisel API'ler.
+
+## 🔎 Sistem Mimarisi
+
+<div align="center" style="margin-top:20px;margin-bottom:20px;">
+<img src="https://github.com/user-attachments/assets/31b0dd6f-ca4f-445a-9457-70cb44a381b2" width="1000"/>
+</div>
+
+## 🎬 Başlarken
+
+### 📝 Ön Koşullar
+
+- CPU >= 4 çekirdek
+- RAM >= 16 GB
+- Disk >= 50 GB
+- Docker >= 24.0.0 & Docker Compose >= v2.26.1
+- [gVisor](https://gvisor.dev/docs/user_guide/install/): Yalnızca RAGFlow'un kod çalıştırıcı (sandbox) özelliğini kullanmayı planlıyorsanız gereklidir.
+
+> [!TIP]
+> Yerel makinenize (Windows, Mac veya Linux) Docker yüklemediyseniz, [Docker Engine Kurulumu](https://docs.docker.com/engine/install/) sayfasına bakın.
+
+### 🚀 Sunucuyu Başlatma
+
+1. `vm.max_map_count` değerinin >= 262144 olduğundan emin olun:
+
+   > `vm.max_map_count` değerini kontrol etmek için:
+   >
+   > ```bash
+   > $ sysctl vm.max_map_count
+   > ```
+   >
+   > Değer 262144'ten düşükse, en az 262144 olarak ayarlayın.
+   >
+   > ```bash
+   > # Bu örnekte 262144 olarak ayarlıyoruz:
+   > $ sudo sysctl -w vm.max_map_count=262144
+   > ```
+   >
+   > Bu değişiklik sistem yeniden başlatıldığında sıfırlanacaktır. Değişikliğin kalıcı olmasını sağlamak için
+   > **/etc/sysctl.conf** dosyasındaki `vm.max_map_count` değerini buna göre ekleyin veya güncelleyin:
+   >
+   > ```bash
+   > vm.max_map_count=262144
+   > ```
+   >
+2. Depoyu klonlayın:
+
+   ```bash
+   $ git clone https://github.com/infiniflow/ragflow.git
+   ```
+3. Önceden oluşturulmuş Docker imajlarını kullanarak sunucuyu başlatın:
+
+> [!CAUTION]
+> Tüm Docker imajları x86 platformları için oluşturulmuştur. Şu anda ARM64 için Docker imajı sunmuyoruz.
+> ARM64 platformundaysanız, sisteminizle uyumlu bir Docker imajı oluşturmak için [bu kılavuzu](https://ragflow.io/docs/dev/build_docker_image) takip edin.
+
+> Aşağıdaki komut RAGFlow Docker imajının `v0.25.1` sürümünü indirir. Farklı RAGFlow sürümleri için aşağıdaki tabloya bakın. `v0.25.1` dışında bir sürüm indirmek için, `docker compose` ile sunucuyu başlatmadan önce **docker/.env** dosyasındaki `RAGFLOW_IMAGE` değişkenini güncelleyin.
+
+```bash
+   $ cd ragflow/docker
+
+   # git checkout v0.25.1
+   # İsteğe bağlı: Kararlı bir etiket kullanın (sürümler: https://github.com/infiniflow/ragflow/releases)
+   # Bu adım, koddaki **entrypoint.sh** dosyasının Docker imaj sürümüyle eşleşmesini sağlar.
+
+   # DeepDoc görevleri için CPU kullanımı:
+   $ docker compose -f docker-compose.yml up -d
+
+   # DeepDoc görevlerini hızlandırmak için GPU kullanımı:
+   # sed -i '1i DEVICE=gpu' .env
+   # docker compose -f docker-compose.yml up -d
+```
+
+> Not: `v0.22.0` öncesinde hem gömme modelleri içeren imajlar hem de gömme modelleri içermeyen ince (slim) imajlar sunuyorduk. Detaylar aşağıdadır:
+
+| RAGFlow imaj etiketi | İmaj boyutu (GB) | Gömme modelleri var mı? | Kararlı mı?    |
+|-----------------------|-------------------|-------------------------|-----------------|
+| v0.21.1               | &approx;9        | ✔️                      | Kararlı sürüm   |
+| v0.21.1-slim          | &approx;2        | ❌                       | Kararlı sürüm   |
+
+> `v0.22.0`'dan itibaren yalnızca ince (slim) sürümü sunuyoruz ve imaj etiketine artık **-slim** son eki eklemiyoruz.
+
+4. Sunucu çalışır duruma geldikten sonra sunucu durumunu kontrol edin:
+
+   ```bash
+   $ docker logs -f docker-ragflow-cpu-1
+   ```
+
+   _Aşağıdaki çıktı, sistemin başarıyla başlatıldığını onaylar:_
+
+   ```bash
+
+         ____   ___    ______ ______ __
+        / __ \ /   |  / ____// ____// /____  _      __
+       / /_/ // /| | / / __ / /_   / // __ \| | /| / /
+      / _, _// ___ |/ /_/ // __/  / // /_/ /| |/ |/ /
+     /_/ |_|/_/  |_|\____//_/    /_/ \____/ |__/|__/
+
+    * Running on all addresses (0.0.0.0)
+   ```
+
+   > Bu onay adımını atlayıp doğrudan RAGFlow'a giriş yaparsanız, o anda RAGFlow tam olarak başlatılmamış olabileceğinden
+   > tarayıcınız `ağ hatası` uyarısı verebilir.
+   >
+5. Web tarayıcınıza sunucunuzun IP adresini girin ve RAGFlow'a giriş yapın.
+
+   > Varsayılan ayarlarla, yalnızca `http://MAKİNENİZİN_IP_ADRESİ` girmeniz yeterlidir (port numarası **gerekmez**),
+   > çünkü varsayılan HTTP sunucu portu `80` varsayılan yapılandırmalar kullanıldığında ihmal edilebilir.
+   >
+6. [service_conf.yaml.template](./docker/service_conf.yaml.template) dosyasında, `user_default_llm` içinde istediğiniz LLM sağlayıcısını seçin ve
+   `API_KEY` alanını ilgili API anahtarıyla güncelleyin.
+
+   > Daha fazla bilgi için [llm_api_key_setup](https://ragflow.io/docs/dev/llm_api_key_setup) sayfasına bakın.
+   >
+
+   _Gösteri başlasın!_
+
+## 🔧 Yapılandırmalar
+
+Sistem yapılandırmaları söz konusu olduğunda, aşağıdaki dosyaları yönetmeniz gerekecektir:
+
+- [.env](./docker/.env): `SVR_HTTP_PORT`, `MYSQL_PASSWORD` ve `MINIO_PASSWORD` gibi temel sistem ayarlarını içerir.
+- [service_conf.yaml.template](./docker/service_conf.yaml.template): Arka uç hizmetlerini yapılandırır. Bu dosyadaki ortam değişkenleri, Docker konteyneri başladığında otomatik olarak doldurulacaktır. Docker konteyneri içinde ayarlanan tüm ortam değişkenleri kullanıma hazır olacak ve hizmet davranışını dağıtım ortamına göre özelleştirmenize olanak tanıyacaktır.
+- [docker-compose.yml](./docker/docker-compose.yml): Sistem, başlatılmak için [docker-compose.yml](./docker/docker-compose.yml) dosyasına dayanır.
+
+> [./docker/README](./docker/README.md) dosyası, [service_conf.yaml.template](./docker/service_conf.yaml.template) dosyasında `${ENV_VARS}` olarak kullanılabilen ortam ayarları ve hizmet yapılandırmalarının ayrıntılı bir açıklamasını sağlar.
+
+Varsayılan HTTP sunucu portunu (80) değiştirmek için [docker-compose.yml](./docker/docker-compose.yml) dosyasında `80:80` ifadesini `<SUNUCU_PORTUNUZ>:80` olarak değiştirin.
+
+Yukarıdaki yapılandırma değişikliklerinin etkili olması için tüm konteynerlerin yeniden başlatılması gerekir:
+
+> ```bash
+> $ docker compose -f docker-compose.yml up -d
+> ```
+
+### Doküman Motorunu Elasticsearch'ten Infinity'ye Geçirme
+
+RAGFlow varsayılan olarak tam metin ve vektörlerin depolanması için Elasticsearch kullanır. [Infinity](https://github.com/infiniflow/infinity/)'ye geçmek için şu adımları izleyin:
+
+1. Çalışan tüm konteynerleri durdurun:
+
+   ```bash
+   $ docker compose -f docker/docker-compose.yml down -v
+   ```
+
+> [!WARNING]
+> `-v` seçeneği Docker konteyner birimlerini silecek ve mevcut veriler temizlenecektir.
+
+2. **docker/.env** dosyasında `DOC_ENGINE` değerini `infinity` olarak ayarlayın.
+3. Konteynerleri başlatın:
+
+   ```bash
+   $ docker compose -f docker-compose.yml up -d
+   ```
+
+> [!WARNING]
+> Linux/arm64 makinesinde Infinity'ye geçiş henüz resmi olarak desteklenmemektedir.
+
+## 🔧 Docker İmajı Oluşturma
+
+Bu imaj yaklaşık 2 GB boyutundadır ve harici LLM ile gömme hizmetlerine bağlıdır.
+
+```bash
+git clone https://github.com/infiniflow/ragflow.git
+cd ragflow/
+docker build --platform linux/amd64 -f Dockerfile -t infiniflow/ragflow:nightly .
+```
+
+Veya bir proxy arkasındaysanız, proxy parametrelerini iletebilirsiniz:
+
+```bash
+docker build --platform linux/amd64 \
+  --build-arg http_proxy=http://PROXY_ADRESINIZ:PORT \
+  --build-arg https_proxy=http://PROXY_ADRESINIZ:PORT \
+  -f Dockerfile -t infiniflow/ragflow:nightly .
+```
+
+## 🔨 Geliştirme İçin Kaynaktan Hizmet Başlatma
+
+1. `uv` ve `pre-commit` yükleyin veya zaten yüklüyse bu adımı atlayın:
+
+   ```bash
+   pipx install uv pre-commit
+   ```
+2. Kaynak kodunu klonlayın ve Python bağımlılıklarını yükleyin:
+
+   ```bash
+   git clone https://github.com/infiniflow/ragflow.git
+   cd ragflow/
+   uv sync --python 3.12 # RAGFlow'un bağımlı Python modüllerini yükler
+   uv run python3 download_deps.py
+   pre-commit install
+   ```
+3. Bağımlı hizmetleri (MinIO, Elasticsearch, Redis ve MySQL) Docker Compose kullanarak başlatın:
+
+   ```bash
+   docker compose -f docker/docker-compose-base.yml up -d
+   ```
+
+   **docker/.env** dosyasında belirtilen tüm ana bilgisayar adlarını `127.0.0.1`'e çözümlemek için `/etc/hosts` dosyasına aşağıdaki satırı ekleyin:
+
+   ```
+   127.0.0.1       es01 infinity mysql minio redis sandbox-executor-manager
+   ```
+4. HuggingFace'e erişemiyorsanız, bir ayna site kullanmak için `HF_ENDPOINT` ortam değişkenini ayarlayın:
+
+   ```bash
+   export HF_ENDPOINT=https://hf-mirror.com
+   ```
+5. İşletim sisteminizde jemalloc yoksa, aşağıdaki şekilde yükleyin:
+
+   ```bash
+   # Ubuntu
+   sudo apt-get install libjemalloc-dev
+   # CentOS
+   sudo yum install jemalloc
+   # OpenSUSE
+   sudo zypper install jemalloc
+   # macOS
+   sudo brew install jemalloc
+   ```
+6. Arka uç hizmetini başlatın:
+
+   ```bash
+   source .venv/bin/activate
+   export PYTHONPATH=$(pwd)
+   bash docker/launch_backend_service.sh
+   ```
+7. Ön yüz bağımlılıklarını yükleyin:
+
+   ```bash
+   cd web
+   npm install
+   ```
+8. Ön yüz hizmetini başlatın:
+
+   ```bash
+   npm run dev
+   ```
+
+   _Aşağıdaki çıktı, sistemin başarıyla başlatıldığını onaylar:_
+
+   ![](https://github.com/user-attachments/assets/0daf462c-a24d-4496-a66f-92533534e187)
+9. Geliştirme tamamlandıktan sonra RAGFlow ön yüz ve arka uç hizmetini durdurun:
+
+   ```bash
+   pkill -f "ragflow_server.py|task_executor.py"
+   ```
+
+## 📚 Dokümantasyon
+
+- [Hızlı Başlangıç](https://ragflow.io/docs/dev/)
+- [Yapılandırma](https://ragflow.io/docs/dev/configurations)
+- [Sürüm Notları](https://ragflow.io/docs/dev/release_notes)
+- [Kullanıcı Kılavuzları](https://ragflow.io/docs/category/user-guides)
+- [Geliştirici Kılavuzları](https://ragflow.io/docs/category/developer-guides)
+- [Referanslar](https://ragflow.io/docs/dev/category/references)
+- [SSS](https://ragflow.io/docs/dev/faq)
+
+## 📜 Yol Haritası
+
+[RAGFlow Yol Haritası 2026](https://github.com/infiniflow/ragflow/issues/12241) sayfasına bakın.
+
+## 🏄 Topluluk
+
+- [Discord](https://discord.gg/NjYzJD3GM3)
+- [Twitter](https://twitter.com/infiniflowai)
+- [GitHub Tartışmalar](https://github.com/orgs/infiniflow/discussions)
+
+## 🙌 Katkıda Bulunma
+
+RAGFlow, açık kaynak iş birliği sayesinde gelişmektedir. Bu anlayışla, topluluktan gelen çeşitli katkıları benimsiyoruz.
+Bir parçası olmak istiyorsanız, önce [Katkıda Bulunma Kılavuzumuzu](https://ragflow.io/docs/dev/contributing) inceleyin.
--- a/README_tzh.md
+++ b/README_tzh.md
@@ -1,5 +1,5 @@
 <div align="center">
-<a href="https://demo.ragflow.io/">
+<a href="https://cloud.ragflow.io/">
 <img src="web/src/assets/logo-with-text.svg" width="350" alt="ragflow logo">
 </a>
 </div>
@@ -12,17 +12,20 @@
  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
 </p>

 <p align="center">
    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="follow on X(Twitter)">
    </a>
-    <a href="https://demo.ragflow.io" target="_blank">
+    <a href="https://cloud.ragflow.io" target="_blank">
        <img alt="Static Badge" src="https://img.shields.io/badge/Online-Demo-4e6b99">
    </a>
    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
-        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.23.1">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
    </a>
    <a href="https://github.com/infiniflow/ragflow/releases/latest">
        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Latest%20Release" alt="Latest Release">
@@ -40,7 +43,7 @@
  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
  <a href="https://twitter.com/infiniflowai">Twitter</a> |
  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
-  <a href="https://demo.ragflow.io">Demo</a>
+  <a href="https://cloud.ragflow.io">Demo</a>
 </h4>

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
@@ -72,11 +75,11 @@

 ## 💡 RAGFlow 是什麼？

-[RAGFlow](https://ragflow.io/) 是一款領先的開源 RAG（Retrieval-Augmented Generation）引擎，通過融合前沿的 RAG 技術與 Agent 能力，為大型語言模型提供卓越的上下文層。它提供可適配任意規模企業的端到端 RAG 工作流，憑藉融合式上下文引擎與預置的 Agent 模板，助力開發者以極致效率與精度將複雜數據轉化為高可信、生產級的人工智能系統。
+[RAGFlow](https://ragflow.io/) 是一款領先的開源 [RAG](https://ragflow.io/basics/what-is-rag)（Retrieval-Augmented Generation）引擎，通過融合前沿的 RAG 技術與 Agent 能力，為大型語言模型提供卓越的上下文層。它提供可適配任意規模企業的端到端 RAG 工作流，憑藉融合式[上下文引擎](https://ragflow.io/basics/what-is-agent-context-engine)與預置的 Agent 模板，助力開發者以極致效率與精度將複雜數據轉化為高可信、生產級的人工智能系統。

 ## 🎮 Demo 試用

-請登入網址 [https://demo.ragflow.io](https://demo.ragflow.io) 試用 demo。
+請登入網址 [https://cloud.ragflow.io](https://cloud.ragflow.io) 試用 demo。

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
 <img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
@@ -85,6 +88,7 @@

 ## 🔥 近期更新

+- 2026-03-24 發布 [RAGFlow 官方 Skill](https://clawhub.ai/yingfeng/ragflow-skill) — 提供官方 Skill 以透過 OpenClaw 訪問 RAGFlow 數據集。
 - 2025-12-26 支援AI代理的「記憶」功能。
 - 2025-11-19 支援 Gemini 3 Pro。
 - 2025-11-12 支援從 Confluence、S3、Notion、Discord、Google Drive 進行資料同步。
@@ -187,12 +191,12 @@
 > 所有 Docker 映像檔都是為 x86 平台建置的。目前，我們不提供 ARM64 平台的 Docker 映像檔。
 > 如果您使用的是 ARM64 平台，請使用 [這份指南](https://ragflow.io/docs/dev/build_docker_image) 來建置適合您系統的 Docker 映像檔。

-> 執行以下指令會自動下載 RAGFlow Docker 映像 `v0.23.1`。請參考下表查看不同 Docker 發行版的說明。如需下載不同於 `v0.23.1` 的 Docker 映像，請在執行 `docker compose` 啟動服務之前先更新 **docker/.env** 檔案內的 `RAGFLOW_IMAGE` 變數。
+> 執行以下指令會自動下載 RAGFlow Docker 映像 `v0.25.1`。請參考下表查看不同 Docker 發行版的說明。如需下載不同於 `v0.25.1` 的 Docker 映像，請在執行 `docker compose` 啟動服務之前先更新 **docker/.env** 檔案內的 `RAGFLOW_IMAGE` 變數。

 ```bash
   $ cd ragflow/docker
-   
-   # git checkout v0.23.1
+
+   # git checkout v0.25.1
   # 可選：使用穩定版標籤（查看發佈：https://github.com/infiniflow/ragflow/releases）
   # 此步驟確保程式碼中的 entrypoint.sh 檔案與 Docker 映像版本一致。

@@ -326,7 +330,7 @@ docker build --platform linux/amd64 \
   git clone https://github.com/infiniflow/ragflow.git
   cd ragflow/
   uv sync --python 3.12 # install RAGFlow dependent python modules
-   uv run download_deps.py
+   uv run python3 download_deps.py
   pre-commit install
   ```
 3. 透過 Docker Compose 啟動依賴的服務（MinIO, Elasticsearch, Redis, and MySQL）：
@@ -392,8 +396,8 @@ docker build --platform linux/amd64 \
 - [Quickstart](https://ragflow.io/docs/dev/)
 - [Configuration](https://ragflow.io/docs/dev/configurations)
 - [Release notes](https://ragflow.io/docs/dev/release_notes)
- [User guides](https://ragflow.io/docs/dev/category/guides)
- [Developer guides](https://ragflow.io/docs/dev/category/developers)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
 - [References](https://ragflow.io/docs/dev/category/references)
 - [FAQs](https://ragflow.io/docs/dev/faq)

--- a/README_zh.md
+++ b/README_zh.md
@@ -1,5 +1,5 @@
 <div align="center">
-<a href="https://demo.ragflow.io/">
+<a href="https://cloud.ragflow.io/">
 <img src="web/src/assets/logo-with-text.svg" width="350" alt="ragflow logo">
 </a>
 </div>
@@ -12,17 +12,20 @@
  <a href="./README_ko.md"><img alt="한국어" src="https://img.shields.io/badge/한국어-DFE0E5"></a>
  <a href="./README_id.md"><img alt="Bahasa Indonesia" src="https://img.shields.io/badge/Bahasa Indonesia-DFE0E5"></a>
  <a href="./README_pt_br.md"><img alt="Português(Brasil)" src="https://img.shields.io/badge/Português(Brasil)-DFE0E5"></a>
+  <a href="./README_fr.md"><img alt="README en Français" src="https://img.shields.io/badge/Français-DFE0E5"></a>
+  <a href="./README_ar.md"><img alt="README in Arabic" src="https://img.shields.io/badge/Arabic-DFE0E5"></a>
+  <a href="./README_tr.md"><img alt="Türkçe README" src="https://img.shields.io/badge/Türkçe-DFE0E5"></a>
 </p>

 <p align="center">
    <a href="https://x.com/intent/follow?screen_name=infiniflowai" target="_blank">
        <img src="https://img.shields.io/twitter/follow/infiniflow?logo=X&color=%20%23f5f5f5" alt="follow on X(Twitter)">
    </a>
-    <a href="https://demo.ragflow.io" target="_blank">
+    <a href="https://cloud.ragflow.io" target="_blank">
        <img alt="Static Badge" src="https://img.shields.io/badge/Online-Demo-4e6b99">
    </a>
    <a href="https://hub.docker.com/r/infiniflow/ragflow" target="_blank">
-        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.23.1">
+        <img src="https://img.shields.io/docker/pulls/infiniflow/ragflow?label=Docker%20Pulls&color=0db7ed&logo=docker&logoColor=white&style=flat-square" alt="docker pull infiniflow/ragflow:v0.25.1">
    </a>
    <a href="https://github.com/infiniflow/ragflow/releases/latest">
        <img src="https://img.shields.io/github/v/release/infiniflow/ragflow?color=blue&label=Latest%20Release" alt="Latest Release">
@@ -40,7 +43,7 @@
  <a href="https://github.com/infiniflow/ragflow/issues/12241">Roadmap</a> |
  <a href="https://twitter.com/infiniflowai">Twitter</a> |
  <a href="https://discord.gg/NjYzJD3GM3">Discord</a> |
-  <a href="https://demo.ragflow.io">Demo</a>
+  <a href="https://cloud.ragflow.io">Demo</a>
 </h4>

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
@@ -72,11 +75,11 @@

 ## 💡 RAGFlow 是什么？

-[RAGFlow](https://ragflow.io/) 是一款领先的开源检索增强生成（RAG）引擎，通过融合前沿的 RAG 技术与 Agent 能力，为大型语言模型提供卓越的上下文层。它提供可适配任意规模企业的端到端 RAG 工作流，凭借融合式上下文引擎与预置的 Agent 模板，助力开发者以极致效率与精度将复杂数据转化为高可信、生产级的人工智能系统。
+[RAGFlow](https://ragflow.io/) 是一款领先的开源检索增强生成（[RAG](https://ragflow.io/basics/what-is-rag)）引擎，通过融合前沿的 RAG 技术与 Agent 能力，为大型语言模型提供卓越的上下文层。它提供可适配任意规模企业的端到端 RAG 工作流，凭借融合式[上下文引擎](https://ragflow.io/basics/what-is-agent-context-engine)与预置的 Agent 模板，助力开发者以极致效率与精度将复杂数据转化为高可信、生产级的人工智能系统。

 ## 🎮 Demo 试用

-请登录网址 [https://demo.ragflow.io](https://demo.ragflow.io) 试用 demo。
+请登录网址 [https://cloud.ragflow.io](https://cloud.ragflow.io) 试用 demo。

 <div align="center" style="margin-top:20px;margin-bottom:20px;">
 <img src="https://raw.githubusercontent.com/infiniflow/ragflow-docs/refs/heads/image/image/chunking.gif" width="1200"/>
@@ -85,7 +88,8 @@

 ## 🔥 近期更新

- 2025-12-26 支持AI代理的“记忆”功能。
+- 2026-03-24 发布 [RAGFlow 官方 Skill](https://clawhub.ai/yingfeng/ragflow-skill) — 提供官方 Skill 以通过 OpenClaw 访问 RAGFlow 数据集。
+- 2025-12-26 支持AI代理的"记忆"功能。
 - 2025-11-19 支持 Gemini 3 Pro。
 - 2025-11-12 支持从 Confluence、S3、Notion、Discord、Google Drive 进行数据同步。
 - 2025-10-23 支持 MinerU 和 Docling 作为文档解析方法。
@@ -188,12 +192,12 @@
 > 请注意，目前官方提供的所有 Docker 镜像均基于 x86 架构构建，并不提供基于 ARM64 的 Docker 镜像。
 > 如果你的操作系统是 ARM64 架构，请参考[这篇文档](https://ragflow.io/docs/dev/build_docker_image)自行构建 Docker 镜像。

-   > 运行以下命令会自动下载 RAGFlow Docker 镜像 `v0.23.1`。请参考下表查看不同 Docker 发行版的描述。如需下载不同于 `v0.23.1` 的 Docker 镜像，请在运行 `docker compose` 启动服务之前先更新 **docker/.env** 文件内的 `RAGFLOW_IMAGE` 变量。
+   > 运行以下命令会自动下载 RAGFlow Docker 镜像 `v0.25.1`。请参考下表查看不同 Docker 发行版的描述。如需下载不同于 `v0.25.1` 的 Docker 镜像，请在运行 `docker compose` 启动服务之前先更新 **docker/.env** 文件内的 `RAGFLOW_IMAGE` 变量。

   ```bash
   $ cd ragflow/docker
-   
-   # git checkout v0.23.1
+
+   # git checkout v0.25.1
   # 可选：使用稳定版本标签（查看发布：https://github.com/infiniflow/ragflow/releases）
   # 这一步确保代码中的 entrypoint.sh 文件与 Docker 镜像的版本保持一致。

@@ -204,7 +208,7 @@
   # sed -i '1i DEVICE=gpu' .env
   # docker compose -f docker-compose.yml up -d
   ```
-   
+
   > 注意：在 `v0.22.0` 之前的版本，我们会同时提供包含 embedding 模型的镜像和不含 embedding 模型的 slim 镜像。具体如下：

   | RAGFlow image tag | Image size (GB) | Has embedding models? | Stable?        |
@@ -326,7 +330,7 @@ docker build --platform linux/amd64 \
   git clone https://github.com/infiniflow/ragflow.git
   cd ragflow/
   uv sync --python 3.12 # install RAGFlow dependent python modules
-   uv run download_deps.py
+   uv run python3 download_deps.py
   pre-commit install
   ```

@@ -395,8 +399,8 @@ docker build --platform linux/amd64 \
 - [Quickstart](https://ragflow.io/docs/dev/)
 - [Configuration](https://ragflow.io/docs/dev/configurations)
 - [Release notes](https://ragflow.io/docs/dev/release_notes)
- [User guides](https://ragflow.io/docs/dev/category/guides)
- [Developer guides](https://ragflow.io/docs/dev/category/developers)
+- [User guides](https://ragflow.io/docs/category/user-guides)
+- [Developer guides](https://ragflow.io/docs/category/developer-guides)
 - [References](https://ragflow.io/docs/dev/category/references)
 - [FAQs](https://ragflow.io/docs/dev/faq)

--- a/admin/build_cli_release.sh
+++ b/admin/build_cli_release.sh
@@ -21,7 +21,7 @@ cp pyproject.toml release/$PROJECT_NAME/pyproject.toml
 cp README.md release/$PROJECT_NAME/README.md

 mkdir release/$PROJECT_NAME/$SOURCE_DIR/$PACKAGE_DIR -p
-cp admin_client.py release/$PROJECT_NAME/$SOURCE_DIR/$PACKAGE_DIR/admin_client.py
+cp ragflow_cli.py release/$PROJECT_NAME/$SOURCE_DIR/$PACKAGE_DIR/ragflow_cli.py

 if [ -d "release/$PROJECT_NAME/$SOURCE_DIR" ]; then
    echo "✅ source dir: release/$PROJECT_NAME/$SOURCE_DIR"
--- a/admin/client/COMMAND.md
+++ b/admin/client/COMMAND.md
@@ -0,0 +1,779 @@
+# RAGFlow CLI User Command Reference
+
+This document describes the user commands available in RAGFlow CLI. All commands must end with a semicolon (`;`).
+
+## Command List
+
+### ping_server
+
+**Description**  
+Tests the connection status to the server.
+
+**Usage**  
+```
+PING;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> PING;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### show_current_user
+
+**Description**  
+Displays information about the currently logged-in user.
+
+**Usage**  
+```
+SHOW CURRENT USER;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> SHOW CURRENT USER;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### create_model_provider
+
+**Description**  
+Creates a new model provider.
+
+**Usage**  
+```
+CREATE MODEL PROVIDER <provider_name> <provider_key>;
+```
+
+**Parameters**  
+- `provider_name`: Provider name, quoted string.
+- `provider_key`: Provider key, quoted string.
+
+**Example**  
+```
+ragflow> CREATE MODEL PROVIDER 'openai' 'sk-...';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### drop_model_provider
+
+**Description**  
+Deletes a model provider.
+
+**Usage**  
+```
+DROP MODEL PROVIDER <provider_name>;
+```
+
+**Parameters**  
+- `provider_name`: Name of the provider to delete, quoted string.
+
+**Example**  
+```
+ragflow> DROP MODEL PROVIDER 'openai';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### set_default_llm
+
+**Description**  
+Sets the default LLM (Large Language Model).
+
+**Usage**  
+```
+SET DEFAULT LLM <llm_id>;
+```
+
+**Parameters**  
+- `llm_id`: LLM identifier, quoted string.
+
+**Example**  
+```
+ragflow> SET DEFAULT LLM 'gpt-4';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### set_default_vlm
+
+**Description**  
+Sets the default VLM (Vision Language Model).
+
+**Usage**  
+```
+SET DEFAULT VLM <vlm_id>;
+```
+
+**Parameters**  
+- `vlm_id`: VLM identifier, quoted string.
+
+**Example**  
+```
+ragflow> SET DEFAULT VLM 'clip-vit-large';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### set_default_embedding
+
+**Description**  
+Sets the default embedding model.
+
+**Usage**  
+```
+SET DEFAULT EMBEDDING <embedding_id>;
+```
+
+**Parameters**  
+- `embedding_id`: Embedding model identifier, quoted string.
+
+**Example**  
+```
+ragflow> SET DEFAULT EMBEDDING 'text-embedding-ada-002';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### set_default_reranker
+
+**Description**  
+Sets the default reranker model.
+
+**Usage**  
+```
+SET DEFAULT RERANKER <reranker_id>;
+```
+
+**Parameters**  
+- `reranker_id`: Reranker model identifier, quoted string.
+
+**Example**  
+```
+ragflow> SET DEFAULT RERANKER 'bge-reranker-large';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### set_default_asr
+
+**Description**  
+Sets the default ASR (Automatic Speech Recognition) model.
+
+**Usage**  
+```
+SET DEFAULT ASR <asr_id>;
+```
+
+**Parameters**  
+- `asr_id`: ASR model identifier, quoted string.
+
+**Example**  
+```
+ragflow> SET DEFAULT ASR 'whisper-large';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### set_default_tts
+
+**Description**  
+Sets the default TTS (Text-to-Speech) model.
+
+**Usage**  
+```
+SET DEFAULT TTS <tts_id>;
+```
+
+**Parameters**  
+- `tts_id`: TTS model identifier, quoted string.
+
+**Example**  
+```
+ragflow> SET DEFAULT TTS 'tts-1';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### reset_default_llm
+
+**Description**  
+Resets the default LLM to system default.
+
+**Usage**  
+```
+RESET DEFAULT LLM;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> RESET DEFAULT LLM;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### reset_default_vlm
+
+**Description**  
+Resets the default VLM to system default.
+
+**Usage**  
+```
+RESET DEFAULT VLM;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> RESET DEFAULT VLM;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### reset_default_embedding
+
+**Description**  
+Resets the default embedding model to system default.
+
+**Usage**  
+```
+RESET DEFAULT EMBEDDING;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> RESET DEFAULT EMBEDDING;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### reset_default_reranker
+
+**Description**  
+Resets the default reranker model to system default.
+
+**Usage**  
+```
+RESET DEFAULT RERANKER;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> RESET DEFAULT RERANKER;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### reset_default_asr
+
+**Description**  
+Resets the default ASR model to system default.
+
+**Usage**  
+```
+RESET DEFAULT ASR;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> RESET DEFAULT ASR;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### reset_default_tts
+
+**Description**  
+Resets the default TTS model to system default.
+
+**Usage**  
+```
+RESET DEFAULT TTS;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> RESET DEFAULT TTS;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### create_user_dataset_with_parser
+
+**Description**  
+Creates a user dataset with the specified parser.
+
+**Usage**  
+```
+CREATE DATASET <dataset_name> WITH EMBEDDING <embedding> PARSER <parser_type>;
+```
+
+**Parameters**  
+- `dataset_name`: Dataset name, quoted string.
+- `embedding`: Embedding model name, quoted string.
+- `parser_type`: Parser type, quoted string.
+
+**Example**  
+```
+ragflow> CREATE DATASET 'my_dataset' WITH EMBEDDING 'text-embedding-ada-002' PARSER 'pdf';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### create_user_dataset_with_pipeline
+
+**Description**  
+Creates a user dataset with the specified pipeline.
+
+**Usage**  
+```
+CREATE DATASET <dataset_name> WITH EMBEDDING <embedding> PIPELINE <pipeline>;
+```
+
+**Parameters**  
+- `dataset_name`: Dataset name, quoted string.
+- `embedding`: Embedding model name, quoted string.
+- `pipeline`: Pipeline name, quoted string.
+
+**Example**  
+```
+ragflow> CREATE DATASET 'my_dataset' WITH EMBEDDING 'text-embedding-ada-002' PIPELINE 'standard';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### drop_user_dataset
+
+**Description**  
+Deletes a user dataset.
+
+**Usage**  
+```
+DROP DATASET <dataset_name>;
+```
+
+**Parameters**  
+- `dataset_name`: Name of the dataset to delete, quoted string.
+
+**Example**  
+```
+ragflow> DROP DATASET 'my_dataset';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### list_user_datasets
+
+**Description**  
+Lists all datasets for the current user.
+
+**Usage**  
+```
+LIST DATASETS;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> LIST DATASETS;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### list_user_dataset_files
+
+**Description**  
+Lists all files in the specified dataset.
+
+**Usage**  
+```
+LIST FILES OF DATASET <dataset_name>;
+```
+
+**Parameters**  
+- `dataset_name`: Dataset name, quoted string.
+
+**Example**  
+```
+ragflow> LIST FILES OF DATASET 'my_dataset';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### list_user_agents
+
+**Description**  
+Lists all agents for the current user.
+
+**Usage**  
+```
+LIST AGENTS;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> LIST AGENTS;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### list_user_chats
+
+**Description**  
+Lists all chat sessions for the current user.
+
+**Usage**  
+```
+LIST CHATS;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> LIST CHATS;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### create_user_chat
+
+**Description**  
+Creates a new chat session.
+
+**Usage**  
+```
+CREATE CHAT <chat_name>;
+```
+
+**Parameters**  
+- `chat_name`: Chat session name, quoted string.
+
+**Example**  
+```
+ragflow> CREATE CHAT 'my_chat';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### drop_user_chat
+
+**Description**  
+Deletes a chat session.
+
+**Usage**  
+```
+DROP CHAT <chat_name>;
+```
+
+**Parameters**  
+- `chat_name`: Name of the chat session to delete, quoted string.
+
+**Example**  
+```
+ragflow> DROP CHAT 'my_chat';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### list_user_model_providers
+
+**Description**  
+Lists all model providers for the current user.
+
+**Usage**  
+```
+LIST MODEL PROVIDERS;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> LIST MODEL PROVIDERS;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### list_user_default_models
+
+**Description**  
+Lists all default model settings for the current user.
+
+**Usage**  
+```
+LIST DEFAULT MODELS;
+```
+
+**Parameters**  
+No parameters.
+
+**Example**  
+```
+ragflow> LIST DEFAULT MODELS;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### import_docs_into_dataset
+
+**Description**  
+Imports documents into the specified dataset.
+
+**Usage**  
+```
+IMPORT <document_list> INTO DATASET <dataset_name>;
+```
+
+**Parameters**  
+- `document_list`: List of document paths, multiple paths can be separated by commas, or as a space-separated quoted string.
+- `dataset_name`: Target dataset name, quoted string.
+
+**Example**  
+```
+ragflow> IMPORT '/path/to/doc1.pdf,/path/to/doc2.pdf' INTO DATASET 'my_dataset';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### search_on_datasets
+
+**Description**  
+Searches in one or more specified datasets.
+
+**Usage**  
+```
+SEARCH <question> ON DATASETS <dataset_list>;
+```
+
+**Parameters**  
+- `question`: Search question, quoted string.
+- `dataset_list`: List of dataset names, multiple names can be separated by commas, or as a space-separated quoted string.
+
+**Example**  
+```
+ragflow> SEARCH 'What is RAG?' ON DATASETS 'dataset1,dataset2';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### parse_dataset_docs
+
+**Description**  
+Parses specified documents in a dataset.
+
+**Usage**  
+```
+PARSE <document_names> OF DATASET <dataset_name>;
+```
+
+**Parameters**  
+- `document_names`: List of document names, multiple names can be separated by commas, or as a space-separated quoted string.
+- `dataset_name`: Dataset name, quoted string.
+
+**Example**  
+```
+ragflow> PARSE 'doc1.pdf,doc2.pdf' OF DATASET 'my_dataset';
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### parse_dataset_sync
+
+**Description**  
+Synchronously parses the entire dataset.
+
+**Usage**  
+```
+PARSE DATASET <dataset_name> SYNC;
+```
+
+**Parameters**  
+- `dataset_name`: Dataset name, quoted string.
+
+**Example**  
+```
+ragflow> PARSE DATASET 'my_dataset' SYNC;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### parse_dataset_async
+
+**Description**  
+Asynchronously parses the entire dataset.
+
+**Usage**  
+```
+PARSE DATASET <dataset_name> ASYNC;
+```
+
+**Parameters**  
+- `dataset_name`: Dataset name, quoted string.
+
+**Example**  
+```
+ragflow> PARSE DATASET 'my_dataset' ASYNC;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+### benchmark
+
+**Description**  
+Performs performance benchmark testing on the specified user command.
+
+**Usage**  
+```
+BENCHMARK <concurrency> <iterations> <user_command>;
+```
+
+**Parameters**  
+- `concurrency`: Concurrency number, positive integer.
+- `iterations`: Number of iterations, positive integer.
+- `user_command`: User command to test (must be a valid user command, such as `PING;`).
+
+**Example**  
+```
+ragflow> BENCHMARK 5 10 PING;
+```
+
+**Display Effect**  
+(Sample output will be provided by the user)
+
+---
+
+**Notes**  
+- All string parameters (such as names, IDs, paths) must be enclosed in single quotes (`'`) or double quotes (`"`).
+- Commands must end with a semicolon (`;`).
+- The prompt is `ragflow>`.
--- a/admin/client/README.md
+++ b/admin/client/README.md
@@ -48,7 +48,7 @@ It consists of a server-side Service and a command-line client (CLI), both imple
 1.  Ensure the Admin Service is running.
 2.  Install ragflow-cli.
    ```bash
-    pip install ragflow-cli==0.23.1
+    pip install ragflow-cli==0.25.1
    ```
 3.  Launch the CLI client:
    ```bash
--- a/admin/client/admin_client.py
+++ b/admin/client/admin_client.py
@@ -1,938 +0,0 @@
-#
-#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
-#
-#  Licensed under the Apache License, Version 2.0 (the "License");
-#  you may not use this file except in compliance with the License.
-#  You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-#  Unless required by applicable law or agreed to in writing, software
-#  distributed under the License is distributed on an "AS IS" BASIS,
-#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#  See the License for the specific language governing permissions and
-#  limitations under the License.
-#
-
-import argparse
-import base64
-import getpass
-from cmd import Cmd
-from typing import Any, Dict, List
-
-import requests
-from Cryptodome.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
-from Cryptodome.PublicKey import RSA
-from lark import Lark, Transformer, Tree
-
-GRAMMAR = r"""
-start: command
-
-command: sql_command | meta_command
-
-sql_command: list_services
-           | show_service
-           | startup_service
-           | shutdown_service
-           | restart_service
-           | list_users
-           | show_user
-           | drop_user
-           | alter_user
-           | create_user
-           | activate_user
-           | list_datasets
-           | list_agents
-           | create_role
-           | drop_role
-           | alter_role
-           | list_roles
-           | show_role
-           | grant_permission
-           | revoke_permission
-           | alter_user_role
-           | show_user_permission
-           | show_version
-
-// meta command definition
-meta_command: "\\" meta_command_name [meta_args]
-
-meta_command_name: /[a-zA-Z?]+/
-meta_args: (meta_arg)+
-
-meta_arg: /[^\\s"']+/ | quoted_string
-
-// command definition
-
-LIST: "LIST"i
-SERVICES: "SERVICES"i
-SHOW: "SHOW"i
-CREATE: "CREATE"i
-SERVICE: "SERVICE"i
-SHUTDOWN: "SHUTDOWN"i
-STARTUP: "STARTUP"i
-RESTART: "RESTART"i
-USERS: "USERS"i
-DROP: "DROP"i
-USER: "USER"i
-ALTER: "ALTER"i
-ACTIVE: "ACTIVE"i
-PASSWORD: "PASSWORD"i
-DATASETS: "DATASETS"i
-OF: "OF"i
-AGENTS: "AGENTS"i
-ROLE: "ROLE"i
-ROLES: "ROLES"i
-DESCRIPTION: "DESCRIPTION"i
-GRANT: "GRANT"i
-REVOKE: "REVOKE"i
-ALL: "ALL"i
-PERMISSION: "PERMISSION"i
-TO: "TO"i
-FROM: "FROM"i
-FOR: "FOR"i
-RESOURCES: "RESOURCES"i
-ON: "ON"i
-SET: "SET"i
-VERSION: "VERSION"i
-
-list_services: LIST SERVICES ";"
-show_service: SHOW SERVICE NUMBER ";"
-startup_service: STARTUP SERVICE NUMBER ";"
-shutdown_service: SHUTDOWN SERVICE NUMBER ";"
-restart_service: RESTART SERVICE NUMBER ";"
-
-list_users: LIST USERS ";"
-drop_user: DROP USER quoted_string ";"
-alter_user: ALTER USER PASSWORD quoted_string quoted_string ";"
-show_user: SHOW USER quoted_string ";"
-create_user: CREATE USER quoted_string quoted_string ";"
-activate_user: ALTER USER ACTIVE quoted_string status ";"
-
-list_datasets: LIST DATASETS OF quoted_string ";"
-list_agents: LIST AGENTS OF quoted_string ";"
-
-create_role: CREATE ROLE identifier [DESCRIPTION quoted_string] ";"
-drop_role: DROP ROLE identifier ";"
-alter_role: ALTER ROLE identifier SET DESCRIPTION quoted_string ";"
-list_roles: LIST ROLES ";"
-show_role: SHOW ROLE identifier ";"
-
-grant_permission: GRANT action_list ON identifier TO ROLE identifier ";"
-revoke_permission: REVOKE action_list ON identifier FROM ROLE identifier ";"
-alter_user_role: ALTER USER quoted_string SET ROLE identifier ";"
-show_user_permission: SHOW USER PERMISSION quoted_string ";"
-
-show_version: SHOW VERSION ";"
-
-action_list: identifier ("," identifier)*
-
-identifier: WORD
-quoted_string: QUOTED_STRING
-status: WORD
-
-QUOTED_STRING: /'[^']+'/ | /"[^"]+"/
-WORD: /[a-zA-Z0-9_\-\.]+/
-NUMBER: /[0-9]+/
-
-%import common.WS
-%ignore WS
-"""
-
-
-class AdminTransformer(Transformer):
-    def start(self, items):
-        return items[0]
-
-    def command(self, items):
-        return items[0]
-
-    def list_services(self, items):
-        result = {"type": "list_services"}
-        return result
-
-    def show_service(self, items):
-        service_id = int(items[2])
-        return {"type": "show_service", "number": service_id}
-
-    def startup_service(self, items):
-        service_id = int(items[2])
-        return {"type": "startup_service", "number": service_id}
-
-    def shutdown_service(self, items):
-        service_id = int(items[2])
-        return {"type": "shutdown_service", "number": service_id}
-
-    def restart_service(self, items):
-        service_id = int(items[2])
-        return {"type": "restart_service", "number": service_id}
-
-    def list_users(self, items):
-        return {"type": "list_users"}
-
-    def show_user(self, items):
-        user_name = items[2]
-        return {"type": "show_user", "user_name": user_name}
-
-    def drop_user(self, items):
-        user_name = items[2]
-        return {"type": "drop_user", "user_name": user_name}
-
-    def alter_user(self, items):
-        user_name = items[3]
-        new_password = items[4]
-        return {"type": "alter_user", "user_name": user_name, "password": new_password}
-
-    def create_user(self, items):
-        user_name = items[2]
-        password = items[3]
-        return {"type": "create_user", "user_name": user_name, "password": password, "role": "user"}
-
-    def activate_user(self, items):
-        user_name = items[3]
-        activate_status = items[4]
-        return {"type": "activate_user", "activate_status": activate_status, "user_name": user_name}
-
-    def list_datasets(self, items):
-        user_name = items[3]
-        return {"type": "list_datasets", "user_name": user_name}
-
-    def list_agents(self, items):
-        user_name = items[3]
-        return {"type": "list_agents", "user_name": user_name}
-
-    def create_role(self, items):
-        role_name = items[2]
-        if len(items) > 4:
-            description = items[4]
-            return {"type": "create_role", "role_name": role_name, "description": description}
-        else:
-            return {"type": "create_role", "role_name": role_name}
-
-    def drop_role(self, items):
-        role_name = items[2]
-        return {"type": "drop_role", "role_name": role_name}
-
-    def alter_role(self, items):
-        role_name = items[2]
-        description = items[5]
-        return {"type": "alter_role", "role_name": role_name, "description": description}
-
-    def list_roles(self, items):
-        return {"type": "list_roles"}
-
-    def show_role(self, items):
-        role_name = items[2]
-        return {"type": "show_role", "role_name": role_name}
-
-    def grant_permission(self, items):
-        action_list = items[1]
-        resource = items[3]
-        role_name = items[6]
-        return {"type": "grant_permission", "role_name": role_name, "resource": resource, "actions": action_list}
-
-    def revoke_permission(self, items):
-        action_list = items[1]
-        resource = items[3]
-        role_name = items[6]
-        return {"type": "revoke_permission", "role_name": role_name, "resource": resource, "actions": action_list}
-
-    def alter_user_role(self, items):
-        user_name = items[2]
-        role_name = items[5]
-        return {"type": "alter_user_role", "user_name": user_name, "role_name": role_name}
-
-    def show_user_permission(self, items):
-        user_name = items[3]
-        return {"type": "show_user_permission", "user_name": user_name}
-
-    def show_version(self, items):
-        return {"type": "show_version"}
-
-    def action_list(self, items):
-        return items
-
-    def meta_command(self, items):
-        command_name = str(items[0]).lower()
-        args = items[1:] if len(items) > 1 else []
-
-        # handle quoted parameter
-        parsed_args = []
-        for arg in args:
-            if hasattr(arg, "value"):
-                parsed_args.append(arg.value)
-            else:
-                parsed_args.append(str(arg))
-
-        return {"type": "meta", "command": command_name, "args": parsed_args}
-
-    def meta_command_name(self, items):
-        return items[0]
-
-    def meta_args(self, items):
-        return items
-
-
-def encrypt(input_string):
-    pub = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArq9XTUSeYr2+N1h3Afl/z8Dse/2yD0ZGrKwx+EEEcdsBLca9Ynmx3nIB5obmLlSfmskLpBo0UACBmB5rEjBp2Q2f3AG3Hjd4B+gNCG6BDaawuDlgANIhGnaTLrIqWrrcm4EMzJOnAOI1fgzJRsOOUEfaS318Eq9OVO3apEyCCt0lOQK6PuksduOjVxtltDav+guVAA068NrPYmRNabVKRNLJpL8w4D44sfth5RvZ3q9t+6RTArpEtc5sh5ChzvqPOzKGMXW83C95TxmXqpbK6olN4RevSfVjEAgCydH6HN6OhtOQEcnrU97r9H0iZOWwbw3pVrZiUkuRD1R56Wzs2wIDAQAB\n-----END PUBLIC KEY-----"
-    pub_key = RSA.importKey(pub)
-    cipher = Cipher_pkcs1_v1_5.new(pub_key)
-    cipher_text = cipher.encrypt(base64.b64encode(input_string.encode("utf-8")))
-    return base64.b64encode(cipher_text).decode("utf-8")
-
-
-def encode_to_base64(input_string):
-    base64_encoded = base64.b64encode(input_string.encode("utf-8"))
-    return base64_encoded.decode("utf-8")
-
-
-class AdminCLI(Cmd):
-    def __init__(self):
-        super().__init__()
-        self.parser = Lark(GRAMMAR, start="start", parser="lalr", transformer=AdminTransformer())
-        self.command_history = []
-        self.is_interactive = False
-        self.admin_account = "admin@ragflow.io"
-        self.admin_password: str = "admin"
-        self.session = requests.Session()
-        self.access_token: str = ""
-        self.host: str = ""
-        self.port: int = 0
-
-    intro = r"""Type "\h" for help."""
-    prompt = "admin> "
-
-    def onecmd(self, command: str) -> bool:
-        try:
-            result = self.parse_command(command)
-
-            if isinstance(result, dict):
-                if "type" in result and result.get("type") == "empty":
-                    return False
-
-            self.execute_command(result)
-
-            if isinstance(result, Tree):
-                return False
-
-            if result.get("type") == "meta" and result.get("command") in ["q", "quit", "exit"]:
-                return True
-
-        except KeyboardInterrupt:
-            print("\nUse '\\q' to quit")
-        except EOFError:
-            print("\nGoodbye!")
-            return True
-        return False
-
-    def emptyline(self) -> bool:
-        return False
-
-    def default(self, line: str) -> bool:
-        return self.onecmd(line)
-
-    def parse_command(self, command_str: str) -> dict[str, str]:
-        if not command_str.strip():
-            return {"type": "empty"}
-
-        self.command_history.append(command_str)
-
-        try:
-            result = self.parser.parse(command_str)
-            return result
-        except Exception as e:
-            return {"type": "error", "message": f"Parse error: {str(e)}"}
-
-    def verify_admin(self, arguments: dict, single_command: bool):
-        self.host = arguments["host"]
-        self.port = arguments["port"]
-        print("Attempt to access server for admin login")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/login"
-
-        attempt_count = 3
-        if single_command:
-            attempt_count = 1
-
-        try_count = 0
-        while True:
-            try_count += 1
-            if try_count > attempt_count:
-                return False
-
-            if single_command:
-                admin_passwd = arguments["password"]
-            else:
-                admin_passwd = getpass.getpass(f"password for {self.admin_account}: ").strip()
-            try:
-                self.admin_password = encrypt(admin_passwd)
-                response = self.session.post(url, json={"email": self.admin_account, "password": self.admin_password})
-                if response.status_code == 200:
-                    res_json = response.json()
-                    error_code = res_json.get("code", -1)
-                    if error_code == 0:
-                        self.session.headers.update({"Content-Type": "application/json", "Authorization": response.headers["Authorization"], "User-Agent": "RAGFlow-CLI/0.23.1"})
-                        print("Authentication successful.")
-                        return True
-                    else:
-                        error_message = res_json.get("message", "Unknown error")
-                        print(f"Authentication failed: {error_message}, try again")
-                        continue
-                else:
-                    print(f"Bad response，status: {response.status_code}, password is wrong")
-            except Exception as e:
-                print(str(e))
-                print("Can't access server for admin login (connection failed)")
-
-    def _format_service_detail_table(self, data):
-        if isinstance(data, list):
-            return data
-        if not all([isinstance(v, list) for v in data.values()]):
-            # normal table
-            return data
-        # handle task_executor heartbeats map, for example {'name': [{'done': 2, 'now': timestamp1}, {'done': 3, 'now': timestamp2}]
-        task_executor_list = []
-        for k, v in data.items():
-            # display latest status
-            heartbeats = sorted(v, key=lambda x: x["now"], reverse=True)
-            task_executor_list.append(
-                {
-                    "task_executor_name": k,
-                    **heartbeats[0],
-                }
-                if heartbeats
-                else {"task_executor_name": k}
-            )
-        return task_executor_list
-
-    def _print_table_simple(self, data):
-        if not data:
-            print("No data to print")
-            return
-        if isinstance(data, dict):
-            # handle single row data
-            data = [data]
-
-        columns = list(set().union(*(d.keys() for d in data)))
-        columns.sort()
-        col_widths = {}
-
-        def get_string_width(text):
-            half_width_chars = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\t\n\r"
-            width = 0
-            for char in text:
-                if char in half_width_chars:
-                    width += 1
-                else:
-                    width += 2
-            return width
-
-        for col in columns:
-            max_width = get_string_width(str(col))
-            for item in data:
-                value_len = get_string_width(str(item.get(col, "")))
-                if value_len > max_width:
-                    max_width = value_len
-            col_widths[col] = max(2, max_width)
-
-        # Generate delimiter
-        separator = "+" + "+".join(["-" * (col_widths[col] + 2) for col in columns]) + "+"
-
-        # Print header
-        print(separator)
-        header = "|" + "|".join([f" {col:<{col_widths[col]}} " for col in columns]) + "|"
-        print(header)
-        print(separator)
-
-        # Print data
-        for item in data:
-            row = "|"
-            for col in columns:
-                value = str(item.get(col, ""))
-                if get_string_width(value) > col_widths[col]:
-                    value = value[: col_widths[col] - 3] + "..."
-                row += f" {value:<{col_widths[col] - (get_string_width(value) - len(value))}} |"
-            print(row)
-
-        print(separator)
-
-    def run_interactive(self):
-        self.is_interactive = True
-        print("RAGFlow Admin command line interface - Type '\\?' for help, '\\q' to quit")
-
-        while True:
-            try:
-                command = input("admin> ").strip()
-                if not command:
-                    continue
-
-                print(f"command: {command}")
-                result = self.parse_command(command)
-                self.execute_command(result)
-
-                if isinstance(result, Tree):
-                    continue
-
-                if result.get("type") == "meta" and result.get("command") in ["q", "quit", "exit"]:
-                    break
-
-            except KeyboardInterrupt:
-                print("\nUse '\\q' to quit")
-            except EOFError:
-                print("\nGoodbye!")
-                break
-
-    def run_single_command(self, command: str):
-        result = self.parse_command(command)
-        self.execute_command(result)
-
-    def parse_connection_args(self, args: List[str]) -> Dict[str, Any]:
-        parser = argparse.ArgumentParser(description="Admin CLI Client", add_help=False)
-        parser.add_argument("-h", "--host", default="localhost", help="Admin service host")
-        parser.add_argument("-p", "--port", type=int, default=9381, help="Admin service port")
-        parser.add_argument("-w", "--password", default="admin", type=str, help="Superuser password")
-        parser.add_argument("command", nargs="?", help="Single command")
-        try:
-            parsed_args, remaining_args = parser.parse_known_args(args)
-            if remaining_args:
-                command = remaining_args[0]
-                return {"host": parsed_args.host, "port": parsed_args.port, "password": parsed_args.password, "command": command}
-            else:
-                return {
-                    "host": parsed_args.host,
-                    "port": parsed_args.port,
-                }
-        except SystemExit:
-            return {"error": "Invalid connection arguments"}
-
-    def execute_command(self, parsed_command: Dict[str, Any]):
-        command_dict: dict
-        if isinstance(parsed_command, Tree):
-            command_dict = parsed_command.children[0]
-        else:
-            if parsed_command["type"] == "error":
-                print(f"Error: {parsed_command['message']}")
-                return
-            else:
-                command_dict = parsed_command
-
-        # print(f"Parsed command: {command_dict}")
-
-        command_type = command_dict["type"]
-
-        match command_type:
-            case "list_services":
-                self._handle_list_services(command_dict)
-            case "show_service":
-                self._handle_show_service(command_dict)
-            case "restart_service":
-                self._handle_restart_service(command_dict)
-            case "shutdown_service":
-                self._handle_shutdown_service(command_dict)
-            case "startup_service":
-                self._handle_startup_service(command_dict)
-            case "list_users":
-                self._handle_list_users(command_dict)
-            case "show_user":
-                self._handle_show_user(command_dict)
-            case "drop_user":
-                self._handle_drop_user(command_dict)
-            case "alter_user":
-                self._handle_alter_user(command_dict)
-            case "create_user":
-                self._handle_create_user(command_dict)
-            case "activate_user":
-                self._handle_activate_user(command_dict)
-            case "list_datasets":
-                self._handle_list_datasets(command_dict)
-            case "list_agents":
-                self._handle_list_agents(command_dict)
-            case "create_role":
-                self._create_role(command_dict)
-            case "drop_role":
-                self._drop_role(command_dict)
-            case "alter_role":
-                self._alter_role(command_dict)
-            case "list_roles":
-                self._list_roles(command_dict)
-            case "show_role":
-                self._show_role(command_dict)
-            case "grant_permission":
-                self._grant_permission(command_dict)
-            case "revoke_permission":
-                self._revoke_permission(command_dict)
-            case "alter_user_role":
-                self._alter_user_role(command_dict)
-            case "show_user_permission":
-                self._show_user_permission(command_dict)
-            case "show_version":
-                self._show_version(command_dict)
-            case "meta":
-                self._handle_meta_command(command_dict)
-            case _:
-                print(f"Command '{command_type}' would be executed with API")
-
-    def _handle_list_services(self, command):
-        print("Listing all services")
-
-        url = f"http://{self.host}:{self.port}/api/v1/admin/services"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to get all services, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_show_service(self, command):
-        service_id: int = command["number"]
-        print(f"Showing service: {service_id}")
-
-        url = f"http://{self.host}:{self.port}/api/v1/admin/services/{service_id}"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            res_data = res_json["data"]
-            if "status" in res_data and res_data["status"] == "alive":
-                print(f"Service {res_data['service_name']} is alive, ")
-                if isinstance(res_data["message"], str):
-                    print(res_data["message"])
-                else:
-                    data = self._format_service_detail_table(res_data["message"])
-                    self._print_table_simple(data)
-            else:
-                print(f"Service {res_data['service_name']} is down, {res_data['message']}")
-        else:
-            print(f"Fail to show service, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_restart_service(self, command):
-        service_id: int = command["number"]
-        print(f"Restart service {service_id}")
-
-    def _handle_shutdown_service(self, command):
-        service_id: int = command["number"]
-        print(f"Shutdown service {service_id}")
-
-    def _handle_startup_service(self, command):
-        service_id: int = command["number"]
-        print(f"Startup service {service_id}")
-
-    def _handle_list_users(self, command):
-        print("Listing all users")
-
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to get all users, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_show_user(self, command):
-        username_tree: Tree = command["user_name"]
-        user_name: str = username_tree.children[0].strip("'\"")
-        print(f"Showing user: {user_name}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name}"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            table_data = res_json["data"]
-            table_data.pop("avatar")
-            self._print_table_simple(table_data)
-        else:
-            print(f"Fail to get user {user_name}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_drop_user(self, command):
-        username_tree: Tree = command["user_name"]
-        user_name: str = username_tree.children[0].strip("'\"")
-        print(f"Drop user: {user_name}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name}"
-        response = self.session.delete(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            print(res_json["message"])
-        else:
-            print(f"Fail to drop user, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_alter_user(self, command):
-        user_name_tree: Tree = command["user_name"]
-        user_name: str = user_name_tree.children[0].strip("'\"")
-        password_tree: Tree = command["password"]
-        password: str = password_tree.children[0].strip("'\"")
-        print(f"Alter user: {user_name}, password: ******")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name}/password"
-        response = self.session.put(url, json={"new_password": encrypt(password)})
-        res_json = response.json()
-        if response.status_code == 200:
-            print(res_json["message"])
-        else:
-            print(f"Fail to alter password, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_create_user(self, command):
-        user_name_tree: Tree = command["user_name"]
-        user_name: str = user_name_tree.children[0].strip("'\"")
-        password_tree: Tree = command["password"]
-        password: str = password_tree.children[0].strip("'\"")
-        role: str = command["role"]
-        print(f"Create user: {user_name}, password: ******, role: {role}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users"
-        response = self.session.post(url, json={"user_name": user_name, "password": encrypt(password), "role": role})
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to create user {user_name}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_activate_user(self, command):
-        user_name_tree: Tree = command["user_name"]
-        user_name: str = user_name_tree.children[0].strip("'\"")
-        activate_tree: Tree = command["activate_status"]
-        activate_status: str = activate_tree.children[0].strip("'\"")
-        if activate_status.lower() in ["on", "off"]:
-            print(f"Alter user {user_name} activate status, turn {activate_status.lower()}.")
-            url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name}/activate"
-            response = self.session.put(url, json={"activate_status": activate_status})
-            res_json = response.json()
-            if response.status_code == 200:
-                print(res_json["message"])
-            else:
-                print(f"Fail to alter activate status, code: {res_json['code']}, message: {res_json['message']}")
-        else:
-            print(f"Unknown activate status: {activate_status}.")
-
-    def _handle_list_datasets(self, command):
-        username_tree: Tree = command["user_name"]
-        user_name: str = username_tree.children[0].strip("'\"")
-        print(f"Listing all datasets of user: {user_name}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name}/datasets"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            table_data = res_json["data"]
-            for t in table_data:
-                t.pop("avatar")
-            self._print_table_simple(table_data)
-        else:
-            print(f"Fail to get all datasets of {user_name}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_list_agents(self, command):
-        username_tree: Tree = command["user_name"]
-        user_name: str = username_tree.children[0].strip("'\"")
-        print(f"Listing all agents of user: {user_name}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name}/agents"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            table_data = res_json["data"]
-            for t in table_data:
-                t.pop("avatar")
-            self._print_table_simple(table_data)
-        else:
-            print(f"Fail to get all agents of {user_name}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _create_role(self, command):
-        role_name_tree: Tree = command["role_name"]
-        role_name: str = role_name_tree.children[0].strip("'\"")
-        desc_str: str = ""
-        if "description" in command:
-            desc_tree: Tree = command["description"]
-            desc_str = desc_tree.children[0].strip("'\"")
-
-        print(f"create role name: {role_name}, description: {desc_str}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/roles"
-        response = self.session.post(url, json={"role_name": role_name, "description": desc_str})
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to create role {role_name}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _drop_role(self, command):
-        role_name_tree: Tree = command["role_name"]
-        role_name: str = role_name_tree.children[0].strip("'\"")
-        print(f"drop role name: {role_name}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/roles/{role_name}"
-        response = self.session.delete(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to drop role {role_name}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _alter_role(self, command):
-        role_name_tree: Tree = command["role_name"]
-        role_name: str = role_name_tree.children[0].strip("'\"")
-        desc_tree: Tree = command["description"]
-        desc_str: str = desc_tree.children[0].strip("'\"")
-
-        print(f"alter role name: {role_name}, description: {desc_str}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/roles/{role_name}"
-        response = self.session.put(url, json={"description": desc_str})
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to update role {role_name} with description: {desc_str}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _list_roles(self, command):
-        print("Listing all roles")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/roles"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to list roles, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _show_role(self, command):
-        role_name_tree: Tree = command["role_name"]
-        role_name: str = role_name_tree.children[0].strip("'\"")
-        print(f"show role: {role_name}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/roles/{role_name}/permission"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to list roles, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _grant_permission(self, command):
-        role_name_tree: Tree = command["role_name"]
-        role_name_str: str = role_name_tree.children[0].strip("'\"")
-        resource_tree: Tree = command["resource"]
-        resource_str: str = resource_tree.children[0].strip("'\"")
-        action_tree_list: list = command["actions"]
-        actions: list = []
-        for action_tree in action_tree_list:
-            action_str: str = action_tree.children[0].strip("'\"")
-            actions.append(action_str)
-        print(f"grant role_name: {role_name_str}, resource: {resource_str}, actions: {actions}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/roles/{role_name_str}/permission"
-        response = self.session.post(url, json={"actions": actions, "resource": resource_str})
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to grant role {role_name_str} with {actions} on {resource_str}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _revoke_permission(self, command):
-        role_name_tree: Tree = command["role_name"]
-        role_name_str: str = role_name_tree.children[0].strip("'\"")
-        resource_tree: Tree = command["resource"]
-        resource_str: str = resource_tree.children[0].strip("'\"")
-        action_tree_list: list = command["actions"]
-        actions: list = []
-        for action_tree in action_tree_list:
-            action_str: str = action_tree.children[0].strip("'\"")
-            actions.append(action_str)
-        print(f"revoke role_name: {role_name_str}, resource: {resource_str}, actions: {actions}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/roles/{role_name_str}/permission"
-        response = self.session.delete(url, json={"actions": actions, "resource": resource_str})
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to revoke role {role_name_str} with {actions} on {resource_str}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _alter_user_role(self, command):
-        role_name_tree: Tree = command["role_name"]
-        role_name_str: str = role_name_tree.children[0].strip("'\"")
-        user_name_tree: Tree = command["user_name"]
-        user_name_str: str = user_name_tree.children[0].strip("'\"")
-        print(f"alter_user_role user_name: {user_name_str}, role_name: {role_name_str}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name_str}/role"
-        response = self.session.put(url, json={"role_name": role_name_str})
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to alter user: {user_name_str} to role {role_name_str}, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _show_user_permission(self, command):
-        user_name_tree: Tree = command["user_name"]
-        user_name_str: str = user_name_tree.children[0].strip("'\"")
-        print(f"show_user_permission user_name: {user_name_str}")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/users/{user_name_str}/permission"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to show user: {user_name_str} permission, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _show_version(self, command):
-        print("show_version")
-        url = f"http://{self.host}:{self.port}/api/v1/admin/version"
-        response = self.session.get(url)
-        res_json = response.json()
-        if response.status_code == 200:
-            self._print_table_simple(res_json["data"])
-        else:
-            print(f"Fail to show version, code: {res_json['code']}, message: {res_json['message']}")
-
-    def _handle_meta_command(self, command):
-        meta_command = command["command"]
-        args = command.get("args", [])
-
-        if meta_command in ["?", "h", "help"]:
-            self.show_help()
-        elif meta_command in ["q", "quit", "exit"]:
-            print("Goodbye!")
-        else:
-            print(f"Meta command '{meta_command}' with args {args}")
-
-    def show_help(self):
-        """Help info"""
-        help_text = """
-Commands:
-  LIST SERVICES
-  SHOW SERVICE <service>
-  STARTUP SERVICE <service>
-  SHUTDOWN SERVICE <service>
-  RESTART SERVICE <service>
-  LIST USERS
-  SHOW USER <user>
-  DROP USER <user>
-  CREATE USER <user> <password>
-  ALTER USER PASSWORD <user> <new_password>
-  ALTER USER ACTIVE <user> <on/off>
-  LIST DATASETS OF <user>
-  LIST AGENTS OF <user>
-
-Meta Commands:
-  \\?, \\h, \\help     Show this help
-  \\q, \\quit, \\exit   Quit the CLI
-        """
-        print(help_text)
-
-
-def main():
-    import sys
-
-    cli = AdminCLI()
-
-    args = cli.parse_connection_args(sys.argv)
-    if "error" in args:
-        print("Error: Invalid connection arguments")
-        return
-
-    if "command" in args:
-        if "password" not in args:
-            print("Error: password is missing")
-            return
-        if cli.verify_admin(args, single_command=True):
-            command: str = args["command"]
-            # print(f"Run single command: {command}")
-            cli.run_single_command(command)
-    else:
-        if cli.verify_admin(args, single_command=False):
-            print(r"""
-                ____  ___   ______________                 ___       __          _     
-               / __ \/   | / ____/ ____/ /___ _      __   /   | ____/ /___ ___  (_)___ 
-              / /_/ / /| |/ / __/ /_  / / __ \ | /| / /  / /| |/ __  / __ `__ \/ / __ \
-             / _, _/ ___ / /_/ / __/ / / /_/ / |/ |/ /  / ___ / /_/ / / / / / / / / / /
-            /_/ |_/_/  |_\____/_/   /_/\____/|__/|__/  /_/  |_\__,_/_/ /_/ /_/_/_/ /_/ 
-            """)
-            cli.cmdloop()
-
-
-if __name__ == "__main__":
-    main()
--- a/admin/client/http_client.py
+++ b/admin/client/http_client.py
@@ -0,0 +1,182 @@
+#
+#  Copyright 2026 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+import time
+import json
+import typing
+from typing import Any, Dict, Optional
+
+import requests
+# from requests.sessions import HTTPAdapter
+
+
+class HttpClient:
+    def __init__(
+            self,
+            host: str = "127.0.0.1",
+            port: int = 9381,
+            api_version: str = "v1",
+            api_key: Optional[str] = None,
+            connect_timeout: float = 5.0,
+            read_timeout: float = 60.0,
+            verify_ssl: bool = False,
+    ) -> None:
+        self.host = host
+        self.port = port
+        self.api_version = api_version
+        self.api_key = api_key
+        self.login_token: str | None = None
+        self.connect_timeout = connect_timeout
+        self.read_timeout = read_timeout
+        self.verify_ssl = verify_ssl
+
+    def api_base(self) -> str:
+        return f"{self.host}:{self.port}/api/{self.api_version}"
+
+    def non_api_base(self) -> str:
+        return f"{self.host}:{self.port}/{self.api_version}"
+
+    def build_url(self, path: str, use_api_base: bool = True) -> str:
+        base = self.api_base() if use_api_base else self.non_api_base()
+        if self.verify_ssl:
+            return f"https://{base}/{path.lstrip('/')}"
+        else:
+            return f"http://{base}/{path.lstrip('/')}"
+
+    def _headers(self, auth_kind: Optional[str], extra: Optional[Dict[str, str]]) -> Dict[str, str]:
+        headers = {}
+        if auth_kind == "api" and self.api_key:
+            headers["Authorization"] = f"Bearer {self.api_key}"
+        elif auth_kind == "web" and self.login_token:
+            headers["Authorization"] = self.login_token
+        elif auth_kind == "admin" and self.login_token:
+            headers["Authorization"] = self.login_token
+        else:
+            pass
+        if extra:
+            headers.update(extra)
+        return headers
+
+    def request(
+            self,
+            method: str,
+            path: str,
+            *,
+            use_api_base: bool = True,
+            auth_kind: Optional[str] = "api",
+            headers: Optional[Dict[str, str]] = None,
+            json_body: Optional[Dict[str, Any]] = None,
+            data: Any = None,
+            files: Any = None,
+            params: Optional[Dict[str, Any]] = None,
+            stream: bool = False,
+            iterations: int = 1,
+    ) -> requests.Response | dict:
+        url = self.build_url(path, use_api_base=use_api_base)
+        merged_headers = self._headers(auth_kind, headers)
+        # timeout: Tuple[float, float] = (self.connect_timeout, self.read_timeout)
+        session = requests.Session()
+        # adapter = HTTPAdapter(pool_connections=100, pool_maxsize=100)
+        # session.mount("http://", adapter)
+        http_function = typing.Any
+        match method:
+            case "GET":
+                http_function = session.get
+            case "POST":
+                http_function = session.post
+            case "PUT":
+                http_function = session.put
+            case "DELETE":
+                http_function = session.delete
+            case "PATCH":
+                http_function = session.patch
+            case _:
+                raise ValueError(f"Invalid HTTP method: {method}")
+
+        if iterations > 1:
+            response_list = []
+            total_duration = 0.0
+            for _ in range(iterations):
+                start_time = time.perf_counter()
+                response = http_function(url, headers=merged_headers, json=json_body, data=data, stream=stream)
+                # response = session.get(url, headers=merged_headers, json=json_body, data=data, stream=stream)
+                # response = requests.request(
+                #     method=method,
+                #     url=url,
+                #     headers=merged_headers,
+                #     json=json_body,
+                #     data=data,
+                #     files=files,
+                #     params=params,
+                #     stream=stream,
+                #     verify=self.verify_ssl,
+                # )
+                end_time = time.perf_counter()
+                total_duration += end_time - start_time
+                response_list.append(response)
+            return {"duration": total_duration, "response_list": response_list}
+        else:
+            return http_function(url, headers=merged_headers, json=json_body, data=data, stream=stream)
+            # return session.get(url, headers=merged_headers, json=json_body, data=data, stream=stream)
+            # return requests.request(
+            #     method=method,
+            #     url=url,
+            #     headers=merged_headers,
+            #     json=json_body,
+            #     data=data,
+            #     files=files,
+            #     params=params,
+            #     stream=stream,
+            #     verify=self.verify_ssl,
+            # )
+
+    def request_json(
+            self,
+            method: str,
+            path: str,
+            *,
+            use_api_base: bool = True,
+            auth_kind: Optional[str] = "api",
+            headers: Optional[Dict[str, str]] = None,
+            json_body: Optional[Dict[str, Any]] = None,
+            data: Any = None,
+            files: Any = None,
+            params: Optional[Dict[str, Any]] = None,
+            stream: bool = False,
+    ) -> Dict[str, Any]:
+        response = self.request(
+            method,
+            path,
+            use_api_base=use_api_base,
+            auth_kind=auth_kind,
+            headers=headers,
+            json_body=json_body,
+            data=data,
+            files=files,
+            params=params,
+            stream=stream,
+        )
+        try:
+            return response.json()
+        except Exception as exc:
+            raise ValueError(f"Non-JSON response from {path}: {exc}") from exc
+
+    @staticmethod
+    def parse_json_bytes(raw: bytes) -> Dict[str, Any]:
+        try:
+            return json.loads(raw.decode("utf-8"))
+        except Exception as exc:
+            raise ValueError(f"Invalid JSON payload: {exc}") from exc
--- a/admin/client/parser.py
+++ b/admin/client/parser.py
@@ -0,0 +1,904 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+from lark import Transformer
+
+GRAMMAR = r"""
+start: command
+
+command: sql_command | meta_command
+
+sql_command: login_user
+           | ping_server
+           | list_services
+           | show_service
+           | startup_service
+           | shutdown_service
+           | restart_service
+           | register_user
+           | list_users
+           | show_user
+           | drop_user
+           | alter_user
+           | create_user
+           | activate_user
+           | list_datasets
+           | list_agents
+           | create_role
+           | drop_role
+           | alter_role
+           | list_roles
+           | show_role
+           | grant_permission
+           | revoke_permission
+           | alter_user_role
+           | show_user_permission
+           | show_version
+           | grant_admin
+           | revoke_admin
+           | set_variable
+           | show_variable
+           | list_variables
+           | list_configs
+           | list_environments
+           | generate_key
+           | list_keys
+           | drop_key
+           | show_current_user
+           | set_default_llm
+           | set_default_vlm
+           | set_default_embedding
+           | set_default_reranker
+           | set_default_asr
+           | set_default_tts
+           | reset_default_llm
+           | reset_default_vlm
+           | reset_default_embedding
+           | reset_default_reranker
+           | reset_default_asr
+           | reset_default_tts
+           | create_model_provider
+           | drop_model_provider
+           | create_user_dataset_with_parser
+           | create_user_dataset_with_pipeline
+           | drop_user_dataset
+           | list_user_datasets
+           | list_user_dataset_files
+           | list_user_dataset_documents
+           | list_user_datasets_metadata
+           | list_user_documents_metadata_summary
+           | list_user_agents
+           | list_user_chats
+           | create_user_chat
+           | drop_user_chat
+           | create_dataset_table
+           | drop_dataset_table
+           | create_metadata_table
+           | drop_metadata_table
+           | list_user_model_providers
+           | list_user_default_models
+           | parse_dataset_docs
+           | parse_dataset_sync
+           | parse_dataset_async
+           | import_docs_into_dataset
+           | search_on_datasets
+           | get_chunk
+           | list_chunks
+           | insert_dataset_from_file
+           | insert_metadata_from_file
+           | update_chunk
+           | set_metadata
+           | remove_tags
+           | remove_chunks
+           | create_chat_session
+           | drop_chat_session
+           | list_chat_sessions
+           | chat_on_session
+           | list_server_configs
+           | show_fingerprint
+           | set_license
+           | set_license_config
+           | show_license
+           | check_license
+           | benchmark
+
+// meta command definition
+meta_command: "\\" meta_command_name [meta_args]
+
+COMMA: ","
+
+meta_command_name: /[a-zA-Z?]+/
+meta_args: (meta_arg)+
+
+meta_arg: /[^\s"',]+/ | quoted_string
+
+// command definition
+
+LOGIN: "LOGIN"i
+REGISTER: "REGISTER"i
+LIST: "LIST"i
+SERVICES: "SERVICES"i
+SHOW: "SHOW"i
+CREATE: "CREATE"i
+SERVICE: "SERVICE"i
+SHUTDOWN: "SHUTDOWN"i
+STARTUP: "STARTUP"i
+RESTART: "RESTART"i
+USERS: "USERS"i
+DROP: "DROP"i
+USER: "USER"i
+ALTER: "ALTER"i
+ACTIVE: "ACTIVE"i
+ADMIN: "ADMIN"i
+PASSWORD: "PASSWORD"i
+DATASET_TABLE: "DATASET TABLE"i
+DATASET: "DATASET"i
+DATASETS: "DATASETS"i
+OF: "OF"i
+AGENTS: "AGENTS"i
+ROLE: "ROLE"i
+ROLES: "ROLES"i
+DESCRIPTION: "DESCRIPTION"i
+GRANT: "GRANT"i
+REVOKE: "REVOKE"i
+ALL: "ALL"i
+PERMISSION: "PERMISSION"i
+TO: "TO"i
+FROM: "FROM"i
+FOR: "FOR"i
+RESOURCES: "RESOURCES"i
+ON: "ON"i
+SET: "SET"i
+RESET: "RESET"i
+VERSION: "VERSION"i
+VAR: "VAR"i
+VARS: "VARS"i
+CONFIGS: "CONFIGS"i
+ENVS: "ENVS"i
+KEY: "KEY"i
+KEYS: "KEYS"i
+GENERATE: "GENERATE"i
+MODEL: "MODEL"i
+MODELS: "MODELS"i
+PROVIDER: "PROVIDER"i
+PROVIDERS: "PROVIDERS"i
+DEFAULT: "DEFAULT"i
+CHATS: "CHATS"i
+CHAT: "CHAT"i
+FILES: "FILES"i
+DOCUMENT: "DOCUMENT"i
+DOCUMENTS: "DOCUMENTS"i
+METADATA: "METADATA"i
+SUMMARY: "SUMMARY"i
+AS: "AS"i
+PARSE: "PARSE"i
+IMPORT: "IMPORT"i
+INTO: "INTO"i
+IN: "IN"i
+WITH: "WITH"i
+VECTOR: "VECTOR"i
+SIZE: "SIZE"i
+PARSER: "PARSER"i
+PIPELINE: "PIPELINE"i
+SEARCH: "SEARCH"i
+CURRENT: "CURRENT"i
+LLM: "LLM"i
+VLM: "VLM"i
+EMBEDDING: "EMBEDDING"i
+RERANKER: "RERANKER"i
+ASR: "ASR"i
+TTS: "TTS"i
+ASYNC: "ASYNC"i
+SYNC: "SYNC"i
+BENCHMARK: "BENCHMARK"i
+PING: "PING"i
+SESSION: "SESSION"i
+SESSIONS: "SESSIONS"i
+SERVER: "SERVER"i
+FINGERPRINT: "FINGERPRINT"i
+LICENSE: "LICENSE"i
+CHECK: "CHECK"i
+CONFIG: "CONFIG"i
+INDEX: "INDEX"i
+TABLE: "TABLE"i
+CHUNK: "CHUNK"i
+CHUNKS: "CHUNKS"i
+GET: "GET"i
+INSERT: "INSERT"i
+PAGE: "PAGE"i
+KEYWORDS: "KEYWORDS"i
+AVAILABLE: "AVAILABLE"i
+FILE: "FILE"i
+UPDATE: "UPDATE"i
+REMOVE: "REMOVE"i
+TAGS: "TAGS"i
+
+login_user: LOGIN USER quoted_string (PASSWORD quoted_string)? ";"
+list_services: LIST SERVICES ";"
+show_service: SHOW SERVICE NUMBER ";"
+startup_service: STARTUP SERVICE NUMBER ";"
+shutdown_service: SHUTDOWN SERVICE NUMBER ";"
+restart_service: RESTART SERVICE NUMBER ";"
+
+register_user: REGISTER USER quoted_string AS quoted_string PASSWORD quoted_string ";"
+list_users: LIST USERS ";"
+drop_user: DROP USER quoted_string ";"
+alter_user: ALTER USER PASSWORD quoted_string quoted_string ";"
+show_user: SHOW USER quoted_string ";"
+create_user: CREATE USER quoted_string quoted_string ";"
+activate_user: ALTER USER ACTIVE quoted_string status ";"
+
+list_datasets: LIST DATASETS OF quoted_string ";"
+list_agents: LIST AGENTS OF quoted_string ";"
+
+create_role: CREATE ROLE identifier [DESCRIPTION quoted_string] ";"
+drop_role: DROP ROLE identifier ";"
+alter_role: ALTER ROLE identifier SET DESCRIPTION quoted_string ";"
+list_roles: LIST ROLES ";"
+show_role: SHOW ROLE identifier ";"
+
+grant_permission: GRANT identifier_list ON identifier TO ROLE identifier ";"
+revoke_permission: REVOKE identifier_list ON identifier FROM ROLE identifier ";"
+alter_user_role: ALTER USER quoted_string SET ROLE identifier ";"
+show_user_permission: SHOW USER PERMISSION quoted_string ";"
+
+show_version: SHOW VERSION ";"
+
+grant_admin: GRANT ADMIN quoted_string ";"
+revoke_admin: REVOKE ADMIN quoted_string ";"
+
+generate_key: GENERATE KEY FOR USER quoted_string ";"
+list_keys: LIST KEYS OF quoted_string ";"
+drop_key: DROP KEY quoted_string OF quoted_string ";"
+
+set_variable: SET VAR identifier identifier ";"
+show_variable: SHOW VAR identifier ";"
+list_variables: LIST VARS ";"
+list_configs: LIST CONFIGS ";"
+list_environments: LIST ENVS ";"
+
+show_fingerprint: SHOW FINGERPRINT ";"
+set_license: SET LICENSE quoted_string ";"
+set_license_config: SET LICENSE CONFIG NUMBER NUMBER ";"
+show_license: SHOW LICENSE ";"
+check_license: CHECK LICENSE ";"
+
+list_server_configs: LIST SERVER CONFIGS ";"
+
+benchmark: BENCHMARK NUMBER NUMBER user_statement
+
+user_statement: ping_server
+                | show_current_user
+                | create_model_provider
+                | drop_model_provider
+                | set_default_llm
+                | set_default_vlm
+                | set_default_embedding
+                | set_default_reranker
+                | set_default_asr
+                | set_default_tts
+                | reset_default_llm
+                | reset_default_vlm
+                | reset_default_embedding
+                | reset_default_reranker
+                | reset_default_asr
+                | reset_default_tts
+                | create_user_dataset_with_parser
+                | create_user_dataset_with_pipeline
+                | drop_user_dataset
+                | list_user_datasets
+                | list_user_dataset_files
+                | list_user_agents
+                | list_user_chats
+                | create_user_chat
+                | drop_user_chat
+                | list_user_model_providers
+                | list_user_default_models
+                | import_docs_into_dataset
+                | search_on_datasets
+                | update_chunk
+                | set_metadata
+                | remove_tags
+                | create_chat_session
+                | drop_chat_session
+                | list_chat_sessions
+                | chat_on_session
+
+ping_server: PING ";"
+show_current_user: SHOW CURRENT USER ";"
+create_model_provider: CREATE MODEL PROVIDER quoted_string quoted_string ";"
+drop_model_provider: DROP MODEL PROVIDER quoted_string ";"
+set_default_llm: SET DEFAULT LLM quoted_string ";"
+set_default_vlm: SET DEFAULT VLM quoted_string ";"
+set_default_embedding: SET DEFAULT EMBEDDING quoted_string ";"
+set_default_reranker: SET DEFAULT RERANKER quoted_string ";"
+set_default_asr: SET DEFAULT ASR quoted_string ";"
+set_default_tts: SET DEFAULT TTS quoted_string ";"
+
+reset_default_llm: RESET DEFAULT LLM ";"
+reset_default_vlm: RESET DEFAULT VLM ";"
+reset_default_embedding: RESET DEFAULT EMBEDDING ";"
+reset_default_reranker: RESET DEFAULT RERANKER ";"
+reset_default_asr: RESET DEFAULT ASR ";"
+reset_default_tts: RESET DEFAULT TTS ";"
+
+list_user_datasets: LIST DATASETS ";"
+create_user_dataset_with_parser: CREATE DATASET quoted_string WITH EMBEDDING quoted_string PARSER quoted_string ";" 
+create_user_dataset_with_pipeline: CREATE DATASET quoted_string WITH EMBEDDING quoted_string PIPELINE quoted_string ";" 
+drop_user_dataset: DROP DATASET quoted_string ";"
+list_user_dataset_files: LIST FILES OF DATASET quoted_string ";"
+list_user_dataset_documents: LIST DOCUMENTS OF DATASET quoted_string ";"
+list_user_datasets_metadata: LIST METADATA OF DATASETS quoted_string (COMMA quoted_string)* ";"
+list_user_documents_metadata_summary: LIST METADATA SUMMARY OF DATASET quoted_string (DOCUMENTS quoted_string (COMMA quoted_string)*)? ";"
+list_user_agents: LIST AGENTS ";"
+list_user_chats: LIST CHATS ";"
+create_user_chat: CREATE CHAT quoted_string ";"
+drop_user_chat: DROP CHAT quoted_string ";"
+create_chat_session: CREATE CHAT quoted_string SESSION ";"
+drop_chat_session: DROP CHAT quoted_string SESSION quoted_string ";"
+list_chat_sessions: LIST CHAT quoted_string SESSIONS ";"
+chat_on_session: CHAT quoted_string ON quoted_string SESSION quoted_string ";"
+list_user_model_providers: LIST MODEL PROVIDERS ";"
+list_user_default_models: LIST DEFAULT MODELS ";"
+import_docs_into_dataset: IMPORT quoted_string INTO DATASET quoted_string ";"
+search_on_datasets: SEARCH quoted_string ON DATASETS quoted_string ";"
+get_chunk: GET CHUNK quoted_string ";"
+list_chunks: LIST CHUNKS OF DOCUMENT quoted_string ("PAGE" NUMBER)? ("SIZE" NUMBER)? ("KEYWORDS" quoted_string)? ("AVAILABLE" NUMBER)? ";"
+set_metadata: SET METADATA OF DOCUMENT quoted_string TO quoted_string ";"
+remove_tags: REMOVE TAGS quoted_string (COMMA quoted_string)* FROM DATASET quoted_string ";"
+remove_chunks: REMOVE CHUNKS quoted_string (COMMA quoted_string)* FROM DOCUMENT quoted_string ";"
+           | REMOVE ALL CHUNKS FROM DOCUMENT quoted_string ";"
+
+parse_dataset_docs: PARSE quoted_string OF DATASET quoted_string ";"
+parse_dataset_sync: PARSE DATASET quoted_string SYNC ";"
+parse_dataset_async: PARSE DATASET quoted_string ASYNC ";"
+
+// Internal CLI only for GO
+create_dataset_table: CREATE DATASET TABLE quoted_string VECTOR SIZE NUMBER ";"
+drop_dataset_table: DROP DATASET TABLE quoted_string ";"
+create_metadata_table: CREATE METADATA TABLE ";"
+drop_metadata_table: DROP METADATA TABLE ";"
+insert_dataset_from_file: INSERT DATASET FROM FILE quoted_string ";"
+insert_metadata_from_file: INSERT METADATA FROM FILE quoted_string ";"
+update_chunk: UPDATE CHUNK quoted_string OF DATASET quoted_string SET quoted_string ";"
+
+identifier_list: identifier (COMMA identifier)*
+
+identifier: WORD
+quoted_string: QUOTED_STRING
+status: ON | WORD
+
+QUOTED_STRING: /'[^']+'/ | /"[^"]+"/
+WORD: /[a-zA-Z0-9_\-\.]+/
+NUMBER: /[0-9]+/
+
+%import common.WS
+%ignore WS
+"""
+
+
+class RAGFlowCLITransformer(Transformer):
+    def start(self, items):
+        return items[0]
+
+    def command(self, items):
+        return items[0]
+
+    def login_user(self, items):
+        email = items[2].children[0].strip("'\"")
+        if len(items) == 5:
+            # With password: LOGIN USER email PASSWORD password
+            password = items[4].children[0].strip("'\"")
+            return {"type": "login_user", "email": email, "password": password}
+        else:
+            # Without password: LOGIN USER email
+            return {"type": "login_user", "email": email}
+
+    def ping_server(self, items):
+        return {"type": "ping_server"}
+
+    def list_services(self, items):
+        result = {"type": "list_services"}
+        return result
+
+    def show_service(self, items):
+        service_id = int(items[2])
+        return {"type": "show_service", "number": service_id}
+
+    def startup_service(self, items):
+        service_id = int(items[2])
+        return {"type": "startup_service", "number": service_id}
+
+    def shutdown_service(self, items):
+        service_id = int(items[2])
+        return {"type": "shutdown_service", "number": service_id}
+
+    def restart_service(self, items):
+        service_id = int(items[2])
+        return {"type": "restart_service", "number": service_id}
+
+    def register_user(self, items):
+        user_name: str = items[2].children[0].strip("'\"")
+        nickname: str = items[4].children[0].strip("'\"")
+        password: str = items[6].children[0].strip("'\"")
+        return {"type": "register_user", "user_name": user_name, "nickname": nickname, "password": password}
+
+    def list_users(self, items):
+        return {"type": "list_users"}
+
+    def show_user(self, items):
+        user_name = items[2]
+        return {"type": "show_user", "user_name": user_name}
+
+    def drop_user(self, items):
+        user_name = items[2]
+        return {"type": "drop_user", "user_name": user_name}
+
+    def alter_user(self, items):
+        user_name = items[3]
+        new_password = items[4]
+        return {"type": "alter_user", "user_name": user_name, "password": new_password}
+
+    def create_user(self, items):
+        user_name = items[2]
+        password = items[3]
+        return {"type": "create_user", "user_name": user_name, "password": password, "role": "user"}
+
+    def activate_user(self, items):
+        user_name = items[3]
+        activate_status = items[4]
+        return {"type": "activate_user", "activate_status": activate_status, "user_name": user_name}
+
+    def list_datasets(self, items):
+        user_name = items[3]
+        return {"type": "list_datasets", "user_name": user_name}
+
+    def list_agents(self, items):
+        user_name = items[3]
+        return {"type": "list_agents", "user_name": user_name}
+
+    def create_role(self, items):
+        role_name = items[2]
+        if len(items) > 4:
+            description = items[4]
+            return {"type": "create_role", "role_name": role_name, "description": description}
+        else:
+            return {"type": "create_role", "role_name": role_name}
+
+    def drop_role(self, items):
+        role_name = items[2]
+        return {"type": "drop_role", "role_name": role_name}
+
+    def alter_role(self, items):
+        role_name = items[2]
+        description = items[5]
+        return {"type": "alter_role", "role_name": role_name, "description": description}
+
+    def list_roles(self, items):
+        return {"type": "list_roles"}
+
+    def show_role(self, items):
+        role_name = items[2]
+        return {"type": "show_role", "role_name": role_name}
+
+    def grant_permission(self, items):
+        action_list = items[1]
+        resource = items[3]
+        role_name = items[6]
+        return {"type": "grant_permission", "role_name": role_name, "resource": resource, "actions": action_list}
+
+    def revoke_permission(self, items):
+        action_list = items[1]
+        resource = items[3]
+        role_name = items[6]
+        return {"type": "revoke_permission", "role_name": role_name, "resource": resource, "actions": action_list}
+
+    def alter_user_role(self, items):
+        user_name = items[2]
+        role_name = items[5]
+        return {"type": "alter_user_role", "user_name": user_name, "role_name": role_name}
+
+    def show_user_permission(self, items):
+        user_name = items[3]
+        return {"type": "show_user_permission", "user_name": user_name}
+
+    def show_version(self, items):
+        return {"type": "show_version"}
+
+    def grant_admin(self, items):
+        user_name = items[2]
+        return {"type": "grant_admin", "user_name": user_name}
+
+    def revoke_admin(self, items):
+        user_name = items[2]
+        return {"type": "revoke_admin", "user_name": user_name}
+
+    def generate_key(self, items):
+        user_name = items[4]
+        return {"type": "generate_key", "user_name": user_name}
+
+    def list_keys(self, items):
+        user_name = items[3]
+        return {"type": "list_keys", "user_name": user_name}
+
+    def drop_key(self, items):
+        key = items[2]
+        user_name = items[4]
+        return {"type": "drop_key", "key": key, "user_name": user_name}
+
+    def set_variable(self, items):
+        var_name = items[2]
+        var_value = items[3]
+        return {"type": "set_variable", "var_name": var_name, "var_value": var_value}
+
+    def show_variable(self, items):
+        var_name = items[2]
+        return {"type": "show_variable", "var_name": var_name}
+
+    def list_variables(self, items):
+        return {"type": "list_variables"}
+
+    def list_configs(self, items):
+        return {"type": "list_configs"}
+
+    def list_environments(self, items):
+        return {"type": "list_environments"}
+
+    def show_fingerprint(self, items):
+        return {"type": "show_fingerprint"}
+
+    def set_license(self, items):
+        license = items[2].children[0].strip("'\"")
+        return {"type": "set_license", "license": license}
+
+    def set_license_config(self, items):
+        value1: int = int(items[3])
+        value2: int = int(items[4])
+        return {"type": "set_license_config", "value1": value1, "value2": value2}
+
+    def show_license(self, items):
+        return {"type": "show_license"}
+
+    def check_license(self, items):
+        return {"type": "check_license"}
+
+    def list_server_configs(self, items):
+        return {"type": "list_server_configs"}
+
+    def create_model_provider(self, items):
+        provider_name = items[3].children[0].strip("'\"")
+        provider_key = items[4].children[0].strip("'\"")
+        return {"type": "create_model_provider", "provider_name": provider_name, "provider_key": provider_key}
+
+    def drop_model_provider(self, items):
+        provider_name = items[3].children[0].strip("'\"")
+        return {"type": "drop_model_provider", "provider_name": provider_name}
+
+    def show_current_user(self, items):
+        return {"type": "show_current_user"}
+
+    def set_default_llm(self, items):
+        llm_id = items[3].children[0].strip("'\"")
+        return {"type": "set_default_model", "model_type": "llm_id", "model_id": llm_id}
+
+    def set_default_vlm(self, items):
+        vlm_id = items[3].children[0].strip("'\"")
+        return {"type": "set_default_model", "model_type": "img2txt_id", "model_id": vlm_id}
+
+    def set_default_embedding(self, items):
+        embedding_id = items[3].children[0].strip("'\"")
+        return {"type": "set_default_model", "model_type": "embd_id", "model_id": embedding_id}
+
+    def set_default_reranker(self, items):
+        reranker_id = items[3].children[0].strip("'\"")
+        return {"type": "set_default_model", "model_type": "reranker_id", "model_id": reranker_id}
+
+    def set_default_asr(self, items):
+        asr_id = items[3].children[0].strip("'\"")
+        return {"type": "set_default_model", "model_type": "asr_id", "model_id": asr_id}
+
+    def set_default_tts(self, items):
+        tts_id = items[3].children[0].strip("'\"")
+        return {"type": "set_default_model", "model_type": "tts_id", "model_id": tts_id}
+
+    def reset_default_llm(self, items):
+        return {"type": "reset_default_model", "model_type": "llm_id"}
+
+    def reset_default_vlm(self, items):
+        return {"type": "reset_default_model", "model_type": "img2txt_id"}
+
+    def reset_default_embedding(self, items):
+        return {"type": "reset_default_model", "model_type": "embd_id"}
+
+    def reset_default_reranker(self, items):
+        return {"type": "reset_default_model", "model_type": "reranker_id"}
+
+    def reset_default_asr(self, items):
+        return {"type": "reset_default_model", "model_type": "asr_id"}
+
+    def reset_default_tts(self, items):
+        return {"type": "reset_default_model", "model_type": "tts_id"}
+
+    def list_user_datasets(self, items):
+        return {"type": "list_user_datasets"}
+
+    def create_user_dataset_with_parser(self, items):
+        dataset_name = items[2].children[0].strip("'\"")
+        embedding = items[5].children[0].strip("'\"")
+        parser_type = items[7].children[0].strip("'\"")
+        return {"type": "create_user_dataset", "dataset_name": dataset_name, "embedding": embedding,
+                "parser_type": parser_type}
+
+    def create_user_dataset_with_pipeline(self, items):
+        dataset_name = items[2].children[0].strip("'\"")
+        embedding = items[5].children[0].strip("'\"")
+        pipeline = items[7].children[0].strip("'\"")
+        return {"type": "create_user_dataset", "dataset_name": dataset_name, "embedding": embedding,
+                "pipeline": pipeline}
+
+    def drop_user_dataset(self, items):
+        dataset_name = items[2].children[0].strip("'\"")
+        return {"type": "drop_user_dataset", "dataset_name": dataset_name}
+
+    def list_user_dataset_files(self, items):
+        dataset_name = items[4].children[0].strip("'\"")
+        return {"type": "list_user_dataset_files", "dataset_name": dataset_name}
+
+    def list_user_dataset_documents(self, items):
+        dataset_name = items[4].children[0].strip("'\"")
+        return {"type": "list_user_dataset_documents", "dataset_name": dataset_name}
+
+    def list_user_datasets_metadata(self, items):
+        dataset_names = []
+        dataset_names.append(items[4].children[0].strip("'\""))
+        for i in range(5, len(items)):
+            if items[i] and hasattr(items[i], 'children') and items[i].children:
+                dataset_names.append(items[i].children[0].strip("'\""))
+        return {"type": "list_user_datasets_metadata", "dataset_names": dataset_names}
+
+    def list_user_documents_metadata_summary(self, items):
+        dataset_name = items[5].children[0].strip("'\"")
+        doc_ids = []
+        if len(items) > 6 and items[6] == "DOCUMENTS":
+            for i in range(7, len(items)):
+                if items[i] and hasattr(items[i], 'children') and items[i].children:
+                    doc_id = items[i].children[0].strip("'\"")
+                    doc_ids.append(doc_id)
+        return {"type": "list_user_documents_metadata_summary", "dataset_name": dataset_name, "document_ids": doc_ids}
+
+    def list_user_agents(self, items):
+        return {"type": "list_user_agents"}
+
+    def list_user_chats(self, items):
+        return {"type": "list_user_chats"}
+
+    def create_user_chat(self, items):
+        chat_name = items[2].children[0].strip("'\"")
+        return {"type": "create_user_chat", "chat_name": chat_name}
+
+    def drop_user_chat(self, items):
+        chat_name = items[2].children[0].strip("'\"")
+        return {"type": "drop_user_chat", "chat_name": chat_name}
+
+    def create_dataset_table(self, items):
+        dataset_name = None
+        vector_size = None
+        for i, item in enumerate(items):
+            if hasattr(item, 'data') and item.data == 'quoted_string':
+                dataset_name = item.children[0].strip("'\"")
+            if hasattr(item, 'type') and item.type == 'NUMBER':
+                if i > 0 and items[i-1].type == 'SIZE' and items[i-2].type == 'VECTOR':
+                    vector_size = int(item)
+        return {"type": "create_dataset_table", "dataset_name": dataset_name, "vector_size": vector_size}
+
+    def drop_dataset_table(self, items):
+        dataset_name = None
+        for item in items:
+            if hasattr(item, 'data') and item.data == 'quoted_string':
+                dataset_name = item.children[0].strip("'\"")
+        return {"type": "drop_dataset_table", "dataset_name": dataset_name}
+
+    def create_metadata_table(self, items):
+        return {"type": "create_metadata_table"}
+
+    def drop_metadata_table(self, items):
+        return {"type": "drop_metadata_table"}
+
+    def list_user_model_providers(self, items):
+        return {"type": "list_user_model_providers"}
+
+    def list_user_default_models(self, items):
+        return {"type": "list_user_default_models"}
+
+    def parse_dataset_docs(self, items):
+        document_list_str = items[1].children[0].strip("'\"")
+        document_names = document_list_str.split(",")
+        if len(document_names) == 1:
+            document_names = document_names[0]
+            document_names = document_names.split(" ")
+        dataset_name = items[4].children[0].strip("'\"")
+        return {"type": "parse_dataset_docs", "dataset_name": dataset_name, "document_names": document_names}
+
+    def parse_dataset_sync(self, items):
+        dataset_name = items[2].children[0].strip("'\"")
+        return {"type": "parse_dataset", "dataset_name": dataset_name, "method": "sync"}
+
+    def parse_dataset_async(self, items):
+        dataset_name = items[2].children[0].strip("'\"")
+        return {"type": "parse_dataset", "dataset_name": dataset_name, "method": "async"}
+
+    def create_chat_session(self, items):
+        chat_name = items[2].children[0].strip("'\"")
+        return {"type": "create_chat_session", "chat_name": chat_name}
+
+    def drop_chat_session(self, items):
+        chat_name = items[2].children[0].strip("'\"")
+        session_id = items[4].children[0].strip("'\"")
+        return {"type": "drop_chat_session", "chat_name": chat_name, "session_id": session_id}
+
+    def list_chat_sessions(self, items):
+        chat_name = items[2].children[0].strip("'\"")
+        return {"type": "list_chat_sessions", "chat_name": chat_name}
+
+    def chat_on_session(self, items):
+        message = items[1].children[0].strip("'\"")
+        chat_name = items[3].children[0].strip("'\"")
+        session_id = items[5].children[0].strip("'\"")
+        return {"type": "chat_on_session", "message": message, "chat_name": chat_name, "session_id": session_id}
+
+    def import_docs_into_dataset(self, items):
+        document_list_str = items[1].children[0].strip("'\"")
+        document_paths = document_list_str.split(",")
+        if len(document_paths) == 1:
+            document_paths = document_paths[0]
+            document_paths = document_paths.split(" ")
+        dataset_name = items[4].children[0].strip("'\"")
+        return {"type": "import_docs_into_dataset", "dataset_name": dataset_name, "document_paths": document_paths}
+
+    def search_on_datasets(self, items):
+        question = items[1].children[0].strip("'\"")
+        datasets_str = items[4].children[0].strip("'\"")
+        datasets = datasets_str.split(",")
+        if len(datasets) == 1:
+            datasets = datasets[0]
+            datasets = datasets.split(" ")
+        return {"type": "search_on_datasets", "datasets": datasets, "question": question}
+
+    def get_chunk(self, items):
+        chunk_id = items[2].children[0].strip("'\"")
+        return {"type": "get_chunk", "chunk_id": chunk_id}
+
+    def insert_dataset_from_file(self, items):
+        file_path = items[4].children[0].strip("'\"")
+        return {"type": "insert_dataset_from_file", "file_path": file_path}
+
+    def insert_metadata_from_file(self, items):
+        file_path = items[4].children[0].strip("'\"")
+        return {"type": "insert_metadata_from_file", "file_path": file_path}
+
+    def update_chunk(self, items):
+        def get_quoted_value(item):
+            if hasattr(item, 'children') and item.children:
+                return item.children[0].strip("'\"")
+            return str(item).strip("'\"")
+
+        chunk_id = get_quoted_value(items[2])
+        dataset_name = get_quoted_value(items[5])
+        json_body = get_quoted_value(items[7])
+        return {"type": "update_chunk", "chunk_id": chunk_id, "dataset_name": dataset_name, "json_body": json_body}
+
+    def set_metadata(self, items):
+        doc_id = items[4].children[0].strip("'\"")
+        meta_json = items[6].children[0].strip("'\"")
+        return {"type": "set_metadata", "doc_id": doc_id, "meta": meta_json}
+
+    def remove_tags(self, items):
+        # items: REMOVE, TAGS, quoted_string(tag1), quoted_string(tag2), ..., FROM, DATASET, quoted_string(dataset_name), ";"
+        tags = []
+        # Start from index 2 (after TAGS keyword) and parse quoted strings until FROM
+        for i in range(2, len(items)):
+            item = items[i]
+            # Check for FROM token to stop
+            if hasattr(item, 'type') and item.type == 'FROM':
+                break
+            if hasattr(item, 'children') and item.children:
+                tag = item.children[0].strip("'\"")
+                tags.append(tag)
+        # Find dataset_name: quoted_string after DATASET
+        dataset_name = None
+        for i, item in enumerate(items):
+            # Check if item is a DATASET token
+            if hasattr(item, 'type') and item.type == 'DATASET':
+                # Next item should be quoted_string
+                dataset_name = items[i + 1].children[0].strip("'\"")
+                break
+        return {"type": "remove_tags", "dataset_name": dataset_name, "tags": tags}
+
+    def remove_chunks(self, items):
+        # Handle two cases:
+        # 1. REMOVE CHUNKS quoted_string (COMMA quoted_string)* FROM DOCUMENT quoted_string ";"
+        # 2. REMOVE ALL CHUNKS FROM DOCUMENT quoted_string ";"
+
+        # Check if it's "REMOVE ALL CHUNKS"
+        for item in items:
+            if hasattr(item, 'type') and item.type == 'ALL':
+                # Find doc_id
+                for j, inner_item in enumerate(items):
+                    if hasattr(inner_item, 'type') and inner_item.type == 'DOCUMENT':
+                        doc_id = items[j + 1].children[0].strip("'\"")
+                        return {"type": "remove_chunks", "doc_id": doc_id, "delete_all": True}
+
+        # Otherwise, we have chunk_ids
+        chunk_ids = []
+        doc_id = None
+        for i, item in enumerate(items):
+            if hasattr(item, 'type') and item.type == 'DOCUMENT':
+                doc_id = items[i + 1].children[0].strip("'\"")
+            elif hasattr(item, 'children') and item.children:
+                val = item.children[0].strip("'\"")
+                # Skip if it's "FROM" or "DOCUMENT"
+                if val.upper() in ['FROM', 'DOCUMENT']:
+                    continue
+                chunk_ids.append(val)
+
+        return {"type": "remove_chunks", "doc_id": doc_id, "chunk_ids": chunk_ids}
+
+    def list_chunks(self, items):
+        doc_id = items[4].children[0].strip("'\"")
+        result = {"type": "list_chunks", "doc_id": doc_id}
+
+        # Parse optional parameters: PAGE, SIZE, KEYWORDS, AVAILABLE
+        # items structure varies based on which params are present
+        for i, item in enumerate(items):
+            if str(item) == "PAGE":
+                result["page"] = int(items[i + 1])
+            elif str(item) == "SIZE":
+                result["size"] = int(items[i + 1])
+            elif str(item) == "KEYWORDS":
+                result["keywords"] = items[i + 1].children[0].strip("'\"")
+            elif str(item) == "AVAILABLE":
+                result["available_int"] = int(items[i + 1])
+
+        return result
+
+    def benchmark(self, items):
+        concurrency: int = int(items[1])
+        iterations: int = int(items[2])
+        command = items[3].children[0]
+        return {"type": "benchmark", "concurrency": concurrency, "iterations": iterations, "command": command}
+
+    def action_list(self, items):
+        return items
+
+    def meta_command(self, items):
+        command_name = str(items[0]).lower()
+        args = items[1:] if len(items) > 1 else []
+
+        # handle quoted parameter
+        parsed_args = []
+        for arg in args:
+            if hasattr(arg, "value"):
+                parsed_args.append(arg.value)
+            else:
+                parsed_args.append(str(arg))
+
+        return {"type": "meta", "command": command_name, "args": parsed_args}
+
+    def meta_command_name(self, items):
+        return items[0]
+
+    def meta_args(self, items):
+        return items
--- a/admin/client/pyproject.toml
+++ b/admin/client/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "ragflow-cli"
-version = "0.23.1"
+version = "0.25.1"
 description = "Admin Service's client of [RAGFlow](https://github.com/infiniflow/ragflow). The Admin Service provides user management and system monitoring. "
 authors = [{ name = "Lynn", email = "lynn_inf@hotmail.com" }]
 license = { text = "Apache License, Version 2.0" }
@@ -11,14 +11,17 @@ dependencies = [
    "beartype>=0.20.0,<1.0.0",
    "pycryptodomex>=3.10.0",
    "lark>=1.1.0",
+    "requests-toolbelt>=1.0.0",
 ]

 [dependency-groups]
 test = [
    "pytest>=8.3.5",
    "requests>=2.32.3",
-    "requests-toolbelt>=1.0.0",
 ]

+[tool.setuptools]
+py-modules = ["ragflow_cli", "parser", "http_client", "ragflow_client", "user"]
+
 [project.scripts]
-ragflow-cli = "admin_client:main"
+ragflow-cli = "ragflow_cli:main"
--- a/admin/client/ragflow_cli.py
+++ b/admin/client/ragflow_cli.py
@@ -0,0 +1,347 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+import sys
+import argparse
+import base64
+import getpass
+import os
+import atexit
+import readline
+from cmd import Cmd
+from typing import Any, Dict, List
+
+import requests
+import warnings
+from Cryptodome.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
+from Cryptodome.PublicKey import RSA
+from lark import Lark, Tree
+from parser import GRAMMAR, RAGFlowCLITransformer
+from http_client import HttpClient
+from ragflow_client import RAGFlowClient, run_command
+from user import login_user
+
+warnings.filterwarnings("ignore", category=getpass.GetPassWarning)
+
+def encrypt(input_string):
+    pub = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArq9XTUSeYr2+N1h3Afl/z8Dse/2yD0ZGrKwx+EEEcdsBLca9Ynmx3nIB5obmLlSfmskLpBo0UACBmB5rEjBp2Q2f3AG3Hjd4B+gNCG6BDaawuDlgANIhGnaTLrIqWrrcm4EMzJOnAOI1fgzJRsOOUEfaS318Eq9OVO3apEyCCt0lOQK6PuksduOjVxtltDav+guVAA068NrPYmRNabVKRNLJpL8w4D44sfth5RvZ3q9t+6RTArpEtc5sh5ChzvqPOzKGMXW83C95TxmXqpbK6olN4RevSfVjEAgCydH6HN6OhtOQEcnrU97r9H0iZOWwbw3pVrZiUkuRD1R56Wzs2wIDAQAB\n-----END PUBLIC KEY-----"
+    pub_key = RSA.importKey(pub)
+    cipher = Cipher_pkcs1_v1_5.new(pub_key)
+    cipher_text = cipher.encrypt(base64.b64encode(input_string.encode("utf-8")))
+    return base64.b64encode(cipher_text).decode("utf-8")
+
+
+def encode_to_base64(input_string):
+    base64_encoded = base64.b64encode(input_string.encode("utf-8"))
+    return base64_encoded.decode("utf-8")
+
+
+
+
+
+class RAGFlowCLI(Cmd):
+    def __init__(self):
+        super().__init__()
+        self.parser = Lark(GRAMMAR, start="start", parser="lalr", transformer=RAGFlowCLITransformer())
+        self.command_history = []
+        self.account = "admin@ragflow.io"
+        self.account_password: str = "admin"
+        self.session = requests.Session()
+        self.host: str = ""
+        self.port: int = 0
+        self.mode: str = "admin"
+        self.ragflow_client = None
+        # History file for readline persistence
+        self.history_file = os.path.expanduser("~/.ragflow_cli_history")
+        # Load existing history
+        self._load_history()
+        # Register cleanup to save history on exit
+        atexit.register(self._save_history)
+
+    intro = r"""Type "\h" for help."""
+    prompt = "ragflow> "
+
+    def onecmd(self, command: str) -> bool:
+        try:
+            result = self.parse_command(command)
+
+            if isinstance(result, dict):
+                if "type" in result and result.get("type") == "empty":
+                    return False
+
+            self.execute_command(result)
+
+            if isinstance(result, Tree):
+                return False
+
+            if result.get("type") == "meta" and result.get("command") in ["q", "quit", "exit"]:
+                return True
+
+        except KeyboardInterrupt:
+            print("\nUse '\\q' to quit")
+        except EOFError:
+            print("\nGoodbye!")
+            return True
+        return False
+
+    def emptyline(self) -> bool:
+        return False
+
+    def default(self, line: str) -> bool:
+        return self.onecmd(line)
+
+    def parse_command(self, command_str: str) -> dict[str, str]:
+        if not command_str.strip():
+            return {"type": "empty"}
+
+        self.command_history.append(command_str)
+        readline.add_history(command_str)
+
+        try:
+            result = self.parser.parse(command_str)
+            return result
+        except Exception as e:
+            return {"type": "error", "message": f"Parse error: {str(e)}"}
+
+    def verify_auth(self, arguments: dict, single_command: bool, auth: bool):
+        server_type = arguments.get("type", "admin")
+        http_client = HttpClient(arguments["host"], arguments["port"])
+        if not auth:
+            self.ragflow_client = RAGFlowClient(http_client, server_type)
+            return True
+
+        user_name = arguments["username"]
+        attempt_count = 3
+        if single_command:
+            attempt_count = 1
+
+        try_count = 0
+        while True:
+            try_count += 1
+            if try_count > attempt_count:
+                return False
+
+            if single_command:
+                user_password = arguments["password"]
+            else:
+                user_password = getpass.getpass(f"password for {user_name}: ").strip()
+
+            try:
+                token = login_user(http_client, server_type, user_name, user_password)
+                http_client.login_token = token
+                self.ragflow_client = RAGFlowClient(http_client, server_type)
+                return True
+            except Exception as e:
+                print(str(e))
+                print("Can't access server for login (connection failed)")
+
+    def _format_service_detail_table(self, data):
+        if isinstance(data, list):
+            return data
+        if not all([isinstance(v, list) for v in data.values()]):
+            # normal table
+            return data
+        # handle task_executor heartbeats map, for example {'name': [{'done': 2, 'now': timestamp1}, {'done': 3, 'now': timestamp2}]
+        task_executor_list = []
+        for k, v in data.items():
+            # display latest status
+            heartbeats = sorted(v, key=lambda x: x["now"], reverse=True)
+            task_executor_list.append(
+                {
+                    "task_executor_name": k,
+                    **heartbeats[0],
+                }
+                if heartbeats
+                else {"task_executor_name": k}
+            )
+        return task_executor_list
+
+    def _print_table_simple(self, data):
+        if not data:
+            print("No data to print")
+            return
+        if isinstance(data, dict):
+            # handle single row data
+            data = [data]
+
+        columns = list(set().union(*(d.keys() for d in data)))
+        columns.sort()
+        col_widths = {}
+
+        def get_string_width(text):
+            half_width_chars = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\t\n\r"
+            width = 0
+            for char in text:
+                if char in half_width_chars:
+                    width += 1
+                else:
+                    width += 2
+            return width
+
+        for col in columns:
+            max_width = get_string_width(str(col))
+            for item in data:
+                value_len = get_string_width(str(item.get(col, "")))
+                if value_len > max_width:
+                    max_width = value_len
+            col_widths[col] = max(2, max_width)
+
+        # Generate delimiter
+        separator = "+" + "+".join(["-" * (col_widths[col] + 2) for col in columns]) + "+"
+
+        # Print header
+        print(separator)
+        header = "|" + "|".join([f" {col:<{col_widths[col]}} " for col in columns]) + "|"
+        print(header)
+        print(separator)
+
+        # Print data
+        for item in data:
+            row = "|"
+            for col in columns:
+                value = str(item.get(col, ""))
+                if get_string_width(value) > col_widths[col]:
+                    value = value[: col_widths[col] - 3] + "..."
+                row += f" {value:<{col_widths[col] - (get_string_width(value) - len(value))}} |"
+            print(row)
+
+        print(separator)
+
+    def _load_history(self):
+        """Load command history from file."""
+        try:
+            if os.path.exists(self.history_file):
+                readline.read_history_file(self.history_file)
+        except Exception:
+            pass  # Ignore errors loading history
+
+    def _save_history(self):
+        """Save command history to file."""
+        try:
+            readline.write_history_file(self.history_file)
+        except Exception:
+            pass  # Ignore errors saving history
+
+    def run_interactive(self, args):
+        if self.verify_auth(args, single_command=False, auth=args["auth"]):
+            print(r"""
+                ____  ___   ______________                 ________    ____
+               / __ \/   | / ____/ ____/ /___ _      __   / ____/ /   /  _/
+              / /_/ / /| |/ / __/ /_  / / __ \ | /| / /  / /   / /    / /  
+             / _, _/ ___ / /_/ / __/ / / /_/ / |/ |/ /  / /___/ /____/ /   
+            /_/ |_/_/  |_\____/_/   /_/\____/|__/|__/   \____/_____/___/   
+            """)
+            self.cmdloop()
+
+        print("RAGFlow command line interface - Type '\\?' for help, '\\q' to quit")
+
+    def run_single_command(self, args):
+        if self.verify_auth(args, single_command=True, auth=args["auth"]):
+            command = args["command"]
+            result = self.parse_command(command)
+            self.execute_command(result)
+
+
+    def parse_connection_args(self, args: List[str]) -> Dict[str, Any]:
+        parser = argparse.ArgumentParser(description="RAGFlow CLI Client", add_help=False)
+        parser.add_argument("-h", "--host", default="127.0.0.1", help="Admin or RAGFlow service host")
+        parser.add_argument("-p", "--port", type=int, default=9381, help="Admin or RAGFlow service port")
+        parser.add_argument("-w", "--password", default="admin", type=str, help="Superuser password")
+        parser.add_argument("-t", "--type", default="admin", type=str, help="CLI mode, admin or user")
+        parser.add_argument("-u", "--username", default=None,
+                            help="Username (email). In admin mode defaults to admin@ragflow.io, in user mode required.")
+        parser.add_argument("command", nargs="?", help="Single command")
+        try:
+            parsed_args, remaining_args = parser.parse_known_args(args)
+            # Determine username based on mode
+            username = parsed_args.username
+            if parsed_args.type == "admin":
+                if username is None:
+                    username = "admin@ragflow.io"
+
+            if remaining_args:
+                if remaining_args[0] == "command":
+                    command_str = ' '.join(remaining_args[1:]) + ';'
+                    auth = True
+                    if remaining_args[1] == "register":
+                        auth = False
+                    else:
+                        if username is None:
+                            print("Error: username (-u) is required in user mode")
+                            return {"error": "Username required"}
+                    return {
+                        "host": parsed_args.host,
+                        "port": parsed_args.port,
+                        "password": parsed_args.password,
+                        "type": parsed_args.type,
+                        "username": username,
+                        "command": command_str,
+                        "auth": auth
+                    }
+                else:
+                    return {"error": "Invalid command"}
+            else:
+                auth = True
+                if username is None:
+                    auth = False
+                return {
+                    "host": parsed_args.host,
+                    "port": parsed_args.port,
+                    "type": parsed_args.type,
+                    "username": username,
+                    "auth": auth
+                }
+        except SystemExit:
+            return {"error": "Invalid connection arguments"}
+
+    def execute_command(self, parsed_command: Dict[str, Any]):
+        command_dict: dict
+        if isinstance(parsed_command, Tree):
+            command_dict = parsed_command.children[0]
+        else:
+            if parsed_command["type"] == "error":
+                print(f"Error: {parsed_command['message']}")
+                return
+            else:
+                command_dict = parsed_command
+
+        # print(f"Parsed command: {command_dict}")
+        run_command(self.ragflow_client, command_dict)
+
+def main():
+
+    cli = RAGFlowCLI()
+
+    args = cli.parse_connection_args(sys.argv)
+    if "error" in args:
+        print("Error: Invalid connection arguments")
+        return
+
+    if "command" in args:
+        # single command mode
+        # for user mode, api key or password is ok
+        # for admin mode, only password
+        if "password" not in args:
+            print("Error: password is missing")
+            return
+
+        cli.run_single_command(args)
+    else:
+        cli.run_interactive(args)
+
+
+if __name__ == "__main__":
+    main()
--- a/admin/client/ragflow_client.py
+++ b/admin/client/ragflow_client.py
--- a/admin/client/user.py
+++ b/admin/client/user.py
@@ -0,0 +1,77 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+from http_client import HttpClient
+
+
+class AuthException(Exception):
+    def __init__(self, message, code=401):
+        super().__init__(message)
+        self.code = code
+        self.message = message
+
+
+def encrypt_password(password_plain: str) -> str:
+    try:
+        import base64
+        from Cryptodome.PublicKey import RSA
+        from Cryptodome.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
+        def crypt(line):
+            """
+            decrypt(crypt(input_string)) == base64(input_string), which frontend and ragflow_cli use.
+            """
+            pub = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArq9XTUSeYr2+N1h3Afl/z8Dse/2yD0ZGrKwx+EEEcdsBLca9Ynmx3nIB5obmLlSfmskLpBo0UACBmB5rEjBp2Q2f3AG3Hjd4B+gNCG6BDaawuDlgANIhGnaTLrIqWrrcm4EMzJOnAOI1fgzJRsOOUEfaS318Eq9OVO3apEyCCt0lOQK6PuksduOjVxtltDav+guVAA068NrPYmRNabVKRNLJpL8w4D44sfth5RvZ3q9t+6RTArpEtc5sh5ChzvqPOzKGMXW83C95TxmXqpbK6olN4RevSfVjEAgCydH6HN6OhtOQEcnrU97r9H0iZOWwbw3pVrZiUkuRD1R56Wzs2wIDAQAB\n-----END PUBLIC KEY-----"
+            rsa_key = RSA.importKey(pub)
+            cipher = Cipher_pkcs1_v1_5.new(rsa_key)
+            password_base64 = base64.b64encode(line.encode('utf-8')).decode("utf-8")
+            encrypted_password = cipher.encrypt(password_base64.encode())
+            return base64.b64encode(encrypted_password).decode('utf-8')
+    except Exception as exc:
+        raise AuthException(
+            "Password encryption unavailable; install pycryptodomex (uv sync --python 3.12 --group test)."
+        ) from exc
+    return crypt(password_plain)
+
+
+def register_user(client: HttpClient, email: str, nickname: str, password: str) -> None:
+    password_enc = encrypt_password(password)
+    payload = {"email": email, "nickname": nickname, "password": password_enc}
+    res = client.request_json("POST", "/user/register", use_api_base=False, auth_kind=None, json_body=payload)
+    if res.get("code") == 0:
+        return
+    msg = res.get("message", "")
+    if "has already registered" in msg:
+        return
+    raise AuthException(f"Register failed: {msg}")
+
+
+def login_user(client: HttpClient, server_type: str, email: str, password: str) -> str:
+    password_enc = encrypt_password(password)
+    payload = {"email": email, "password": password_enc}
+    if server_type == "admin":
+        response = client.request("POST", "/admin/login", use_api_base=True, auth_kind=None, json_body=payload)
+    else:
+        response = client.request("POST", "/user/login", use_api_base=False, auth_kind=None, json_body=payload)
+    try:
+        res = response.json()
+    except Exception as exc:
+        raise AuthException(f"Login failed: invalid JSON response ({exc})") from exc
+    if res.get("code") != 0:
+        raise AuthException(f"Login failed: {res.get('message')}")
+    token = response.headers.get("Authorization")
+    if not token:
+        raise AuthException("Login failed: missing Authorization header")
+    return token
--- a/admin/client/uv.lock
+++ b/admin/client/uv.lock
@@ -1,6 +1,6 @@
 version = 1
 revision = 3
-requires-python = ">=3.10, <3.13"
+requires-python = ">=3.12, <3.15"

 [[package]]
 name = "beartype"
@@ -26,38 +26,6 @@ version = "3.4.4"
 source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
 sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/13/69/33ddede1939fdd074bce5434295f38fae7136463422fe4fd3e0e89b98062/charset_normalizer-3.4.4.tar.gz", hash = "sha256:94537985111c35f28720e43603b8e7b43a6ecfb2ce1d3058bbe955b73404e21a", size = 129418, upload-time = "2025-10-14T04:42:32.879Z" }
 wheels = [
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/1f/b8/6d51fc1d52cbd52cd4ccedd5b5b2f0f6a11bbf6765c782298b0f3e808541/charset_normalizer-3.4.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:e824f1492727fa856dd6eda4f7cee25f8518a12f3c4a56a74e8095695089cf6d", size = 209709, upload-time = "2025-10-14T04:40:11.385Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/5c/af/1f9d7f7faafe2ddfb6f72a2e07a548a629c61ad510fe60f9630309908fef/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:4bd5d4137d500351a30687c2d3971758aac9a19208fc110ccb9d7188fbe709e8", size = 148814, upload-time = "2025-10-14T04:40:13.135Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/79/3d/f2e3ac2bbc056ca0c204298ea4e3d9db9b4afe437812638759db2c976b5f/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:027f6de494925c0ab2a55eab46ae5129951638a49a34d87f4c3eda90f696b4ad", size = 144467, upload-time = "2025-10-14T04:40:14.728Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/ec/85/1bf997003815e60d57de7bd972c57dc6950446a3e4ccac43bc3070721856/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f820802628d2694cb7e56db99213f930856014862f3fd943d290ea8438d07ca8", size = 162280, upload-time = "2025-10-14T04:40:16.14Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/3e/8e/6aa1952f56b192f54921c436b87f2aaf7c7a7c3d0d1a765547d64fd83c13/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:798d75d81754988d2565bff1b97ba5a44411867c0cf32b77a7e8f8d84796b10d", size = 159454, upload-time = "2025-10-14T04:40:17.567Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/36/3b/60cbd1f8e93aa25d1c669c649b7a655b0b5fb4c571858910ea9332678558/charset_normalizer-3.4.4-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9d1bb833febdff5c8927f922386db610b49db6e0d4f4ee29601d71e7c2694313", size = 153609, upload-time = "2025-10-14T04:40:19.08Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/64/91/6a13396948b8fd3c4b4fd5bc74d045f5637d78c9675585e8e9fbe5636554/charset_normalizer-3.4.4-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:9cd98cdc06614a2f768d2b7286d66805f94c48cde050acdbbb7db2600ab3197e", size = 151849, upload-time = "2025-10-14T04:40:20.607Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/b7/7a/59482e28b9981d105691e968c544cc0df3b7d6133152fb3dcdc8f135da7a/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:077fbb858e903c73f6c9db43374fd213b0b6a778106bc7032446a8e8b5b38b93", size = 151586, upload-time = "2025-10-14T04:40:21.719Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/92/59/f64ef6a1c4bdd2baf892b04cd78792ed8684fbc48d4c2afe467d96b4df57/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:244bfb999c71b35de57821b8ea746b24e863398194a4014e4c76adc2bbdfeff0", size = 145290, upload-time = "2025-10-14T04:40:23.069Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/6b/63/3bf9f279ddfa641ffa1962b0db6a57a9c294361cc2f5fcac997049a00e9c/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:64b55f9dce520635f018f907ff1b0df1fdc31f2795a922fb49dd14fbcdf48c84", size = 163663, upload-time = "2025-10-14T04:40:24.17Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/ed/09/c9e38fc8fa9e0849b172b581fd9803bdf6e694041127933934184e19f8c3/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:faa3a41b2b66b6e50f84ae4a68c64fcd0c44355741c6374813a800cd6695db9e", size = 151964, upload-time = "2025-10-14T04:40:25.368Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d2/d1/d28b747e512d0da79d8b6a1ac18b7ab2ecfd81b2944c4c710e166d8dd09c/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:6515f3182dbe4ea06ced2d9e8666d97b46ef4c75e326b79bb624110f122551db", size = 161064, upload-time = "2025-10-14T04:40:26.806Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/bb/9a/31d62b611d901c3b9e5500c36aab0ff5eb442043fb3a1c254200d3d397d9/charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:cc00f04ed596e9dc0da42ed17ac5e596c6ccba999ba6bd92b0e0aef2f170f2d6", size = 155015, upload-time = "2025-10-14T04:40:28.284Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/1f/f3/107e008fa2bff0c8b9319584174418e5e5285fef32f79d8ee6a430d0039c/charset_normalizer-3.4.4-cp310-cp310-win32.whl", hash = "sha256:f34be2938726fc13801220747472850852fe6b1ea75869a048d6f896838c896f", size = 99792, upload-time = "2025-10-14T04:40:29.613Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/eb/66/e396e8a408843337d7315bab30dbf106c38966f1819f123257f5520f8a96/charset_normalizer-3.4.4-cp310-cp310-win_amd64.whl", hash = "sha256:a61900df84c667873b292c3de315a786dd8dac506704dea57bc957bd31e22c7d", size = 107198, upload-time = "2025-10-14T04:40:30.644Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/b5/58/01b4f815bf0312704c267f2ccb6e5d42bcc7752340cd487bc9f8c3710597/charset_normalizer-3.4.4-cp310-cp310-win_arm64.whl", hash = "sha256:cead0978fc57397645f12578bfd2d5ea9138ea0fac82b2f63f7f7c6877986a69", size = 100262, upload-time = "2025-10-14T04:40:32.108Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/ed/27/c6491ff4954e58a10f69ad90aca8a1b6fe9c5d3c6f380907af3c37435b59/charset_normalizer-3.4.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6e1fcf0720908f200cd21aa4e6750a48ff6ce4afe7ff5a79a90d5ed8a08296f8", size = 206988, upload-time = "2025-10-14T04:40:33.79Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/94/59/2e87300fe67ab820b5428580a53cad894272dbb97f38a7a814a2a1ac1011/charset_normalizer-3.4.4-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5f819d5fe9234f9f82d75bdfa9aef3a3d72c4d24a6e57aeaebba32a704553aa0", size = 147324, upload-time = "2025-10-14T04:40:34.961Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/07/fb/0cf61dc84b2b088391830f6274cb57c82e4da8bbc2efeac8c025edb88772/charset_normalizer-3.4.4-cp311-cp311-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:a59cb51917aa591b1c4e6a43c132f0cdc3c76dbad6155df4e28ee626cc77a0a3", size = 142742, upload-time = "2025-10-14T04:40:36.105Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/62/8b/171935adf2312cd745d290ed93cf16cf0dfe320863ab7cbeeae1dcd6535f/charset_normalizer-3.4.4-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:8ef3c867360f88ac904fd3f5e1f902f13307af9052646963ee08ff4f131adafc", size = 160863, upload-time = "2025-10-14T04:40:37.188Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/09/73/ad875b192bda14f2173bfc1bc9a55e009808484a4b256748d931b6948442/charset_normalizer-3.4.4-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d9e45d7faa48ee908174d8fe84854479ef838fc6a705c9315372eacbc2f02897", size = 157837, upload-time = "2025-10-14T04:40:38.435Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/6d/fc/de9cce525b2c5b94b47c70a4b4fb19f871b24995c728e957ee68ab1671ea/charset_normalizer-3.4.4-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:840c25fb618a231545cbab0564a799f101b63b9901f2569faecd6b222ac72381", size = 151550, upload-time = "2025-10-14T04:40:40.053Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/55/c2/43edd615fdfba8c6f2dfbd459b25a6b3b551f24ea21981e23fb768503ce1/charset_normalizer-3.4.4-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:ca5862d5b3928c4940729dacc329aa9102900382fea192fc5e52eb69d6093815", size = 149162, upload-time = "2025-10-14T04:40:41.163Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/03/86/bde4ad8b4d0e9429a4e82c1e8f5c659993a9a863ad62c7df05cf7b678d75/charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d9c7f57c3d666a53421049053eaacdd14bbd0a528e2186fcb2e672effd053bb0", size = 150019, upload-time = "2025-10-14T04:40:42.276Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/1f/86/a151eb2af293a7e7bac3a739b81072585ce36ccfb4493039f49f1d3cae8c/charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:277e970e750505ed74c832b4bf75dac7476262ee2a013f5574dd49075879e161", size = 143310, upload-time = "2025-10-14T04:40:43.439Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/b5/fe/43dae6144a7e07b87478fdfc4dbe9efd5defb0e7ec29f5f58a55aeef7bf7/charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:31fd66405eaf47bb62e8cd575dc621c56c668f27d46a61d975a249930dd5e2a4", size = 162022, upload-time = "2025-10-14T04:40:44.547Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/80/e6/7aab83774f5d2bca81f42ac58d04caf44f0cc2b65fc6db2b3b2e8a05f3b3/charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:0d3d8f15c07f86e9ff82319b3d9ef6f4bf907608f53fe9d92b28ea9ae3d1fd89", size = 149383, upload-time = "2025-10-14T04:40:46.018Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/4f/e8/b289173b4edae05c0dde07f69f8db476a0b511eac556dfe0d6bda3c43384/charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:9f7fcd74d410a36883701fafa2482a6af2ff5ba96b9a620e9e0721e28ead5569", size = 159098, upload-time = "2025-10-14T04:40:47.081Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d8/df/fe699727754cae3f8478493c7f45f777b17c3ef0600e28abfec8619eb49c/charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:ebf3e58c7ec8a8bed6d66a75d7fb37b55e5015b03ceae72a8e7c74495551e224", size = 152991, upload-time = "2025-10-14T04:40:48.246Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/1a/86/584869fe4ddb6ffa3bd9f491b87a01568797fb9bd8933f557dba9771beaf/charset_normalizer-3.4.4-cp311-cp311-win32.whl", hash = "sha256:eecbc200c7fd5ddb9a7f16c7decb07b566c29fa2161a16cf67b8d068bd21690a", size = 99456, upload-time = "2025-10-14T04:40:49.376Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/65/f6/62fdd5feb60530f50f7e38b4f6a1d5203f4d16ff4f9f0952962c044e919a/charset_normalizer-3.4.4-cp311-cp311-win_amd64.whl", hash = "sha256:5ae497466c7901d54b639cf42d5b8c1b6a4fead55215500d2f486d34db48d016", size = 106978, upload-time = "2025-10-14T04:40:50.844Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/7a/9d/0710916e6c82948b3be62d9d398cb4fcf4e97b56d6a6aeccd66c4b2f2bd5/charset_normalizer-3.4.4-cp311-cp311-win_arm64.whl", hash = "sha256:65e2befcd84bc6f37095f5961e68a6f077bf44946771354a28ad434c2cce0ae1", size = 99969, upload-time = "2025-10-14T04:40:52.272Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/f3/85/1637cd4af66fa687396e757dec650f28025f2a2f5a5531a3208dc0ec43f2/charset_normalizer-3.4.4-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:0a98e6759f854bd25a58a73fa88833fba3b7c491169f86ce1180c948ab3fd394", size = 208425, upload-time = "2025-10-14T04:40:53.353Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/9d/6a/04130023fef2a0d9c62d0bae2649b69f7b7d8d24ea5536feef50551029df/charset_normalizer-3.4.4-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b5b290ccc2a263e8d185130284f8501e3e36c5e02750fc6b6bdeb2e9e96f1e25", size = 148162, upload-time = "2025-10-14T04:40:54.558Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/78/29/62328d79aa60da22c9e0b9a66539feae06ca0f5a4171ac4f7dc285b83688/charset_normalizer-3.4.4-cp312-cp312-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74bb723680f9f7a6234dcf67aea57e708ec1fbdf5699fb91dfd6f511b0a320ef", size = 144558, upload-time = "2025-10-14T04:40:55.677Z" },
@@ -74,6 +42,38 @@ wheels = [
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/a8/ef/89297262b8092b312d29cdb2517cb1237e51db8ecef2e9af5edbe7b683b1/charset_normalizer-3.4.4-cp312-cp312-win32.whl", hash = "sha256:5833d2c39d8896e4e19b689ffc198f08ea58116bee26dea51e362ecc7cd3ed26", size = 99694, upload-time = "2025-10-14T04:41:09.23Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/3d/2d/1e5ed9dd3b3803994c155cd9aacb60c82c331bad84daf75bcb9c91b3295e/charset_normalizer-3.4.4-cp312-cp312-win_amd64.whl", hash = "sha256:a79cfe37875f822425b89a82333404539ae63dbdddf97f84dcbc3d339aae9525", size = 107131, upload-time = "2025-10-14T04:41:10.467Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d0/d9/0ed4c7098a861482a7b6a95603edce4c0d9db2311af23da1fb2b75ec26fc/charset_normalizer-3.4.4-cp312-cp312-win_arm64.whl", hash = "sha256:376bec83a63b8021bb5c8ea75e21c4ccb86e7e45ca4eb81146091b56599b80c3", size = 100390, upload-time = "2025-10-14T04:41:11.915Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/97/45/4b3a1239bbacd321068ea6e7ac28875b03ab8bc0aa0966452db17cd36714/charset_normalizer-3.4.4-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:e1f185f86a6f3403aa2420e815904c67b2f9ebc443f045edd0de921108345794", size = 208091, upload-time = "2025-10-14T04:41:13.346Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/7d/62/73a6d7450829655a35bb88a88fca7d736f9882a27eacdca2c6d505b57e2e/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6b39f987ae8ccdf0d2642338faf2abb1862340facc796048b604ef14919e55ed", size = 147936, upload-time = "2025-10-14T04:41:14.461Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/89/c5/adb8c8b3d6625bef6d88b251bbb0d95f8205831b987631ab0c8bb5d937c2/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:3162d5d8ce1bb98dd51af660f2121c55d0fa541b46dff7bb9b9f86ea1d87de72", size = 144180, upload-time = "2025-10-14T04:41:15.588Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/91/ed/9706e4070682d1cc219050b6048bfd293ccf67b3d4f5a4f39207453d4b99/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:81d5eb2a312700f4ecaa977a8235b634ce853200e828fbadf3a9c50bab278328", size = 161346, upload-time = "2025-10-14T04:41:16.738Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d5/0d/031f0d95e4972901a2f6f09ef055751805ff541511dc1252ba3ca1f80cf5/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5bd2293095d766545ec1a8f612559f6b40abc0eb18bb2f5d1171872d34036ede", size = 158874, upload-time = "2025-10-14T04:41:17.923Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/f5/83/6ab5883f57c9c801ce5e5677242328aa45592be8a00644310a008d04f922/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a8a8b89589086a25749f471e6a900d3f662d1d3b6e2e59dcecf787b1cc3a1894", size = 153076, upload-time = "2025-10-14T04:41:19.106Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/75/1e/5ff781ddf5260e387d6419959ee89ef13878229732732ee73cdae01800f2/charset_normalizer-3.4.4-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:bc7637e2f80d8530ee4a78e878bce464f70087ce73cf7c1caf142416923b98f1", size = 150601, upload-time = "2025-10-14T04:41:20.245Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d7/57/71be810965493d3510a6ca79b90c19e48696fb1ff964da319334b12677f0/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f8bf04158c6b607d747e93949aa60618b61312fe647a6369f88ce2ff16043490", size = 150376, upload-time = "2025-10-14T04:41:21.398Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/e5/d5/c3d057a78c181d007014feb7e9f2e65905a6c4ef182c0ddf0de2924edd65/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:554af85e960429cf30784dd47447d5125aaa3b99a6f0683589dbd27e2f45da44", size = 144825, upload-time = "2025-10-14T04:41:22.583Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/e6/8c/d0406294828d4976f275ffbe66f00266c4b3136b7506941d87c00cab5272/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:74018750915ee7ad843a774364e13a3db91682f26142baddf775342c3f5b1133", size = 162583, upload-time = "2025-10-14T04:41:23.754Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d7/24/e2aa1f18c8f15c4c0e932d9287b8609dd30ad56dbe41d926bd846e22fb8d/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:c0463276121fdee9c49b98908b3a89c39be45d86d1dbaa22957e38f6321d4ce3", size = 150366, upload-time = "2025-10-14T04:41:25.27Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/e4/5b/1e6160c7739aad1e2df054300cc618b06bf784a7a164b0f238360721ab86/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:362d61fd13843997c1c446760ef36f240cf81d3ebf74ac62652aebaf7838561e", size = 160300, upload-time = "2025-10-14T04:41:26.725Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/7a/10/f882167cd207fbdd743e55534d5d9620e095089d176d55cb22d5322f2afd/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:9a26f18905b8dd5d685d6d07b0cdf98a79f3c7a918906af7cc143ea2e164c8bc", size = 154465, upload-time = "2025-10-14T04:41:28.322Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/89/66/c7a9e1b7429be72123441bfdbaf2bc13faab3f90b933f664db506dea5915/charset_normalizer-3.4.4-cp313-cp313-win32.whl", hash = "sha256:9b35f4c90079ff2e2edc5b26c0c77925e5d2d255c42c74fdb70fb49b172726ac", size = 99404, upload-time = "2025-10-14T04:41:29.95Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/c4/26/b9924fa27db384bdcd97ab83b4f0a8058d96ad9626ead570674d5e737d90/charset_normalizer-3.4.4-cp313-cp313-win_amd64.whl", hash = "sha256:b435cba5f4f750aa6c0a0d92c541fb79f69a387c91e61f1795227e4ed9cece14", size = 107092, upload-time = "2025-10-14T04:41:31.188Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/af/8f/3ed4bfa0c0c72a7ca17f0380cd9e4dd842b09f664e780c13cff1dcf2ef1b/charset_normalizer-3.4.4-cp313-cp313-win_arm64.whl", hash = "sha256:542d2cee80be6f80247095cc36c418f7bddd14f4a6de45af91dfad36d817bba2", size = 100408, upload-time = "2025-10-14T04:41:32.624Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/2a/35/7051599bd493e62411d6ede36fd5af83a38f37c4767b92884df7301db25d/charset_normalizer-3.4.4-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:da3326d9e65ef63a817ecbcc0df6e94463713b754fe293eaa03da99befb9a5bd", size = 207746, upload-time = "2025-10-14T04:41:33.773Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/10/9a/97c8d48ef10d6cd4fcead2415523221624bf58bcf68a802721a6bc807c8f/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:8af65f14dc14a79b924524b1e7fffe304517b2bff5a58bf64f30b98bbc5079eb", size = 147889, upload-time = "2025-10-14T04:41:34.897Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/10/bf/979224a919a1b606c82bd2c5fa49b5c6d5727aa47b4312bb27b1734f53cd/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74664978bb272435107de04e36db5a9735e78232b85b77d45cfb38f758efd33e", size = 143641, upload-time = "2025-10-14T04:41:36.116Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/ba/33/0ad65587441fc730dc7bd90e9716b30b4702dc7b617e6ba4997dc8651495/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:752944c7ffbfdd10c074dc58ec2d5a8a4cd9493b314d367c14d24c17684ddd14", size = 160779, upload-time = "2025-10-14T04:41:37.229Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/67/ed/331d6b249259ee71ddea93f6f2f0a56cfebd46938bde6fcc6f7b9a3d0e09/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d1f13550535ad8cff21b8d757a3257963e951d96e20ec82ab44bc64aeb62a191", size = 159035, upload-time = "2025-10-14T04:41:38.368Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/67/ff/f6b948ca32e4f2a4576aa129d8bed61f2e0543bf9f5f2b7fc3758ed005c9/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ecaae4149d99b1c9e7b88bb03e3221956f68fd6d50be2ef061b2381b61d20838", size = 152542, upload-time = "2025-10-14T04:41:39.862Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/16/85/276033dcbcc369eb176594de22728541a925b2632f9716428c851b149e83/charset_normalizer-3.4.4-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:cb6254dc36b47a990e59e1068afacdcd02958bdcce30bb50cc1700a8b9d624a6", size = 149524, upload-time = "2025-10-14T04:41:41.319Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/9e/f2/6a2a1f722b6aba37050e626530a46a68f74e63683947a8acff92569f979a/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:c8ae8a0f02f57a6e61203a31428fa1d677cbe50c93622b4149d5c0f319c1d19e", size = 150395, upload-time = "2025-10-14T04:41:42.539Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/60/bb/2186cb2f2bbaea6338cad15ce23a67f9b0672929744381e28b0592676824/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:47cc91b2f4dd2833fddaedd2893006b0106129d4b94fdb6af1f4ce5a9965577c", size = 143680, upload-time = "2025-10-14T04:41:43.661Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/7d/a5/bf6f13b772fbb2a90360eb620d52ed8f796f3c5caee8398c3b2eb7b1c60d/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:82004af6c302b5d3ab2cfc4cc5f29db16123b1a8417f2e25f9066f91d4411090", size = 162045, upload-time = "2025-10-14T04:41:44.821Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/df/c5/d1be898bf0dc3ef9030c3825e5d3b83f2c528d207d246cbabe245966808d/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:2b7d8f6c26245217bd2ad053761201e9f9680f8ce52f0fcd8d0755aeae5b2152", size = 149687, upload-time = "2025-10-14T04:41:46.442Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/a5/42/90c1f7b9341eef50c8a1cb3f098ac43b0508413f33affd762855f67a410e/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:799a7a5e4fb2d5898c60b640fd4981d6a25f1c11790935a44ce38c54e985f828", size = 160014, upload-time = "2025-10-14T04:41:47.631Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/76/be/4d3ee471e8145d12795ab655ece37baed0929462a86e72372fd25859047c/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:99ae2cffebb06e6c22bdc25801d7b30f503cc87dbd283479e7b606f70aff57ec", size = 154044, upload-time = "2025-10-14T04:41:48.81Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/b0/6f/8f7af07237c34a1defe7defc565a9bc1807762f672c0fde711a4b22bf9c0/charset_normalizer-3.4.4-cp314-cp314-win32.whl", hash = "sha256:f9d332f8c2a2fcbffe1378594431458ddbef721c1769d78e2cbc06280d8155f9", size = 99940, upload-time = "2025-10-14T04:41:49.946Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/4b/51/8ade005e5ca5b0d80fb4aff72a3775b325bdc3d27408c8113811a7cbe640/charset_normalizer-3.4.4-cp314-cp314-win_amd64.whl", hash = "sha256:8a6562c3700cce886c5be75ade4a5db4214fda19fede41d9792d100288d8f94c", size = 107104, upload-time = "2025-10-14T04:41:51.051Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/da/5f/6b8f83a55bb8278772c5ae54a577f3099025f9ade59d0136ac24a0df4bde/charset_normalizer-3.4.4-cp314-cp314-win_arm64.whl", hash = "sha256:de00632ca48df9daf77a2c65a484531649261ec9f25489917f09e455cb09ddb2", size = 100743, upload-time = "2025-10-14T04:41:52.122Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/0a/4c/925909008ed5a988ccbb72dcc897407e5d6d3bd72410d69e051fc0c14647/charset_normalizer-3.4.4-py3-none-any.whl", hash = "sha256:7a32c560861a02ff789ad905a2fe94e3f840803362c84fecf1851cb4cf3dc37f", size = 53402, upload-time = "2025-10-14T04:42:31.76Z" },
 ]

@@ -86,18 +86,6 @@ wheels = [
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" },
 ]

-[[package]]
-name = "exceptiongroup"
-version = "1.3.1"
-source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
-dependencies = [
-    { name = "typing-extensions" },
-]
-sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/50/79/66800aadf48771f6b62f7eb014e352e5d06856655206165d775e675a02c9/exceptiongroup-1.3.1.tar.gz", hash = "sha256:8b412432c6055b0b7d14c310000ae93352ed6754f70fa8f7c34141f91c4e3219", size = 30371, upload-time = "2025-11-21T23:01:54.787Z" }
-wheels = [
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/8a/0e/97c33bf5009bdbac74fd2beace167cab3f978feb69cc36f1ef79360d6c4e/exceptiongroup-1.3.1-py3-none-any.whl", hash = "sha256:a7a39a3bd276781e98394987d3a5701d0c4edffb633bb7a5144577f82c773598", size = 16740, upload-time = "2025-11-21T23:01:53.443Z" },
-]
-
 [[package]]
 name = "idna"
 version = "3.11"
@@ -149,6 +137,17 @@ version = "3.23.0"
 source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
 sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/c9/85/e24bf90972a30b0fcd16c73009add1d7d7cd9140c2498a68252028899e41/pycryptodomex-3.23.0.tar.gz", hash = "sha256:71909758f010c82bc99b0abf4ea12012c98962fbf0583c2164f8b84533c2e4da", size = 4922157, upload-time = "2025-05-17T17:23:41.434Z" }
 wheels = [
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/2e/00/10edb04777069a42490a38c137099d4b17ba6e36a4e6e28bdc7470e9e853/pycryptodomex-3.23.0-cp313-cp313t-macosx_10_13_universal2.whl", hash = "sha256:7b37e08e3871efe2187bc1fd9320cc81d87caf19816c648f24443483005ff886", size = 2498764, upload-time = "2025-05-17T17:22:21.453Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/6b/3f/2872a9c2d3a27eac094f9ceaa5a8a483b774ae69018040ea3240d5b11154/pycryptodomex-3.23.0-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:91979028227543010d7b2ba2471cf1d1e398b3f183cb105ac584df0c36dac28d", size = 1643012, upload-time = "2025-05-17T17:22:23.702Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/70/af/774c2e2b4f6570fbf6a4972161adbb183aeeaa1863bde31e8706f123bf92/pycryptodomex-3.23.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6b8962204c47464d5c1c4038abeadd4514a133b28748bcd9fa5b6d62e3cec6fa", size = 2187643, upload-time = "2025-05-17T17:22:26.37Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/de/a3/71065b24cb889d537954cedc3ae5466af00a2cabcff8e29b73be047e9a19/pycryptodomex-3.23.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a33986a0066860f7fcf7c7bd2bc804fa90e434183645595ae7b33d01f3c91ed8", size = 2273762, upload-time = "2025-05-17T17:22:28.313Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/c9/0b/ff6f43b7fbef4d302c8b981fe58467b8871902cdc3eb28896b52421422cc/pycryptodomex-3.23.0-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c7947ab8d589e3178da3d7cdeabe14f841b391e17046954f2fbcd941705762b5", size = 2313012, upload-time = "2025-05-17T17:22:30.57Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/02/de/9d4772c0506ab6da10b41159493657105d3f8bb5c53615d19452afc6b315/pycryptodomex-3.23.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:c25e30a20e1b426e1f0fa00131c516f16e474204eee1139d1603e132acffc314", size = 2186856, upload-time = "2025-05-17T17:22:32.819Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/28/ad/8b30efcd6341707a234e5eba5493700a17852ca1ac7a75daa7945fcf6427/pycryptodomex-3.23.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:da4fa650cef02db88c2b98acc5434461e027dce0ae8c22dd5a69013eaf510006", size = 2347523, upload-time = "2025-05-17T17:22:35.386Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/0f/02/16868e9f655b7670dbb0ac4f2844145cbc42251f916fc35c414ad2359849/pycryptodomex-3.23.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:58b851b9effd0d072d4ca2e4542bf2a4abcf13c82a29fd2c93ce27ee2a2e9462", size = 2272825, upload-time = "2025-05-17T17:22:37.632Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/ca/18/4ca89ac737230b52ac8ffaca42f9c6f1fd07c81a6cd821e91af79db60632/pycryptodomex-3.23.0-cp313-cp313t-win32.whl", hash = "sha256:a9d446e844f08299236780f2efa9898c818fe7e02f17263866b8550c7d5fb328", size = 1772078, upload-time = "2025-05-17T17:22:40Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/73/34/13e01c322db027682e00986873eca803f11c56ade9ba5bbf3225841ea2d4/pycryptodomex-3.23.0-cp313-cp313t-win_amd64.whl", hash = "sha256:bc65bdd9fc8de7a35a74cab1c898cab391a4add33a8fe740bda00f5976ca4708", size = 1803656, upload-time = "2025-05-17T17:22:42.139Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/54/68/9504c8796b1805d58f4425002bcca20f12880e6fa4dc2fc9a668705c7a08/pycryptodomex-3.23.0-cp313-cp313t-win_arm64.whl", hash = "sha256:c885da45e70139464f082018ac527fdaad26f1657a99ee13eecdce0f0ca24ab4", size = 1707172, upload-time = "2025-05-17T17:22:44.704Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/dd/9c/1a8f35daa39784ed8adf93a694e7e5dc15c23c741bbda06e1d45f8979e9e/pycryptodomex-3.23.0-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:06698f957fe1ab229a99ba2defeeae1c09af185baa909a31a5d1f9d42b1aaed6", size = 2499240, upload-time = "2025-05-17T17:22:46.953Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/7a/62/f5221a191a97157d240cf6643747558759126c76ee92f29a3f4aee3197a5/pycryptodomex-3.23.0-cp37-abi3-macosx_10_9_x86_64.whl", hash = "sha256:b2c2537863eccef2d41061e82a881dcabb04944c5c06c5aa7110b577cc487545", size = 1644042, upload-time = "2025-05-17T17:22:49.098Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/8c/fd/5a054543c8988d4ed7b612721d7e78a4b9bf36bc3c5ad45ef45c22d0060e/pycryptodomex-3.23.0-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:43c446e2ba8df8889e0e16f02211c25b4934898384c1ec1ec04d7889c0333587", size = 2186227, upload-time = "2025-05-17T17:22:51.139Z" },
@@ -160,11 +159,6 @@ wheels = [
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/8d/67/09ee8500dd22614af5fbaa51a4aee6e342b5fa8aecf0a6cb9cbf52fa6d45/pycryptodomex-3.23.0-cp37-abi3-win32.whl", hash = "sha256:189afbc87f0b9f158386bf051f720e20fa6145975f1e76369303d0f31d1a8d7c", size = 1771969, upload-time = "2025-05-17T17:23:07.115Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/69/96/11f36f71a865dd6df03716d33bd07a67e9d20f6b8d39820470b766af323c/pycryptodomex-3.23.0-cp37-abi3-win_amd64.whl", hash = "sha256:52e5ca58c3a0b0bd5e100a9fbc8015059b05cffc6c66ce9d98b4b45e023443b9", size = 1803124, upload-time = "2025-05-17T17:23:09.267Z" },
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/f9/93/45c1cdcbeb182ccd2e144c693eaa097763b08b38cded279f0053ed53c553/pycryptodomex-3.23.0-cp37-abi3-win_arm64.whl", hash = "sha256:02d87b80778c171445d67e23d1caef279bf4b25c3597050ccd2e13970b57fd51", size = 1707161, upload-time = "2025-05-17T17:23:11.414Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/f3/b8/3e76d948c3c4ac71335bbe75dac53e154b40b0f8f1f022dfa295257a0c96/pycryptodomex-3.23.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:ebfff755c360d674306e5891c564a274a47953562b42fb74a5c25b8fc1fb1cb5", size = 1627695, upload-time = "2025-05-17T17:23:17.38Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/6a/cf/80f4297a4820dfdfd1c88cf6c4666a200f204b3488103d027b5edd9176ec/pycryptodomex-3.23.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:eca54f4bb349d45afc17e3011ed4264ef1cc9e266699874cdd1349c504e64798", size = 1675772, upload-time = "2025-05-17T17:23:19.202Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/d1/42/1e969ee0ad19fe3134b0e1b856c39bd0b70d47a4d0e81c2a8b05727394c9/pycryptodomex-3.23.0-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4f2596e643d4365e14d0879dc5aafe6355616c61c2176009270f3048f6d9a61f", size = 1668083, upload-time = "2025-05-17T17:23:21.867Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/6e/c3/1de4f7631fea8a992a44ba632aa40e0008764c0fb9bf2854b0acf78c2cf2/pycryptodomex-3.23.0-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fdfac7cda115bca3a5abb2f9e43bc2fb66c2b65ab074913643803ca7083a79ea", size = 1706056, upload-time = "2025-05-17T17:23:24.031Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/f2/5f/af7da8e6f1e42b52f44a24d08b8e4c726207434e2593732d39e7af5e7256/pycryptodomex-3.23.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:14c37aaece158d0ace436f76a7bb19093db3b4deade9797abfc39ec6cd6cc2fe", size = 1806478, upload-time = "2025-05-17T17:23:26.066Z" },
 ]

 [[package]]
@@ -182,12 +176,10 @@ version = "9.0.1"
 source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
 dependencies = [
    { name = "colorama", marker = "sys_platform == 'win32'" },
-    { name = "exceptiongroup", marker = "python_full_version < '3.11'" },
    { name = "iniconfig" },
    { name = "packaging" },
    { name = "pluggy" },
    { name = "pygments" },
-    { name = "tomli", marker = "python_full_version < '3.11'" },
 ]
 sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/07/56/f013048ac4bc4c1d9be45afd4ab209ea62822fb1598f40687e6bf45dcea4/pytest-9.0.1.tar.gz", hash = "sha256:3e9c069ea73583e255c3b21cf46b8d3c56f6e3a1a8f6da94ccb0fcf57b9d73c8", size = 1564125, upload-time = "2025-11-12T13:05:09.333Z" }
 wheels = [
@@ -196,7 +188,7 @@ wheels = [

 [[package]]
 name = "ragflow-cli"
-version = "0.23.1"
+version = "0.25.1"
 source = { virtual = "." }
 dependencies = [
    { name = "beartype" },
@@ -254,45 +246,11 @@ wheels = [
    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/3f/51/d4db610ef29373b879047326cbf6fa98b6c1969d6f6dc423279de2b1be2c/requests_toolbelt-1.0.0-py2.py3-none-any.whl", hash = "sha256:cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06", size = 54481, upload-time = "2023-05-01T04:11:28.427Z" },
 ]

-[[package]]
-name = "tomli"
-version = "2.3.0"
-source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
-sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/52/ed/3f73f72945444548f33eba9a87fc7a6e969915e7b1acc8260b30e1f76a2f/tomli-2.3.0.tar.gz", hash = "sha256:64be704a875d2a59753d80ee8a533c3fe183e3f06807ff7dc2232938ccb01549", size = 17392, upload-time = "2025-10-08T22:01:47.119Z" }
-wheels = [
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/b3/2e/299f62b401438d5fe1624119c723f5d877acc86a4c2492da405626665f12/tomli-2.3.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:88bd15eb972f3664f5ed4b57c1634a97153b4bac4479dcb6a495f41921eb7f45", size = 153236, upload-time = "2025-10-08T22:01:00.137Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/86/7f/d8fffe6a7aefdb61bced88fcb5e280cfd71e08939da5894161bd71bea022/tomli-2.3.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:883b1c0d6398a6a9d29b508c331fa56adbcdff647f6ace4dfca0f50e90dfd0ba", size = 148084, upload-time = "2025-10-08T22:01:01.63Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/47/5c/24935fb6a2ee63e86d80e4d3b58b222dafaf438c416752c8b58537c8b89a/tomli-2.3.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d1381caf13ab9f300e30dd8feadb3de072aeb86f1d34a8569453ff32a7dea4bf", size = 234832, upload-time = "2025-10-08T22:01:02.543Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/89/da/75dfd804fc11e6612846758a23f13271b76d577e299592b4371a4ca4cd09/tomli-2.3.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a0e285d2649b78c0d9027570d4da3425bdb49830a6156121360b3f8511ea3441", size = 242052, upload-time = "2025-10-08T22:01:03.836Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/70/8c/f48ac899f7b3ca7eb13af73bacbc93aec37f9c954df3c08ad96991c8c373/tomli-2.3.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:0a154a9ae14bfcf5d8917a59b51ffd5a3ac1fd149b71b47a3a104ca4edcfa845", size = 239555, upload-time = "2025-10-08T22:01:04.834Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/ba/28/72f8afd73f1d0e7829bfc093f4cb98ce0a40ffc0cc997009ee1ed94ba705/tomli-2.3.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:74bf8464ff93e413514fefd2be591c3b0b23231a77f901db1eb30d6f712fc42c", size = 245128, upload-time = "2025-10-08T22:01:05.84Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/b6/eb/a7679c8ac85208706d27436e8d421dfa39d4c914dcf5fa8083a9305f58d9/tomli-2.3.0-cp311-cp311-win32.whl", hash = "sha256:00b5f5d95bbfc7d12f91ad8c593a1659b6387b43f054104cda404be6bda62456", size = 96445, upload-time = "2025-10-08T22:01:06.896Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/0a/fe/3d3420c4cb1ad9cb462fb52967080575f15898da97e21cb6f1361d505383/tomli-2.3.0-cp311-cp311-win_amd64.whl", hash = "sha256:4dc4ce8483a5d429ab602f111a93a6ab1ed425eae3122032db7e9acf449451be", size = 107165, upload-time = "2025-10-08T22:01:08.107Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/ff/b7/40f36368fcabc518bb11c8f06379a0fd631985046c038aca08c6d6a43c6e/tomli-2.3.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:d7d86942e56ded512a594786a5ba0a5e521d02529b3826e7761a05138341a2ac", size = 154891, upload-time = "2025-10-08T22:01:09.082Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/f9/3f/d9dd692199e3b3aab2e4e4dd948abd0f790d9ded8cd10cbaae276a898434/tomli-2.3.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:73ee0b47d4dad1c5e996e3cd33b8a76a50167ae5f96a2607cbe8cc773506ab22", size = 148796, upload-time = "2025-10-08T22:01:10.266Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/60/83/59bff4996c2cf9f9387a0f5a3394629c7efa5ef16142076a23a90f1955fa/tomli-2.3.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:792262b94d5d0a466afb5bc63c7daa9d75520110971ee269152083270998316f", size = 242121, upload-time = "2025-10-08T22:01:11.332Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/45/e5/7c5119ff39de8693d6baab6c0b6dcb556d192c165596e9fc231ea1052041/tomli-2.3.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4f195fe57ecceac95a66a75ac24d9d5fbc98ef0962e09b2eddec5d39375aae52", size = 250070, upload-time = "2025-10-08T22:01:12.498Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/45/12/ad5126d3a278f27e6701abde51d342aa78d06e27ce2bb596a01f7709a5a2/tomli-2.3.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:e31d432427dcbf4d86958c184b9bfd1e96b5b71f8eb17e6d02531f434fd335b8", size = 245859, upload-time = "2025-10-08T22:01:13.551Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/fb/a1/4d6865da6a71c603cfe6ad0e6556c73c76548557a8d658f9e3b142df245f/tomli-2.3.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:7b0882799624980785240ab732537fcfc372601015c00f7fc367c55308c186f6", size = 250296, upload-time = "2025-10-08T22:01:14.614Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/a0/b7/a7a7042715d55c9ba6e8b196d65d2cb662578b4d8cd17d882d45322b0d78/tomli-2.3.0-cp312-cp312-win32.whl", hash = "sha256:ff72b71b5d10d22ecb084d345fc26f42b5143c5533db5e2eaba7d2d335358876", size = 97124, upload-time = "2025-10-08T22:01:15.629Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/06/1e/f22f100db15a68b520664eb3328fb0ae4e90530887928558112c8d1f4515/tomli-2.3.0-cp312-cp312-win_amd64.whl", hash = "sha256:1cb4ed918939151a03f33d4242ccd0aa5f11b3547d0cf30f7c74a408a5b99878", size = 107698, upload-time = "2025-10-08T22:01:16.51Z" },
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/77/b8/0135fadc89e73be292b473cb820b4f5a08197779206b33191e801feeae40/tomli-2.3.0-py3-none-any.whl", hash = "sha256:e95b1af3c5b07d9e643909b5abbec77cd9f1217e6d0bca72b0234736b9fb1f1b", size = 14408, upload-time = "2025-10-08T22:01:46.04Z" },
-]
-
-[[package]]
-name = "typing-extensions"
-version = "4.15.0"
-source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
-sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/72/94/1a15dd82efb362ac84269196e94cf00f187f7ed21c242792a923cdb1c61f/typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466", size = 109391, upload-time = "2025-08-25T13:49:26.313Z" }
-wheels = [
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/18/67/36e9267722cc04a6b9f15c7f3441c2363321a3ea07da7ae0c0707beb2a9c/typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548", size = 44614, upload-time = "2025-08-25T13:49:24.86Z" },
-]
-
 [[package]]
 name = "urllib3"
-version = "2.5.0"
+version = "2.6.3"
 source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
-sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/15/22/9ee70a2574a4f4599c47dd506532914ce044817c7752a79b6a51286319bc/urllib3-2.5.0.tar.gz", hash = "sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760", size = 393185, upload-time = "2025-06-18T14:07:41.644Z" }
+sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
 wheels = [
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/a7/c2/fe1e52489ae3122415c51f387e221dd0773709bad6c6cdaa599e8a2c5185/urllib3-2.5.0-py3-none-any.whl", hash = "sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc", size = 129795, upload-time = "2025-06-18T14:07:40.39Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
 ]
--- a/admin/server/admin_server.py
+++ b/admin/server/admin_server.py
@@ -14,12 +14,13 @@
 #  limitations under the License.
 #

+import time
+start_ts = time.time()
+
 import os
 import signal
 import logging
-import time
 import threading
-import traceback
 import faulthandler

 from flask import Flask
@@ -56,7 +57,7 @@ if __name__ == '__main__':
        os.environ.get("MAX_CONTENT_LENGTH", 1024 * 1024 * 1024)
    )
    Session(app)
-    logging.info(f'RAGFlow version: {get_ragflow_version()}')
+    logging.info(f'RAGFlow admin version: {get_ragflow_version()}')
    show_configs()
    login_manager = LoginManager()
    login_manager.init_app(app)
@@ -66,17 +67,17 @@ if __name__ == '__main__':
    SERVICE_CONFIGS.configs = load_configurations(SERVICE_CONF)

    try:
-        logging.info("RAGFlow Admin service start...")
+        logging.info(f"RAGFlow admin is ready after {time.time() - start_ts}s initialization.")
        run_simple(
            hostname="0.0.0.0",
            port=9381,
            application=app,
            threaded=True,
            use_reloader=False,
-            use_debugger=True,
+            use_debugger=False,
        )
-    except Exception:
-        traceback.print_exc()
+    except Exception as e:
+        logging.exception(f"Unhandled exception: {e}")
        stop_event.set()
        time.sleep(1)
        os.kill(os.getpid(), signal.SIGKILL)
--- a/admin/server/auth.py
+++ b/admin/server/auth.py
@@ -22,11 +22,12 @@ from datetime import datetime

 from flask import jsonify, request
 from flask_login import current_user, login_user
-from itsdangerous.url_safe import URLSafeTimedSerializer as Serializer

 from api.common.exceptions import AdminException, UserNotFoundError
 from api.common.base64 import encode_to_base64
 from api.db.services import UserService
+from api.db import UserTenantRole
+from api.db.services.user_service import TenantService, UserTenantService
 from common.constants import ActiveEnum, StatusEnum
 from api.utils.crypt import decrypt
 from common.misc_utils import get_uuid
@@ -38,18 +39,34 @@ from common import settings
 def setup_auth(login_manager):
    @login_manager.request_loader
    def load_user(web_request):
-        jwt = Serializer(secret_key=settings.SECRET_KEY)
+        # Authorization header contains JWT-encoded access token
+        # First decode JWT to get the UUID, then query database
+        from itsdangerous.url_safe import URLSafeTimedSerializer as Serializer
+        from common import settings
+
        authorization = web_request.headers.get("Authorization")
        if authorization:
            try:
-                access_token = str(jwt.loads(authorization))
+                # Strip "Bearer " prefix if present
+                jwt_token = authorization
+                if jwt_token.startswith("Bearer "):
+                    jwt_token = jwt_token[7:]

-                if not access_token or not access_token.strip():
-                    logging.warning("Authentication attempt with empty access token")
+                jwt_token = jwt_token.strip()
+                if not jwt_token:
+                    logging.warning("Authentication attempt with empty JWT token")
                    return None

-                # Access tokens should be UUIDs (32 hex characters)
-                if len(access_token.strip()) < 32:
+                # Decode JWT to get the UUID access_token
+                jwt = Serializer(secret_key=settings.SECRET_KEY)
+                access_token = str(jwt.loads(jwt_token))
+
+                if not access_token or not access_token.strip():
+                    logging.warning("Authentication attempt with empty access token after JWT decode")
+                    return None
+
+                # Access tokens stored in database are UUIDs (32 hex characters)
+                if len(access_token) < 32:
                    logging.warning(f"Authentication attempt with invalid token format: {len(access_token)} chars")
                    return None

@@ -85,8 +102,45 @@ def init_default_admin():
        }
        if not UserService.save(**default_admin):
            raise AdminException("Can't init admin.", 500)
+        add_tenant_for_admin(default_admin, UserTenantRole.OWNER)
    elif not any([u.is_active == ActiveEnum.ACTIVE.value for u in users]):
        raise AdminException("No active admin. Please update 'is_active' in db manually.", 500)
+    else:
+        default_admin_rows = [u for u in users if u.email == "admin@ragflow.io"]
+        if default_admin_rows:
+            default_admin = default_admin_rows[0].to_dict()
+            exist, default_admin_tenant = TenantService.get_by_id(default_admin["id"])
+            if not exist:
+                add_tenant_for_admin(default_admin, UserTenantRole.OWNER)
+
+
+def add_tenant_for_admin(user_info: dict, role: str):
+    from api.db.services.tenant_llm_service import TenantLLMService
+    from api.db.services.llm_service import get_init_tenant_llm
+
+    tenant = {
+        "id": user_info["id"],
+        "name": user_info["nickname"] + "‘s Kingdom",
+        "llm_id": settings.CHAT_MDL,
+        "embd_id": settings.EMBEDDING_MDL,
+        "asr_id": settings.ASR_MDL,
+        "parser_ids": settings.PARSERS,
+        "img2txt_id": settings.IMAGE2TEXT_MDL,
+        "rerank_id": settings.RERANK_MDL,
+    }
+    usr_tenant = {
+        "tenant_id": user_info["id"],
+        "user_id": user_info["id"],
+        "invited_by": user_info["id"],
+        "role": role
+    }
+
+    tenant_llm = get_init_tenant_llm(user_info["id"])
+    TenantService.insert(**tenant)
+    UserTenantService.insert(**usr_tenant)
+    TenantLLMService.insert_many(tenant_llm)
+    logging.info(
+        f"Added tenant for email: {user_info['email']}, A default tenant has been set; changing the default models after login is strongly recommended.")


 def check_admin_auth(func):
--- a/admin/server/config.py
+++ b/admin/server/config.py
@@ -264,6 +264,19 @@ def load_configurations(config_path: str) -> list[BaseConfig]:
                                        db_name=database, detail_func_name="get_infinity_status")
                configurations.append(config)
                id_count += 1
+            case "minio_0":
+                name: str = 'minio_0'
+                url = v['host']
+                parts = url.split(':', 1)
+                host = parts[0]
+                port = int(parts[1])
+                user = v.get('user')
+                password = v.get('password')
+                config = MinioConfig(id=id_count, name=name, host=host, port=port, user=user, password=password,
+                                     service_type="file_store",
+                                     store_type="minio", detail_func_name="check_minio_alive")
+                configurations.append(config)
+                id_count += 1
            case "minio":
                name: str = 'minio'
                url = v['host']
@@ -310,6 +323,14 @@ def load_configurations(config_path: str) -> list[BaseConfig]:
                                            service_type="task_executor", detail_func_name="check_task_executor_alive")
                configurations.append(config)
                id_count += 1
+            case "rabbitmq":
+                name: str = 'rabbitmq'
+                host: str = v.get('host')
+                port: int = v.get('port')
+                config = RabbitMQConfig(id=id_count, name=name, host=host, port=port,
+                                        service_type="message_queue", mq_type="rabbitmq", detail_func_name="check_rabbitmq_alive")
+                configurations.append(config)
+                id_count += 1
            case _:
                logging.warning(f"Unknown configuration key: {k}")
                continue
--- a/admin/server/routes.py
+++ b/admin/server/routes.py
@@ -15,29 +15,35 @@
 #

 import secrets
+import logging
+from typing import Any

-from flask import Blueprint, request
+from common.time_utils import current_timestamp, datetime_format
+from datetime import datetime
+from flask import Blueprint, Response, request
 from flask_login import current_user, login_required, logout_user

 from auth import login_verify, login_admin, check_admin_auth
 from responses import success_response, error_response
-from services import UserMgr, ServiceMgr, UserServiceMgr
+from services import UserMgr, ServiceMgr, UserServiceMgr, SettingsMgr, ConfigMgr, EnvironmentsMgr, SandboxMgr
 from roles import RoleMgr
 from api.common.exceptions import AdminException
 from common.versions import get_ragflow_version
+from api.utils.api_utils import generate_confirmation_token
+from common.log_utils import get_log_levels, set_log_level

-admin_bp = Blueprint('admin', __name__, url_prefix='/api/v1/admin')
+admin_bp = Blueprint("admin", __name__, url_prefix="/api/v1/admin")


-@admin_bp.route('/ping', methods=['GET'])
+@admin_bp.route("/ping", methods=["GET"])
 def ping():
-    return success_response('PONG')
+    return success_response(message="pong")


-@admin_bp.route('/login', methods=['POST'])
+@admin_bp.route("/login", methods=["POST"])
 def login():
    if not request.json:
-        return error_response('Authorize admin failed.' ,400)
+        return error_response("Authorize admin failed.", 400)
    try:
        email = request.json.get("email", "")
        password = request.json.get("password", "")
@@ -46,7 +52,7 @@ def login():
        return error_response(str(e), 500)


-@admin_bp.route('/logout', methods=['GET'])
+@admin_bp.route("/logout", methods=["GET"])
@login_required
 def logout():
    try:
@@ -58,7 +64,7 @@ def logout():
        return error_response(str(e), 500)


-@admin_bp.route('/auth', methods=['GET'])
+@admin_bp.route("/auth", methods=["GET"])
@login_verify
 def auth_admin():
    try:
@@ -67,7 +73,7 @@ def auth_admin():
        return error_response(str(e), 500)


-@admin_bp.route('/users', methods=['GET'])
+@admin_bp.route("/users", methods=["GET"])
@login_required
@check_admin_auth
 def list_users():
@@ -78,18 +84,18 @@ def list_users():
        return error_response(str(e), 500)


-@admin_bp.route('/users', methods=['POST'])
+@admin_bp.route("/users", methods=["POST"])
@login_required
@check_admin_auth
 def create_user():
    try:
        data = request.get_json()
-        if not data or 'username' not in data or 'password' not in data:
+        if not data or "username" not in data or "password" not in data:
            return error_response("Username and password are required", 400)

-        username = data['username']
-        password = data['password']
-        role = data.get('role', 'user')
+        username = data["username"]
+        password = data["password"]
+        role = data.get("role", "user")

        res = UserMgr.create_user(username, password, role)
        if res["success"]:
@@ -105,7 +111,7 @@ def create_user():
        return error_response(str(e))


-@admin_bp.route('/users/<username>', methods=['DELETE'])
+@admin_bp.route("/users/<username>", methods=["DELETE"])
@login_required
@check_admin_auth
 def delete_user(username):
@@ -122,16 +128,16 @@ def delete_user(username):
        return error_response(str(e), 500)


-@admin_bp.route('/users/<username>/password', methods=['PUT'])
+@admin_bp.route("/users/<username>/password", methods=["PUT"])
@login_required
@check_admin_auth
 def change_password(username):
    try:
        data = request.get_json()
-        if not data or 'new_password' not in data:
+        if not data or "new_password" not in data:
            return error_response("New password is required", 400)

-        new_password = data['new_password']
+        new_password = data["new_password"]
        msg = UserMgr.update_user_password(username, new_password)
        return success_response(None, msg)

@@ -141,15 +147,15 @@ def change_password(username):
        return error_response(str(e), 500)


-@admin_bp.route('/users/<username>/activate', methods=['PUT'])
+@admin_bp.route("/users/<username>/activate", methods=["PUT"])
@login_required
@check_admin_auth
 def alter_user_activate_status(username):
    try:
        data = request.get_json()
-        if not data or 'activate_status' not in data:
+        if not data or "activate_status" not in data:
            return error_response("Activation status is required", 400)
-        activate_status = data['activate_status']
+        activate_status = data["activate_status"]
        msg = UserMgr.update_user_activate_status(username, activate_status)
        return success_response(None, msg)
    except AdminException as e:
@@ -158,7 +164,39 @@ def alter_user_activate_status(username):
        return error_response(str(e), 500)


-@admin_bp.route('/users/<username>', methods=['GET'])
+@admin_bp.route("/users/<username>/admin", methods=["PUT"])
+@login_required
+@check_admin_auth
+def grant_admin(username):
+    try:
+        if current_user.email == username:
+            return error_response(f"can't grant current user: {username}", 409)
+        msg = UserMgr.grant_admin(username)
+        return success_response(None, msg)
+
+    except AdminException as e:
+        return error_response(e.message, e.code)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/users/<username>/admin", methods=["DELETE"])
+@login_required
+@check_admin_auth
+def revoke_admin(username):
+    try:
+        if current_user.email == username:
+            return error_response(f"can't grant current user: {username}", 409)
+        msg = UserMgr.revoke_admin(username)
+        return success_response(None, msg)
+
+    except AdminException as e:
+        return error_response(e.message, e.code)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/users/<username>", methods=["GET"])
@login_required
@check_admin_auth
 def get_user_details(username):
@@ -172,7 +210,7 @@ def get_user_details(username):
        return error_response(str(e), 500)


-@admin_bp.route('/users/<username>/datasets', methods=['GET'])
+@admin_bp.route("/users/<username>/datasets", methods=["GET"])
@login_required
@check_admin_auth
 def get_user_datasets(username):
@@ -186,7 +224,7 @@ def get_user_datasets(username):
        return error_response(str(e), 500)


-@admin_bp.route('/users/<username>/agents', methods=['GET'])
+@admin_bp.route("/users/<username>/agents", methods=["GET"])
@login_required
@check_admin_auth
 def get_user_agents(username):
@@ -200,7 +238,7 @@ def get_user_agents(username):
        return error_response(str(e), 500)


-@admin_bp.route('/services', methods=['GET'])
+@admin_bp.route("/services", methods=["GET"])
@login_required
@check_admin_auth
 def get_services():
@@ -211,7 +249,7 @@ def get_services():
        return error_response(str(e), 500)


-@admin_bp.route('/service_types/<service_type>', methods=['GET'])
+@admin_bp.route("/service_types/<service_type>", methods=["GET"])
@login_required
@check_admin_auth
 def get_services_by_type(service_type_str):
@@ -222,7 +260,7 @@ def get_services_by_type(service_type_str):
        return error_response(str(e), 500)


-@admin_bp.route('/services/<service_id>', methods=['GET'])
+@admin_bp.route("/services/<service_id>", methods=["GET"])
@login_required
@check_admin_auth
 def get_service(service_id):
@@ -233,7 +271,7 @@ def get_service(service_id):
        return error_response(str(e), 500)


-@admin_bp.route('/services/<service_id>', methods=['DELETE'])
+@admin_bp.route("/services/<service_id>", methods=["DELETE"])
@login_required
@check_admin_auth
 def shutdown_service(service_id):
@@ -244,7 +282,7 @@ def shutdown_service(service_id):
        return error_response(str(e), 500)


-@admin_bp.route('/services/<service_id>', methods=['PUT'])
+@admin_bp.route("/services/<service_id>", methods=["PUT"])
@login_required
@check_admin_auth
 def restart_service(service_id):
@@ -255,38 +293,38 @@ def restart_service(service_id):
        return error_response(str(e), 500)


-@admin_bp.route('/roles', methods=['POST'])
+@admin_bp.route("/roles", methods=["POST"])
@login_required
@check_admin_auth
 def create_role():
    try:
        data = request.get_json()
-        if not data or 'role_name' not in data:
+        if not data or "role_name" not in data:
            return error_response("Role name is required", 400)
-        role_name: str = data['role_name']
-        description: str = data['description']
+        role_name: str = data["role_name"]
+        description: str = data["description"]
        res = RoleMgr.create_role(role_name, description)
        return success_response(res)
    except Exception as e:
        return error_response(str(e), 500)


-@admin_bp.route('/roles/<role_name>', methods=['PUT'])
+@admin_bp.route("/roles/<role_name>", methods=["PUT"])
@login_required
@check_admin_auth
 def update_role(role_name: str):
    try:
        data = request.get_json()
-        if not data or 'description' not in data:
+        if not data or "description" not in data:
            return error_response("Role description is required", 400)
-        description: str = data['description']
+        description: str = data["description"]
        res = RoleMgr.update_role_description(role_name, description)
        return success_response(res)
    except Exception as e:
        return error_response(str(e), 500)


-@admin_bp.route('/roles/<role_name>', methods=['DELETE'])
+@admin_bp.route("/roles/<role_name>", methods=["DELETE"])
@login_required
@check_admin_auth
 def delete_role(role_name: str):
@@ -297,7 +335,7 @@ def delete_role(role_name: str):
        return error_response(str(e), 500)


-@admin_bp.route('/roles', methods=['GET'])
+@admin_bp.route("/roles", methods=["GET"])
@login_required
@check_admin_auth
 def list_roles():
@@ -308,7 +346,7 @@ def list_roles():
        return error_response(str(e), 500)


-@admin_bp.route('/roles/<role_name>/permission', methods=['GET'])
+@admin_bp.route("/roles/<role_name>/permission", methods=["GET"])
@login_required
@check_admin_auth
 def get_role_permission(role_name: str):
@@ -319,54 +357,54 @@ def get_role_permission(role_name: str):
        return error_response(str(e), 500)


-@admin_bp.route('/roles/<role_name>/permission', methods=['POST'])
+@admin_bp.route("/roles/<role_name>/permission", methods=["POST"])
@login_required
@check_admin_auth
 def grant_role_permission(role_name: str):
    try:
        data = request.get_json()
-        if not data or 'actions' not in data or 'resource' not in data:
+        if not data or "actions" not in data or "resource" not in data:
            return error_response("Permission is required", 400)
-        actions: list = data['actions']
-        resource: str = data['resource']
+        actions: list = data["actions"]
+        resource: str = data["resource"]
        res = RoleMgr.grant_role_permission(role_name, actions, resource)
        return success_response(res)
    except Exception as e:
        return error_response(str(e), 500)


-@admin_bp.route('/roles/<role_name>/permission', methods=['DELETE'])
+@admin_bp.route("/roles/<role_name>/permission", methods=["DELETE"])
@login_required
@check_admin_auth
 def revoke_role_permission(role_name: str):
    try:
        data = request.get_json()
-        if not data or 'actions' not in data or 'resource' not in data:
+        if not data or "actions" not in data or "resource" not in data:
            return error_response("Permission is required", 400)
-        actions: list = data['actions']
-        resource: str = data['resource']
+        actions: list = data["actions"]
+        resource: str = data["resource"]
        res = RoleMgr.revoke_role_permission(role_name, actions, resource)
        return success_response(res)
    except Exception as e:
        return error_response(str(e), 500)


-@admin_bp.route('/users/<user_name>/role', methods=['PUT'])
+@admin_bp.route("/users/<user_name>/role", methods=["PUT"])
@login_required
@check_admin_auth
 def update_user_role(user_name: str):
    try:
        data = request.get_json()
-        if not data or 'role_name' not in data:
+        if not data or "role_name" not in data:
            return error_response("Role name is required", 400)
-        role_name: str = data['role_name']
+        role_name: str = data["role_name"]
        res = RoleMgr.update_user_role(user_name, role_name)
        return success_response(res)
    except Exception as e:
        return error_response(str(e), 500)


-@admin_bp.route('/users/<user_name>/permission', methods=['GET'])
+@admin_bp.route("/users/<user_name>/permission", methods=["GET"])
@login_required
@check_admin_auth
 def get_user_permission(user_name: str):
@@ -376,7 +414,140 @@ def get_user_permission(user_name: str):
    except Exception as e:
        return error_response(str(e), 500)

-@admin_bp.route('/version', methods=['GET'])
+
+@admin_bp.route("/variables", methods=["PUT"])
+@login_required
+@check_admin_auth
+def set_variable():
+    try:
+        data = request.get_json()
+        if not data and "var_name" not in data:
+            return error_response("Var name is required", 400)
+
+        if "var_value" not in data:
+            return error_response("Var value is required", 400)
+        var_name: str = data["var_name"]
+        var_value: str = data["var_value"]
+
+        SettingsMgr.update_by_name(var_name, var_value)
+        return success_response(None, "Set variable successfully")
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/variables", methods=["GET"])
+@login_required
+@check_admin_auth
+def get_variable():
+    try:
+        if request.content_length is None or request.content_length == 0:
+            # list variables
+            res = list(SettingsMgr.get_all())
+            return success_response(res)
+
+        # get var
+        data = request.get_json()
+        if not data and "var_name" not in data:
+            return error_response("Var name is required", 400)
+        var_name: str = data["var_name"]
+        res = SettingsMgr.get_by_name(var_name)
+        return success_response(res)
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/configs", methods=["GET"])
+@login_required
+@check_admin_auth
+def get_config():
+    try:
+        res = list(ConfigMgr.get_all())
+        return success_response(res)
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/environments", methods=["GET"])
+@login_required
+@check_admin_auth
+def get_environments():
+    try:
+        res = list(EnvironmentsMgr.get_all())
+        return success_response(res)
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/users/<username>/keys", methods=["POST"])
+@login_required
+@check_admin_auth
+def generate_user_api_key(username: str) -> tuple[Response, int]:
+    try:
+        user_details: list[dict[str, Any]] = UserMgr.get_user_details(username)
+        if not user_details:
+            return error_response("User not found!", 404)
+        tenants: list[dict[str, Any]] = UserServiceMgr.get_user_tenants(username)
+        if not tenants:
+            return error_response("Tenant not found!", 404)
+        tenant_id: str = tenants[0]["tenant_id"]
+        key: str = generate_confirmation_token()
+        obj: dict[str, Any] = {
+            "tenant_id": tenant_id,
+            "token": key,
+            "beta": generate_confirmation_token().replace("ragflow-", "")[:32],
+            "create_time": current_timestamp(),
+            "create_date": datetime_format(datetime.now()),
+            "update_time": None,
+            "update_date": None,
+        }
+
+        if not UserMgr.save_api_key(obj):
+            return error_response("Failed to generate API key!", 500)
+        return success_response(obj, "API key generated successfully")
+    except AdminException as e:
+        return error_response(e.message, e.code)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/users/<username>/keys", methods=["GET"])
+@login_required
+@check_admin_auth
+def get_user_api_keys(username: str) -> tuple[Response, int]:
+    try:
+        api_keys: list[dict[str, Any]] = UserMgr.get_user_api_key(username)
+        return success_response(api_keys, "Get user API keys")
+    except AdminException as e:
+        return error_response(e.message, e.code)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/users/<username>/keys/<key>", methods=["DELETE"])
+@login_required
+@check_admin_auth
+def delete_user_api_key(username: str, key: str) -> tuple[Response, int]:
+    try:
+        deleted = UserMgr.delete_api_key(username, key)
+        if deleted:
+            return success_response(None, "API key deleted successfully")
+        else:
+            return error_response("API key not found or could not be deleted", 404)
+    except AdminException as e:
+        return error_response(e.message, e.code)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/version", methods=["GET"])
@login_required
@check_admin_auth
 def show_version():
@@ -385,3 +556,136 @@ def show_version():
        return success_response(res)
    except Exception as e:
        return error_response(str(e), 500)
+
+
+@admin_bp.route("/sandbox/providers", methods=["GET"])
+@login_required
+@check_admin_auth
+def list_sandbox_providers():
+    """List all available sandbox providers."""
+    try:
+        res = SandboxMgr.list_providers()
+        return success_response(res)
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/sandbox/providers/<provider_id>/schema", methods=["GET"])
+@login_required
+@check_admin_auth
+def get_sandbox_provider_schema(provider_id: str):
+    """Get configuration schema for a specific provider."""
+    try:
+        res = SandboxMgr.get_provider_config_schema(provider_id)
+        return success_response(res)
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/sandbox/config", methods=["GET"])
+@login_required
+@check_admin_auth
+def get_sandbox_config():
+    """Get current sandbox configuration."""
+    try:
+        res = SandboxMgr.get_config()
+        return success_response(res)
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/sandbox/config", methods=["POST"])
+@login_required
+@check_admin_auth
+def set_sandbox_config():
+    """Set sandbox provider configuration."""
+    try:
+        data = request.get_json()
+        if not data:
+            logging.error("set_sandbox_config: Request body is required")
+            return error_response("Request body is required", 400)
+
+        provider_type = data.get("provider_type")
+        if not provider_type:
+            logging.error("set_sandbox_config: provider_type is required")
+            return error_response("provider_type is required", 400)
+
+        config = data.get("config", {})
+        set_active = data.get("set_active", True)  # Default to True for backward compatibility
+
+        logging.info(f"set_sandbox_config: provider_type={provider_type}, set_active={set_active}")
+        logging.info(f"set_sandbox_config: config keys={list(config.keys())}")
+
+        res = SandboxMgr.set_config(provider_type, config, set_active)
+        return success_response(res, "Sandbox configuration updated successfully")
+    except AdminException as e:
+        logging.exception("set_sandbox_config AdminException")
+        return error_response(str(e), 400)
+    except Exception as e:
+        logging.exception("set_sandbox_config unexpected error")
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/sandbox/test", methods=["POST"])
+@login_required
+@check_admin_auth
+def test_sandbox_connection():
+    """Test connection to sandbox provider."""
+    try:
+        data = request.get_json()
+        if not data:
+            return error_response("Request body is required", 400)
+
+        provider_type = data.get("provider_type")
+        if not provider_type:
+            return error_response("provider_type is required", 400)
+
+        config = data.get("config", {})
+        res = SandboxMgr.test_connection(provider_type, config)
+        return success_response(res)
+    except AdminException as e:
+        return error_response(str(e), 400)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/log_levels", methods=["GET"])
+@login_required
+@check_admin_auth
+def get_logger_levels():
+    """Get current log levels for all packages."""
+    try:
+        res = get_log_levels()
+        return success_response(res, "Get log levels", 0)
+    except Exception as e:
+        return error_response(str(e), 500)
+
+
+@admin_bp.route("/log_levels", methods=["PUT"])
+@login_required
+@check_admin_auth
+def set_logger_level():
+    """Set log level for a package."""
+    try:
+        data = request.get_json()
+        if not data or "pkg_name" not in data or "level" not in data:
+            return error_response("pkg_name and level are required", 400)
+
+        pkg_name = data["pkg_name"]
+        level = data["level"]
+        if not isinstance(pkg_name, str) or not isinstance(level, str):
+            return error_response("pkg_name and level must be strings", 400)
+
+        success = set_log_level(pkg_name, level)
+        if success:
+            return success_response({"pkg_name": pkg_name, "level": level}, "Log level updated successfully")
+        else:
+            return error_response(f"Invalid log level: {level}", 400)
+    except Exception as e:
+        return error_response(str(e), 500)
--- a/admin/server/services.py
+++ b/admin/server/services.py
@@ -14,16 +14,22 @@
 #  limitations under the License.
 #

+import json
 import os
 import logging
 import re
+from typing import Any
+
 from werkzeug.security import check_password_hash
 from common.constants import ActiveEnum
 from api.db.services import UserService
 from api.db.joint_services.user_account_service import create_new_user, delete_user_data
 from api.db.services.canvas_service import UserCanvasService
-from api.db.services.user_service import TenantService
+from api.db.services.user_service import TenantService, UserTenantService
 from api.db.services.knowledgebase_service import KnowledgebaseService
+from api.db.services.system_settings_service import SystemSettingsService
+from api.db.services.api_service import APITokenService
+from api.db.db_models import APIToken
 from api.utils.crypt import decrypt
 from api.utils import health_utils

@@ -37,13 +43,15 @@ class UserMgr:
        users = UserService.get_all_users()
        result = []
        for user in users:
-            result.append({
-                'email': user.email,
-                'nickname': user.nickname,
-                'create_date': user.create_date,
-                'is_active': user.is_active,
-                'is_superuser': user.is_superuser,
-            })
+            result.append(
+                {
+                    "email": user.email,
+                    "nickname": user.nickname,
+                    "create_date": user.create_date,
+                    "is_active": user.is_active,
+                    "is_superuser": user.is_superuser,
+                }
+            )
        return result

    @staticmethod
@@ -52,19 +60,21 @@ class UserMgr:
        users = UserService.query_user_by_email(username)
        result = []
        for user in users:
-            result.append({
-                'avatar': user.avatar,
-                'email': user.email,
-                'language': user.language,
-                'last_login_time': user.last_login_time,
-                'is_active': user.is_active,
-                'is_anonymous': user.is_anonymous,
-                'login_channel': user.login_channel,
-                'status': user.status,
-                'is_superuser': user.is_superuser,
-                'create_date': user.create_date,
-                'update_date': user.update_date
-            })
+            result.append(
+                {
+                    "avatar": user.avatar,
+                    "email": user.email,
+                    "language": user.language,
+                    "last_login_time": user.last_login_time,
+                    "is_active": user.is_active,
+                    "is_anonymous": user.is_anonymous,
+                    "login_channel": user.login_channel,
+                    "status": user.status,
+                    "is_superuser": user.is_superuser,
+                    "create_date": user.create_date,
+                    "update_date": user.update_date,
+                }
+            )
        return result

    @staticmethod
@@ -126,8 +136,8 @@ class UserMgr:
        # format activate_status before handle
        _activate_status = activate_status.lower()
        target_status = {
-            'on': ActiveEnum.ACTIVE.value,
-            'off': ActiveEnum.INACTIVE.value,
+            "on": ActiveEnum.ACTIVE.value,
+            "off": ActiveEnum.INACTIVE.value,
        }.get(_activate_status)
        if not target_status:
            raise AdminException(f"Invalid activate_status: {activate_status}")
@@ -137,9 +147,84 @@ class UserMgr:
        UserService.update_user(usr.id, {"is_active": target_status})
        return f"Turn {_activate_status} user activate status successfully!"

+    @staticmethod
+    def get_user_api_key(username: str) -> list[dict[str, Any]]:
+        # use email to find user. check exist and unique.
+        user_list: list[Any] = UserService.query_user_by_email(username)
+        if not user_list:
+            raise UserNotFoundError(username)
+        elif len(user_list) > 1:
+            raise AdminException(f"More than one user with username '{username}' found!")
+
+        usr: Any = user_list[0]
+        # tenant_id is typically the same as user_id for the owner tenant
+        tenant_id: str = usr.id
+
+        # Query all API keys for this tenant
+        api_keys: Any = APITokenService.query(tenant_id=tenant_id)
+
+        result: list[dict[str, Any]] = []
+        for key in api_keys:
+            result.append(key.to_dict())
+
+        return result
+
+    @staticmethod
+    def save_api_key(api_key: dict[str, Any]) -> bool:
+        return APITokenService.save(**api_key)
+
+    @staticmethod
+    def delete_api_key(username: str, key: str) -> bool:
+        # use email to find user. check exist and unique.
+        user_list: list[Any] = UserService.query_user_by_email(username)
+        if not user_list:
+            raise UserNotFoundError(username)
+        elif len(user_list) > 1:
+            raise AdminException(f"Exist more than 1 user: {username}!")
+
+        usr: Any = user_list[0]
+        # tenant_id is typically the same as user_id for the owner tenant
+        tenant_id: str = usr.id
+
+        # Delete the API key
+        deleted_count: int = APITokenService.filter_delete([APIToken.tenant_id == tenant_id, APIToken.token == key])
+        return deleted_count > 0
+
+    @staticmethod
+    def grant_admin(username: str):
+        # use email to find user. check exist and unique.
+        user_list = UserService.query_user_by_email(username)
+        if not user_list:
+            raise UserNotFoundError(username)
+        elif len(user_list) > 1:
+            raise AdminException(f"Exist more than 1 user: {username}!")
+
+        # check activate status different from new
+        usr = user_list[0]
+        if usr.is_superuser:
+            return f"{usr} is already superuser!"
+        # update is_active
+        UserService.update_user(usr.id, {"is_superuser": True})
+        return "Grant successfully!"
+
+    @staticmethod
+    def revoke_admin(username: str):
+        # use email to find user. check exist and unique.
+        user_list = UserService.query_user_by_email(username)
+        if not user_list:
+            raise UserNotFoundError(username)
+        elif len(user_list) > 1:
+            raise AdminException(f"Exist more than 1 user: {username}!")
+        # check activate status different from new
+        usr = user_list[0]
+        if not usr.is_superuser:
+            return f"{usr} isn't superuser, yet!"
+        # update is_active
+        UserService.update_user(usr.id, {"is_superuser": False})
+        return "Revoke successfully!"
+

 class UserServiceMgr:
-
    @staticmethod
    def get_user_datasets(username):
        # use email to find user.
@@ -169,39 +254,43 @@ class UserServiceMgr:
        tenant_ids = [m["tenant_id"] for m in tenants]
        # filter permitted agents and owned agents
        res = UserCanvasService.get_all_agents_by_tenant_ids(tenant_ids, usr.id)
-        return [{
-            'title': r['title'],
-            'permission': r['permission'],
-            'canvas_category': r['canvas_category'].split('_')[0],
-            'avatar': r['avatar']
-        } for r in res]
+        return [{"title": r["title"], "permission": r["permission"], "canvas_category": r["canvas_category"].split("_")[0], "avatar": r["avatar"]} for r in res]
+
+    @staticmethod
+    def get_user_tenants(email: str) -> list[dict[str, Any]]:
+        users: list[Any] = UserService.query_user_by_email(email)
+        if not users:
+            raise UserNotFoundError(email)
+        user: Any = users[0]
+
+        tenants: list[dict[str, Any]] = UserTenantService.get_tenants_by_user_id(user.id)
+        return tenants


 class ServiceMgr:
-
    @staticmethod
    def get_all_services():
-        doc_engine = os.getenv('DOC_ENGINE', 'elasticsearch')
+        doc_engine = os.getenv("DOC_ENGINE", "elasticsearch")
        result = []
        configs = SERVICE_CONFIGS.configs
        for service_id, config in enumerate(configs):
            config_dict = config.to_dict()
-            if config_dict['service_type'] == 'retrieval':
-                if config_dict['extra']['retrieval_type'] != doc_engine:
+            if config_dict["service_type"] == "retrieval":
+                if config_dict["extra"]["retrieval_type"] != doc_engine:
                    continue
            try:
                service_detail = ServiceMgr.get_service_details(service_id)
                if "status" in service_detail:
-                    config_dict['status'] = service_detail['status']
+                    config_dict["status"] = service_detail["status"]
                else:
-                    config_dict['status'] = 'timeout'
+                    config_dict["status"] = "timeout"
            except Exception as e:
                logging.warning(f"Can't get service details, error: {e}")
-                config_dict['status'] = 'timeout'
-            if not config_dict['host']:
-                config_dict['host'] = '-'
-            if not config_dict['port']:
-                config_dict['port'] = '-'
+                config_dict["status"] = "timeout"
+            if not config_dict["host"]:
+                config_dict["host"] = "-"
+            if not config_dict["port"]:
+                config_dict["port"] = "-"
            result.append(config_dict)
        return result

@@ -217,11 +306,18 @@ class ServiceMgr:
            raise AdminException(f"invalid service_index: {service_idx}")

        service_config = configs[service_idx]
-        service_info = {'name': service_config.name, 'detail_func_name': service_config.detail_func_name}

-        detail_func = getattr(health_utils, service_info.get('detail_func_name'))
+        # exclude retrieval service if retrieval_type is not matched
+        doc_engine = os.getenv("DOC_ENGINE", "elasticsearch")
+        if service_config.service_type == "retrieval":
+            if service_config.retrieval_type != doc_engine:
+                raise AdminException(f"invalid service_index: {service_idx}")
+
+        service_info = {"name": service_config.name, "detail_func_name": service_config.detail_func_name}
+
+        detail_func = getattr(health_utils, service_info.get("detail_func_name"))
        res = detail_func()
-        res.update({'service_name': service_info.get('name')})
+        res.update({"service_name": service_info.get("name")})
        return res

    @staticmethod
@@ -231,3 +327,397 @@ class ServiceMgr:
    @staticmethod
    def restart_service(service_id: int):
        raise AdminException("restart_service: not implemented")
+
+
+class SettingsMgr:
+    @staticmethod
+    def get_all():
+        settings = SystemSettingsService.get_all()
+        result = []
+        for setting in settings:
+            result.append(
+                {
+                    "name": setting.name,
+                    "source": setting.source,
+                    "data_type": setting.data_type,
+                    "value": setting.value,
+                }
+            )
+        return result
+
+    @staticmethod
+    def get_by_name(name: str):
+        settings = SystemSettingsService.get_by_name(name)
+        if len(settings) == 0:
+            raise AdminException(f"Can't get setting: {name}")
+        result = []
+        for setting in settings:
+            result.append(
+                {
+                    "name": setting.name,
+                    "source": setting.source,
+                    "data_type": setting.data_type,
+                    "value": setting.value,
+                }
+            )
+        return result
+
+    @staticmethod
+    def update_by_name(name: str, value: str):
+        settings = SystemSettingsService.get_by_name(name)
+        if len(settings) == 1:
+            setting = settings[0]
+            setting.value = value
+            setting_dict = setting.to_dict()
+            SystemSettingsService.update_by_name(name, setting_dict)
+        elif len(settings) > 1:
+            raise AdminException(f"Can't update more than 1 setting: {name}")
+        else:
+            # Create new setting if it doesn't exist
+
+            # Determine data_type based on name and value
+            if name.startswith("sandbox."):
+                data_type = "json"
+            elif name.endswith(".enabled"):
+                data_type = "boolean"
+            else:
+                data_type = "string"
+
+            new_setting = {
+                "name": name,
+                "value": str(value),
+                "source": "admin",
+                "data_type": data_type,
+            }
+            SystemSettingsService.save(**new_setting)
+
+
+class ConfigMgr:
+    @staticmethod
+    def get_all():
+        result = []
+        configs = SERVICE_CONFIGS.configs
+        for config in configs:
+            config_dict = config.to_dict()
+            result.append(config_dict)
+        return result
+
+
+class EnvironmentsMgr:
+    @staticmethod
+    def get_all():
+        result = []
+
+        env_kv = {"env": "DOC_ENGINE", "value": os.getenv("DOC_ENGINE")}
+        result.append(env_kv)
+
+        env_kv = {"env": "DEFAULT_SUPERUSER_EMAIL", "value": os.getenv("DEFAULT_SUPERUSER_EMAIL", "admin@ragflow.io")}
+        result.append(env_kv)
+
+        env_kv = {"env": "DB_TYPE", "value": os.getenv("DB_TYPE", "mysql")}
+        result.append(env_kv)
+
+        env_kv = {"env": "DEVICE", "value": os.getenv("DEVICE", "cpu")}
+        result.append(env_kv)
+
+        env_kv = {"env": "STORAGE_IMPL", "value": os.getenv("STORAGE_IMPL", "MINIO")}
+        result.append(env_kv)
+
+        return result
+
+
+class SandboxMgr:
+    """Manager for sandbox provider configuration and operations."""
+
+    # Provider registry with metadata
+    PROVIDER_REGISTRY = {
+        "self_managed": {
+            "name": "Self-Managed",
+            "description": "On-premise deployment using Daytona/Docker",
+            "tags": ["self-hosted", "low-latency", "secure"],
+        },
+        "aliyun_codeinterpreter": {
+            "name": "Aliyun Code Interpreter",
+            "description": "Aliyun Function Compute Code Interpreter - Code execution in serverless microVMs",
+            "tags": ["saas", "cloud", "scalable", "aliyun"],
+        },
+        "e2b": {
+            "name": "E2B",
+            "description": "E2B Cloud - Code Execution Sandboxes",
+            "tags": ["saas", "fast", "global"],
+        },
+    }
+
+    @staticmethod
+    def list_providers():
+        """List all available sandbox providers."""
+        result = []
+        for provider_id, metadata in SandboxMgr.PROVIDER_REGISTRY.items():
+            result.append({
+                "id": provider_id,
+                **metadata
+            })
+        return result
+
+    @staticmethod
+    def get_provider_config_schema(provider_id: str):
+        """Get configuration schema for a specific provider."""
+        from agent.sandbox.providers import (
+            SelfManagedProvider,
+            AliyunCodeInterpreterProvider,
+            E2BProvider,
+        )
+
+        schemas = {
+            "self_managed": SelfManagedProvider.get_config_schema(),
+            "aliyun_codeinterpreter": AliyunCodeInterpreterProvider.get_config_schema(),
+            "e2b": E2BProvider.get_config_schema(),
+        }
+
+        if provider_id not in schemas:
+            raise AdminException(f"Unknown provider: {provider_id}")
+
+        return schemas.get(provider_id, {})
+
+    @staticmethod
+    def get_config():
+        """Get current sandbox configuration."""
+        try:
+            # Get active provider type
+            provider_type_settings = SystemSettingsService.get_by_name("sandbox.provider_type")
+            if not provider_type_settings:
+                # Return default config if not set
+                provider_type = "self_managed"
+            else:
+                provider_type = provider_type_settings[0].value
+
+            # Get provider-specific config
+            provider_config_settings = SystemSettingsService.get_by_name(f"sandbox.{provider_type}")
+            if not provider_config_settings:
+                provider_config = {}
+            else:
+                try:
+                    provider_config = json.loads(provider_config_settings[0].value)
+                except json.JSONDecodeError:
+                    provider_config = {}
+
+            return {
+                "provider_type": provider_type,
+                "config": provider_config,
+            }
+        except Exception as e:
+            raise AdminException(f"Failed to get sandbox config: {str(e)}")
+
+    @staticmethod
+    def set_config(provider_type: str, config: dict, set_active: bool = True):
+        """
+        Set sandbox provider configuration.
+
+        Args:
+            provider_type: Provider identifier (e.g., "self_managed", "e2b")
+            config: Provider configuration dictionary
+            set_active: If True, also update the active provider. If False,
+                       only update the configuration without switching providers.
+                       Default: True
+
+        Returns:
+            Dictionary with updated provider_type and config
+        """
+        from agent.sandbox.providers import (
+            SelfManagedProvider,
+            AliyunCodeInterpreterProvider,
+            E2BProvider,
+        )
+
+        try:
+            # Validate provider type
+            if provider_type not in SandboxMgr.PROVIDER_REGISTRY:
+                raise AdminException(f"Unknown provider type: {provider_type}")
+
+            # Get provider schema for validation
+            schema = SandboxMgr.get_provider_config_schema(provider_type)
+
+            # Validate config against schema
+            for field_name, field_schema in schema.items():
+                if field_schema.get("required", False) and field_name not in config:
+                    raise AdminException(f"Required field '{field_name}' is missing")
+
+                # Type validation
+                if field_name in config:
+                    field_type = field_schema.get("type")
+                    if field_type == "integer":
+                        if not isinstance(config[field_name], int):
+                            raise AdminException(f"Field '{field_name}' must be an integer")
+                    elif field_type == "string":
+                        if not isinstance(config[field_name], str):
+                            raise AdminException(f"Field '{field_name}' must be a string")
+                    elif field_type == "bool":
+                        if not isinstance(config[field_name], bool):
+                            raise AdminException(f"Field '{field_name}' must be a boolean")
+
+                    # Range validation for integers
+                    if field_type == "integer" and field_name in config:
+                        min_val = field_schema.get("min")
+                        max_val = field_schema.get("max")
+                        if min_val is not None and config[field_name] < min_val:
+                            raise AdminException(f"Field '{field_name}' must be >= {min_val}")
+                        if max_val is not None and config[field_name] > max_val:
+                            raise AdminException(f"Field '{field_name}' must be <= {max_val}")
+
+            # Provider-specific custom validation
+            provider_classes = {
+                "self_managed": SelfManagedProvider,
+                "aliyun_codeinterpreter": AliyunCodeInterpreterProvider,
+                "e2b": E2BProvider,
+            }
+            provider = provider_classes[provider_type]()
+            is_valid, error_msg = provider.validate_config(config)
+            if not is_valid:
+                raise AdminException(f"Provider validation failed: {error_msg}")
+
+            # Update provider_type only if set_active is True
+            if set_active:
+                SettingsMgr.update_by_name("sandbox.provider_type", provider_type)
+
+            # Always update the provider config
+            config_json = json.dumps(config)
+            SettingsMgr.update_by_name(f"sandbox.{provider_type}", config_json)
+
+            return {"provider_type": provider_type, "config": config}
+        except AdminException:
+            raise
+        except Exception as e:
+            raise AdminException(f"Failed to set sandbox config: {str(e)}")
+
+    @staticmethod
+    def test_connection(provider_type: str, config: dict):
+        """
+        Test connection to sandbox provider by executing a simple Python script.
+
+        This creates a temporary sandbox instance and runs a test code to verify:
+        - Connection credentials are valid
+        - Sandbox can be created
+        - Code execution works correctly
+
+        Args:
+            provider_type: Provider identifier
+            config: Provider configuration dictionary
+
+        Returns:
+            dict with test results including stdout, stderr, exit_code, execution_time
+        """
+        try:
+            from agent.sandbox.providers import (
+                SelfManagedProvider,
+                AliyunCodeInterpreterProvider,
+                E2BProvider,
+            )
+
+            # Instantiate provider based on type
+            provider_classes = {
+                "self_managed": SelfManagedProvider,
+                "aliyun_codeinterpreter": AliyunCodeInterpreterProvider,
+                "e2b": E2BProvider,
+            }
+
+            if provider_type not in provider_classes:
+                raise AdminException(f"Unknown provider type: {provider_type}")
+
+            provider = provider_classes[provider_type]()
+
+            # Initialize with config
+            if not provider.initialize(config):
+                raise AdminException(f"Failed to initialize provider '{provider_type}'")
+
+            # Create a temporary sandbox instance for testing
+            instance = provider.create_instance(template="python")
+
+            if not instance or instance.status != "READY":
+                raise AdminException(f"Failed to create sandbox instance. Status: {instance.status if instance else 'None'}")
+
+            # Simple test code that exercises basic Python functionality
+            test_code = """
+# Test basic Python functionality
+import sys
+import json
+import math
+
+print("Python version:", sys.version)
+print("Platform:", sys.platform)
+
+# Test basic calculations
+result = 2 + 2
+print(f"2 + 2 = {result}")
+
+# Test JSON operations
+data = {"test": "data", "value": 123}
+print(f"JSON dump: {json.dumps(data)}")
+
+# Test math operations
+print(f"Math.sqrt(16) = {math.sqrt(16)}")
+
+# Test error handling
+try:
+    x = 1 / 1
+    print("Division test: OK")
+except Exception as e:
+    print(f"Error: {e}")
+
+# Return success indicator
+print("TEST_PASSED")
+"""
+
+            # Execute test code with timeout
+            execution_result = provider.execute_code(
+                instance_id=instance.instance_id,
+                code=test_code,
+                language="python",
+                timeout=10  # 10 seconds timeout
+            )
+
+            # Clean up the test instance (if provider supports it)
+            try:
+                if hasattr(provider, 'terminate_instance'):
+                    provider.terminate_instance(instance.instance_id)
+                    logging.info(f"Cleaned up test instance {instance.instance_id}")
+                else:
+                    logging.warning(f"Provider {provider_type} does not support terminate_instance, test instance may leak")
+            except Exception as cleanup_error:
+                logging.warning(f"Failed to cleanup test instance {instance.instance_id}: {cleanup_error}")
+
+            # Build detailed result message
+            success = execution_result.exit_code == 0 and "TEST_PASSED" in execution_result.stdout
+
+            message_parts = [
+                f"Test {success and 'PASSED' or 'FAILED'}",
+                f"Exit code: {execution_result.exit_code}",
+                f"Execution time: {execution_result.execution_time:.2f}s"
+            ]
+
+            if execution_result.stdout.strip():
+                stdout_preview = execution_result.stdout.strip()[:200]
+                message_parts.append(f"Output: {stdout_preview}...")
+
+            if execution_result.stderr.strip():
+                stderr_preview = execution_result.stderr.strip()[:200]
+                message_parts.append(f"Errors: {stderr_preview}...")
+
+            message = " | ".join(message_parts)
+
+            return {
+                "success": success,
+                "message": message,
+                "details": {
+                    "exit_code": execution_result.exit_code,
+                    "execution_time": execution_result.execution_time,
+                    "stdout": execution_result.stdout,
+                    "stderr": execution_result.stderr,
+                }
+            }
+
+        except AdminException:
+            raise
+        except Exception as e:
+            import traceback
+            error_details = traceback.format_exc()
+            raise AdminException(f"Connection test failed: {str(e)}\\n\\nStack trace:\\n{error_details}")
--- a/agent/canvas.py
+++ b/agent/canvas.py
@@ -15,6 +15,7 @@
 #
 import asyncio
 import base64
+import datetime
 import inspect
 import binascii
 import json
@@ -28,9 +29,11 @@ from typing import Any, Union, Tuple

 from agent.component import component_class
 from agent.component.base import ComponentBase
+from agent.dsl_migration import normalize_chunker_dsl
 from api.db.services.file_service import FileService
 from api.db.services.llm_service import LLMBundle
 from api.db.services.task_service import has_canceled
+from api.db.joint_services.tenant_model_service import get_tenant_default_model_by_type
 from common.constants import LLMType
 from common.misc_utils import get_uuid, hash_str2int
 from common.exceptions import TaskCanceledException
@@ -78,13 +81,15 @@ class Graph:
        }
        """

-    def __init__(self, dsl: str, tenant_id=None, task_id=None):
+    def __init__(self, dsl: str, tenant_id=None, task_id=None, custom_header=None):
        self.path = []
        self.components = {}
        self.error = ""
-        self.dsl = json.loads(dsl)
+        # Accept legacy DSL on read, but keep the in-memory canvas in the latest schema.
+        self.dsl = normalize_chunker_dsl(json.loads(dsl))
        self._tenant_id = tenant_id
        self.task_id = task_id if task_id else get_uuid()
+        self.custom_header = custom_header
        self._thread_pool = ThreadPoolExecutor(max_workers=5)
        self.load()

@@ -94,6 +99,7 @@ class Graph:
        for k, cpn in self.components.items():
            cpn_nms.add(cpn["obj"]["component_name"])
            param = component_class(cpn["obj"]["component_name"] + "Param")()
+            cpn["obj"]["params"]["custom_header"] = self.custom_header
            param.update(cpn["obj"]["params"])
            try:
                param.check()
@@ -278,15 +284,17 @@ class Graph:

 class Canvas(Graph):

-    def __init__(self, dsl: str, tenant_id=None, task_id=None, canvas_id=None):
+    def __init__(self, dsl: str, tenant_id=None, task_id=None, canvas_id=None, custom_header=None):
        self.globals = {
            "sys.query": "",
            "sys.user_id": tenant_id,
            "sys.conversation_turns": 0,
-            "sys.files": []
+            "sys.files": [],
+            "sys.history": [],
+            "sys.date": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        }
        self.variables = {}
-        super().__init__(dsl, tenant_id, task_id)
+        super().__init__(dsl, tenant_id, task_id, custom_header=custom_header)
        self._id = canvas_id

    def load(self):
@@ -294,12 +302,18 @@ class Canvas(Graph):
        self.history = self.dsl["history"]
        if "globals" in self.dsl:
            self.globals = self.dsl["globals"]
+            if "sys.history" not in self.globals:
+                self.globals["sys.history"] = []
+            if "sys.date" not in self.globals:
+                self.globals["sys.date"] = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        else:
            self.globals = {
            "sys.query": "",
            "sys.user_id": "",
            "sys.conversation_turns": 0,
-            "sys.files": []
+            "sys.files": [],
+            "sys.history": [],
+            "sys.date": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        }
        if "variables" in self.dsl:
            self.variables = self.dsl["variables"]
@@ -340,25 +354,26 @@ class Canvas(Graph):
                key = k[4:]
                if key in self.variables:
                    variable = self.variables[key]
-                    if variable["value"]:
-                        self.globals[k] = variable["value"]
+                    value = variable.get("value")
+                    if value is not None:
+                        self.globals[k] = value
                    else:
-                        if variable["type"] == "string":
-                            self.globals[k] = ""
-                        elif variable["type"] == "number":
+                        var_type = variable.get("type", "")
+                        if var_type == "number":
                            self.globals[k] = 0
-                        elif variable["type"] == "boolean":
+                        elif var_type == "boolean":
                            self.globals[k] = False
-                        elif variable["type"] == "object":
+                        elif var_type == "object":
                            self.globals[k] = {}
-                        elif variable["type"].startswith("array"):
+                        elif var_type.startswith("array"):
                            self.globals[k] = []
-                        else:
+                        else:  # "string" or unknown
                            self.globals[k] = ""
                else:
                    self.globals[k] = ""

    async def run(self, **kwargs):
+        self.globals["sys.date"] = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        st = time.perf_counter()
        self._loop = asyncio.get_running_loop()
        self.message_id = get_uuid()
@@ -378,10 +393,16 @@ class Canvas(Graph):
                            continue
                        self.components[k]["obj"].set_output(kk, vv)

+        layout_recognize = None
+        for cpn in self.components.values():
+            if cpn["obj"].component_name.lower() == "begin":
+                layout_recognize = getattr(cpn["obj"]._param, "layout_recognize", None)
+                break
+
        for k in kwargs.keys():
            if k in ["query", "user_id", "files"] and kwargs[k]:
                if k == "files":
-                    self.globals[f"sys.{k}"] = await self.get_files_async(kwargs[k])
+                    self.globals[f"sys.{k}"] = await self.get_files_async(kwargs[k], layout_recognize)
                else:
                    self.globals[f"sys.{k}"] = kwargs[k]
        if not self.globals["sys.conversation_turns"] :
@@ -419,9 +440,15 @@ class Canvas(Graph):

            loop = asyncio.get_running_loop()
            tasks = []
+            max_concurrency = getattr(self._thread_pool, "_max_workers", 5)
+            sem = asyncio.Semaphore(max_concurrency)

-            def _run_async_in_thread(coro_func, **call_kwargs):
-                return asyncio.run(coro_func(**call_kwargs))
+            async def _invoke_one(cpn_obj, sync_fn, call_kwargs, use_async: bool):
+                async with sem:
+                    if use_async:
+                        await cpn_obj.invoke_async(**(call_kwargs or {}))
+                        return
+                    await loop.run_in_executor(self._thread_pool, partial(sync_fn, **(call_kwargs or {})))

            i = f
            while i < t:
@@ -447,11 +474,9 @@ class Canvas(Graph):
                if task_fn is None:
                    continue

-                invoke_async = getattr(cpn, "invoke_async", None)
-                if invoke_async and asyncio.iscoroutinefunction(invoke_async):
-                    tasks.append(loop.run_in_executor(self._thread_pool, partial(_run_async_in_thread, invoke_async, **(call_kwargs or {}))))
-                else:
-                    tasks.append(loop.run_in_executor(self._thread_pool, partial(task_fn, **(call_kwargs or {}))))
+                fn_invoke_async = getattr(cpn, "_invoke_async", None)
+                use_async = (fn_invoke_async and asyncio.iscoroutinefunction(fn_invoke_async)) or asyncio.iscoroutinefunction(getattr(cpn, "_invoke", None))
+                tasks.append(asyncio.create_task(_invoke_one(cpn, task_fn, call_kwargs, use_async)))

            if tasks:
                await asyncio.gather(*tasks)
@@ -490,7 +515,8 @@ class Canvas(Graph):
                cpn_obj = self.get_component_obj(self.path[i])
                if cpn_obj.component_name.lower() == "message":
                    if cpn_obj.get_param("auto_play"):
-                        tts_mdl = LLMBundle(self._tenant_id, LLMType.TTS)
+                        tts_model_config = get_tenant_default_model_by_type(self._tenant_id, LLMType.TTS)
+                        tts_mdl = LLMBundle(self._tenant_id, tts_model_config)
                    if isinstance(cpn_obj.output("content"), partial):
                        _m = ""
                        buff_m = ""
@@ -535,18 +561,10 @@ class Canvas(Graph):
                            yield decorate("message", {"content": "", "audio_binary": self.tts(tts_mdl, buff_m)})
                            buff_m = ""
                        cpn_obj.set_output("content", _m)
-                        cite = re.search(r"\[ID:[ 0-9]+\]", _m)
                    else:
                        yield decorate("message", {"content": cpn_obj.output("content")})
-                        cite = re.search(r"\[ID:[ 0-9]+\]",  cpn_obj.output("content"))

-                    message_end = {}
-                    if cpn_obj.get_param("status"):
-                        message_end["status"] = cpn_obj.get_param("status")
-                    if isinstance(cpn_obj.output("attachment"), dict):
-                        message_end["attachment"] = cpn_obj.output("attachment")
-                    if cite:
-                        message_end["reference"] = self.get_reference()
+                    message_end = self._build_message_end(cpn_obj)
                    yield decorate("message_end", message_end)

                    while partials:
@@ -638,6 +656,7 @@ class Canvas(Graph):
                           "created_at": st,
                       })
            self.history.append(("assistant", self.get_component_obj(self.path[-1]).output()))
+            self.globals["sys.history"].append(f"{self.history[-1][0]}: {self.history[-1][1]}")
        elif "Task has been canceled" in self.error:
            yield decorate("workflow_finished",
                       {
@@ -715,6 +734,7 @@ class Canvas(Graph):

    def add_user_input(self, question):
        self.history.append(("user", question))
+        self.globals["sys.history"].append(f"{self.history[-1][0]}: {self.history[-1][1]}")

    def get_prologue(self):
        return self.components["begin"]["obj"]._param.prologue
@@ -734,30 +754,33 @@ class Canvas(Graph):
    def get_component_input_elements(self, cpnnm):
        return self.components[cpnnm]["obj"].get_input_elements()

-    async def get_files_async(self, files: Union[None, list[dict]]) -> list[str]:
+    async def get_files_async(self, files: Union[None, list[dict]], layout_recognize: str = None) -> list[str]:
        if not files:
            return  []
        def image_to_base64(file):
            return "data:{};base64,{}".format(file["mime_type"],
                                        base64.b64encode(FileService.get_blob(file["created_by"], file["id"])).decode("utf-8"))
+        def parse_file(file):
+            blob = FileService.get_blob(file["created_by"], file["id"])
+            return FileService.parse(file["name"], blob, True, file["created_by"], layout_recognize)
        loop = asyncio.get_running_loop()
        tasks = []
        for file in files:
            if file["mime_type"].find("image") >=0:
                tasks.append(loop.run_in_executor(self._thread_pool, image_to_base64, file))
                continue
-            tasks.append(loop.run_in_executor(self._thread_pool, FileService.parse, file["name"], FileService.get_blob(file["created_by"], file["id"]), True, file["created_by"]))
+            tasks.append(loop.run_in_executor(self._thread_pool, parse_file, file))
        return await asyncio.gather(*tasks)

-    def get_files(self, files: Union[None, list[dict]]) -> list[str]:
+    def get_files(self, files: Union[None, list[dict]], layout_recognize: str = None) -> list[str]:
        """
        Synchronous wrapper for get_files_async, used by sync component invoke paths.
        """
        loop = getattr(self, "_loop", None)
        if loop and loop.is_running():
-            return asyncio.run_coroutine_threadsafe(self.get_files_async(files), loop).result()
+            return asyncio.run_coroutine_threadsafe(self.get_files_async(files, layout_recognize), loop).result()

-        return asyncio.run(self.get_files_async(files))
+        return asyncio.run(self.get_files_async(files, layout_recognize))

    def tool_use_callback(self, agent_id: str, func_name: str, params: dict, result: Any, elapsed_time=None):
        agent_ids = agent_id.split("-->")
@@ -803,6 +826,22 @@ class Canvas(Graph):
            return {"chunks": {}, "doc_aggs": {}}
        return self.retrieval[-1]

+    def _has_reference(self) -> bool:
+        ref = self.get_reference()
+        if not isinstance(ref, dict):
+            return False
+        return bool(ref.get("chunks") or ref.get("doc_aggs"))
+
+    def _build_message_end(self, cpn_obj) -> dict:
+        message_end = {}
+        if cpn_obj.get_param("status"):
+            message_end["status"] = cpn_obj.get_param("status")
+        if isinstance(cpn_obj.output("attachment"), dict):
+            message_end["attachment"] = cpn_obj.output("attachment")
+        if self._has_reference():
+            message_end["reference"] = self.get_reference()
+        return message_end
+
    def add_memory(self, user:str, assist:str, summ: str):
        self.memory.append((user, assist, summ))

--- a/agent/component/agent_with_tools.py
+++ b/agent/component/agent_with_tools.py
@@ -20,19 +20,20 @@ import os
 import re
 from copy import deepcopy
 from functools import partial
+from timeit import default_timer as timer
 from typing import Any

 import json_repair
-from timeit import default_timer as timer
-from agent.tools.base import LLMToolPluginCallSession, ToolParamBase, ToolBase, ToolMeta
+
+from agent.component.llm import LLM, LLMParam
+from agent.tools.base import LLMToolPluginCallSession, ToolBase, ToolMeta, ToolParamBase
+from api.db.joint_services.tenant_model_service import get_model_config_by_type_and_name
 from api.db.services.llm_service import LLMBundle
-from api.db.services.tenant_llm_service import TenantLLMService
 from api.db.services.mcp_server_service import MCPServerService
+from api.db.services.tenant_llm_service import TenantLLMService
 from common.connection_utils import timeout
-from rag.prompts.generator import next_step_async, COMPLETE_TASK, \
-    citation_prompt, kb_prompt, citation_plus, full_question, message_fit_in, structured_output_prompt
 from common.mcp_tool_call_conn import MCPToolCallSession, mcp_tool_metadata_to_openai_tool
-from agent.component.llm import LLMParam, LLM
+from rag.prompts.generator import citation_plus, citation_prompt, full_question, kb_prompt, message_fit_in, structured_output_prompt


 class AgentParam(LLMParam, ToolParamBase):
@@ -41,41 +42,32 @@ class AgentParam(LLMParam, ToolParamBase):
    """

    def __init__(self):
-        self.meta:ToolMeta = {
-                "name": "agent",
-                "description": "This is an agent for a specific task.",
-                "parameters": {
-                    "user_prompt": {
-                        "type": "string",
-                        "description": "This is the order you need to send to the agent.",
-                        "default": "",
-                        "required": True
-                    },
-                    "reasoning": {
-                        "type": "string",
-                        "description": (
-                            "Supervisor's reasoning for choosing the this agent. "
-                            "Explain why this agent is being invoked and what is expected of it."
-                        ),
-                        "required": True
-                    },
-                    "context": {
-                        "type": "string",
-                        "description": (
-                                "All relevant background information, prior facts, decisions, "
-                                "and state needed by the agent to solve the current query. "
-                                "Should be as detailed and self-contained as possible."
-                            ),
-                        "required": True
-                    },
-                }
-            }
+        self.meta: ToolMeta = {
+            "name": "agent",
+            "description": "This is an agent for a specific task.",
+            "parameters": {
+                "user_prompt": {"type": "string", "description": "This is the order you need to send to the agent.", "default": "", "required": True},
+                "reasoning": {
+                    "type": "string",
+                    "description": ("Supervisor's reasoning for choosing the this agent. Explain why this agent is being invoked and what is expected of it."),
+                    "required": True,
+                },
+                "context": {
+                    "type": "string",
+                    "description": (
+                        "All relevant background information, prior facts, decisions, and state needed by the agent to solve the current query. Should be as detailed and self-contained as possible."
+                    ),
+                    "required": True,
+                },
+            },
+        }
        super().__init__()
        self.function_name = "agent"
        self.tools = []
        self.mcp = []
        self.max_rounds = 5
        self.description = ""
+        self.custom_header = {}


 class Agent(LLM, ToolBase):
@@ -89,13 +81,15 @@ class Agent(LLM, ToolBase):
            original_name = cpn.get_meta()["function"]["name"]
            indexed_name = f"{original_name}_{idx}"
            self.tools[indexed_name] = cpn
-
-        self.chat_mdl = LLMBundle(self._canvas.get_tenant_id(), TenantLLMService.llm_id2llm_type(self._param.llm_id), self._param.llm_id,
-                                  max_retries=self._param.max_retries,
-                                  retry_interval=self._param.delay_after_error,
-                                  max_rounds=self._param.max_rounds,
-                                  verbose_tool_use=True
-                                  )
+        chat_model_config = get_model_config_by_type_and_name(self._canvas.get_tenant_id(), TenantLLMService.llm_id2llm_type(self._param.llm_id), self._param.llm_id)
+        self.chat_mdl = LLMBundle(
+            self._canvas.get_tenant_id(),
+            chat_model_config,
+            max_retries=self._param.max_retries,
+            retry_interval=self._param.delay_after_error,
+            max_rounds=self._param.max_rounds,
+            verbose_tool_use=False,
+        )
        self.tool_meta = []
        for indexed_name, tool_obj in self.tools.items():
            original_meta = tool_obj.get_meta()
@@ -105,16 +99,37 @@ class Agent(LLM, ToolBase):

        for mcp in self._param.mcp:
            _, mcp_server = MCPServerService.get_by_id(mcp["mcp_id"])
-            tool_call_session = MCPToolCallSession(mcp_server, mcp_server.variables)
+            custom_header = self._param.custom_header
+            tool_call_session = MCPToolCallSession(mcp_server, mcp_server.variables, custom_header)
            for tnm, meta in mcp["tools"].items():
                self.tool_meta.append(mcp_tool_metadata_to_openai_tool(meta))
                self.tools[tnm] = tool_call_session
        self.callback = partial(self._canvas.tool_use_callback, id)
        self.toolcall_session = LLMToolPluginCallSession(self.tools, self.callback)
-        #self.chat_mdl.bind_tools(self.toolcall_session, self.tool_metas)
+        if self.tool_meta:
+            self.chat_mdl.bind_tools(self.toolcall_session, self.tool_meta)
+
+    def _fit_messages(self, prompt: str, msg: list[dict]) -> list[dict]:
+        _, fitted_messages = message_fit_in(
+            [{"role": "system", "content": prompt}, *msg],
+            int(self.chat_mdl.max_length * 0.97),
+        )
+        return fitted_messages
+
+    @staticmethod
+    def _append_system_prompt(msg: list[dict], extra_prompt: str) -> None:
+        if extra_prompt and msg and msg[0]["role"] == "system":
+            msg[0]["content"] += "\n" + extra_prompt
+
+    @staticmethod
+    def _clean_formatted_answer(ans: str) -> str:
+        ans = re.sub(r"^.*</think>", "", ans, flags=re.DOTALL)
+        ans = re.sub(r"^.*```json", "", ans, flags=re.DOTALL)
+        return re.sub(r"```\n*$", "", ans, flags=re.DOTALL)

    def _load_tool_obj(self, cpn: dict) -> object:
        from agent.component import component_class
+
        tool_name = cpn["component_name"]
        param = component_class(tool_name + "Param")()
        param.update(cpn["params"])
@@ -127,19 +142,17 @@ class Agent(LLM, ToolBase):
        return component_class(cpn["component_name"])(self._canvas, cpn_id, param)

    def get_meta(self) -> dict[str, Any]:
-        self._param.function_name= self._id.split("-->")[-1]
+        self._param.function_name = self._id.split("-->")[-1]
        m = super().get_meta()
        if hasattr(self._param, "user_prompt") and self._param.user_prompt:
-            m["function"]["parameters"]["properties"]["user_prompt"] = self._param.user_prompt
+            # Keep the JSON schema valid; user_prompt is a string field, not a schema node.
+            m["function"]["parameters"]["properties"]["user_prompt"]["default"] = self._param.user_prompt
        return m

    def get_input_form(self) -> dict[str, dict]:
        res = {}
        for k, v in self.get_input_elements().items():
-            res[k] = {
-                "type": "line",
-                "name": v["name"]
-            }
+            res[k] = {"type": "line", "name": v["name"]}
        for cpn in self._param.tools:
            if not isinstance(cpn, LLM):
                continue
@@ -172,7 +185,7 @@ class Agent(LLM, ToolBase):
    def _invoke(self, **kwargs):
        return asyncio.run(self._invoke_async(**kwargs))

-    @timeout(int(os.environ.get("COMPONENT_EXEC_TIMEOUT", 20*60)))
+    @timeout(int(os.environ.get("COMPONENT_EXEC_TIMEOUT", 20 * 60)))
    async def _invoke_async(self, **kwargs):
        if self.check_if_canceled("Agent processing"):
            return
@@ -201,19 +214,17 @@ class Agent(LLM, ToolBase):
            schema = json.dumps(output_schema, ensure_ascii=False, indent=2)
            schema_prompt = structured_output_prompt(schema)

-        downstreams = self._canvas.get_component(self._id)["downstream"] if self._canvas.get_component(self._id) else []
+        component = self._canvas.get_component(self._id)
+        downstreams = component["downstream"] if component else []
        ex = self.exception_handler()
-        if any([self._canvas.get_component_obj(cid).component_name.lower()=="message" for cid in downstreams]) and not (ex and ex["goto"]) and not output_schema:
+        has_message_downstream = any(self._canvas.get_component_obj(cid).component_name.lower() == "message" for cid in downstreams)
+        if has_message_downstream and not (ex and ex["goto"]) and not output_schema:
            self.set_output("content", partial(self.stream_output_with_tools_async, prompt, deepcopy(msg), user_defined_prompt))
            return

-        _, msg = message_fit_in([{"role": "system", "content": prompt}, *msg], int(self.chat_mdl.max_length * 0.97))
-        use_tools = []
-        ans = ""
-        async for delta_ans, _tk in self._react_with_tools_streamly_async_simple(prompt, msg, use_tools, user_defined_prompt,schema_prompt=schema_prompt):
-            if self.check_if_canceled("Agent processing"):
-                return
-            ans += delta_ans
+        msg = self._fit_messages(prompt, msg)
+        self._append_system_prompt(msg, schema_prompt)
+        ans = await self._generate_async(msg)

        if ans.find("**ERROR**") >= 0:
            logging.error(f"Agent._chat got error. response: {ans}")
@@ -227,14 +238,8 @@ class Agent(LLM, ToolBase):
            error = ""
            for _ in range(self._param.max_retries + 1):
                try:
-                    def clean_formated_answer(ans: str) -> str:
-                        ans = re.sub(r"^.*</think>", "", ans, flags=re.DOTALL)
-                        ans = re.sub(r"^.*```json", "", ans, flags=re.DOTALL)
-                        return re.sub(r"```\n*$", "", ans, flags=re.DOTALL)
-                    obj = json_repair.loads(clean_formated_answer(ans))
+                    obj = json_repair.loads(self._clean_formatted_answer(ans))
                    self.set_output("structured", obj)
-                    if use_tools:
-                        self.set_output("use_tools", use_tools)
                    return obj
                except Exception:
                    error = "The answer cannot be parsed as JSON"
@@ -245,330 +250,92 @@ class Agent(LLM, ToolBase):
            self.set_output("_ERROR", error)
            return

+        artifact_md = self._collect_tool_artifact_markdown(existing_text=ans)
+        if artifact_md:
+            ans += "\n\n" + artifact_md
        self.set_output("content", ans)
-        if use_tools:
-            self.set_output("use_tools", use_tools)
        return ans

    async def stream_output_with_tools_async(self, prompt, msg, user_defined_prompt={}):
-        _, msg = message_fit_in([{"role": "system", "content": prompt}, *msg], int(self.chat_mdl.max_length * 0.97))
-        answer_without_toolcall = ""
-        use_tools = []
-        async for delta_ans, _ in self._react_with_tools_streamly_async_simple(prompt, msg, use_tools, user_defined_prompt):
+        if len(msg) > 3:
+            st = timer()
+            user_request = await full_question(messages=msg, chat_mdl=self.chat_mdl)
+            self.callback("Multi-turn conversation optimization", {}, user_request, elapsed_time=timer() - st)
+            msg = [*msg[:-1], {"role": "user", "content": user_request}]
+
+        msg = self._fit_messages(prompt, msg)
+
+        need2cite = self._param.cite and self._canvas.get_reference()["chunks"] and self._id.find("-->") < 0
+        cited = False
+        if need2cite and len(msg) < 7:
+            self._append_system_prompt(msg, citation_prompt())
+            cited = True
+
+        answer = ""
+        async for delta in self._generate_streamly(msg):
            if self.check_if_canceled("Agent streaming"):
                return
-
-            if delta_ans.find("**ERROR**") >= 0:
+            if delta.find("**ERROR**") >= 0:
                if self.get_exception_default_value():
                    self.set_output("content", self.get_exception_default_value())
                    yield self.get_exception_default_value()
                else:
-                    self.set_output("_ERROR", delta_ans)
-                    return
-            answer_without_toolcall += delta_ans
-            yield delta_ans
-
-        self.set_output("content", answer_without_toolcall)
-        if use_tools:
-            self.set_output("use_tools", use_tools)
-
-    async def _react_with_tools_streamly_async_simple(self, prompt, history: list[dict], use_tools, user_defined_prompt={}, schema_prompt: str = ""):
-        token_count = 0
-        tool_metas = self.tool_meta
-        hist = deepcopy(history)
-        last_calling = ""
-        if len(hist) > 3:
-            st = timer()
-            user_request = await full_question(messages=history, chat_mdl=self.chat_mdl)
-            self.callback("Multi-turn conversation optimization", {}, user_request, elapsed_time=timer()-st)
-        else:
-            user_request = history[-1]["content"]
-
-        def build_task_desc(prompt: str, user_request: str, user_defined_prompt: dict | None = None) -> str:
-            """Build a minimal task_desc by concatenating prompt, query, and tool schemas."""
-            user_defined_prompt = user_defined_prompt or {}
-
-            task_desc = (
-                "### Agent Prompt\n"
-                f"{prompt}\n\n"
-                "### User Request\n"
-                f"{user_request}\n\n"
-            )
-
-            if user_defined_prompt:
-                udp_json = json.dumps(user_defined_prompt, ensure_ascii=False, indent=2)
-                task_desc += "\n### User Defined Prompts\n" + udp_json + "\n"
-
-            return task_desc
-
-
-        async def use_tool_async(name, args):
-            nonlocal hist, use_tools, last_calling
-            logging.info(f"{last_calling=} == {name=}")
-            last_calling = name
-            tool_response = await self.toolcall_session.tool_call_async(name, args)
-            use_tools.append({
-                "name": name,
-                "arguments": args,
-                "results": tool_response
-            })
-            return name, tool_response
-
-        async def complete():
-            nonlocal hist
-            need2cite = self._param.cite and self._canvas.get_reference()["chunks"] and self._id.find("-->") < 0
-            if schema_prompt:
-                need2cite = False
-            cited = False
-            if hist and hist[0]["role"] == "system":
-                if schema_prompt:
-                    hist[0]["content"] += "\n" + schema_prompt
-                if need2cite and len(hist) < 7:
-                    hist[0]["content"] += citation_prompt()
-                    cited = True
-            yield "", token_count
-
-            _hist = hist
-            if len(hist) > 12:
-                _hist = [hist[0], hist[1], *hist[-10:]]
-            entire_txt = ""
-            async for delta_ans in self._generate_streamly(_hist):
-                if not need2cite or cited:
-                    yield delta_ans, 0
-                entire_txt += delta_ans
-            if not need2cite or cited:
+                    self.set_output("_ERROR", delta)
                return
+            if not need2cite or cited:
+                yield delta
+            answer += delta

-            st = timer()
-            txt = ""
-            async for delta_ans in self._gen_citations_async(entire_txt):
-                if self.check_if_canceled("Agent streaming"):
-                    return
-                yield delta_ans, 0
-                txt += delta_ans
-
-            self.callback("gen_citations", {}, txt, elapsed_time=timer()-st)
-
-        def build_observation(tool_call_res: list[tuple]) -> str:
-            """
-            Build a Observation from tool call results.
-            No LLM involved.
-            """
-            if not tool_call_res:
-                return ""
-
-            lines = ["Observation:"]
-            for name, result in tool_call_res:
-                lines.append(f"[{name} result]")
-                lines.append(str(result))
-
-            return "\n".join(lines)
-
-        def append_user_content(hist, content):
-            if hist[-1]["role"] == "user":
-                hist[-1]["content"] += content
-            else:
-                hist.append({"role": "user", "content": content})
+        if not need2cite or cited:
+            artifact_md = self._collect_tool_artifact_markdown(existing_text=answer)
+            if artifact_md:
+                yield "\n\n" + artifact_md
+                answer += "\n\n" + artifact_md
+            self.set_output("content", answer)
+            return

        st = timer()
-        task_desc = build_task_desc(prompt, user_request, user_defined_prompt)
-        self.callback("analyze_task", {}, task_desc, elapsed_time=timer()-st)
-        for _ in range(self._param.max_rounds + 1):
+        cited_answer = ""
+        async for delta in self._gen_citations_async(answer):
            if self.check_if_canceled("Agent streaming"):
                return
-            response, tk = await next_step_async(self.chat_mdl, hist, tool_metas, task_desc, user_defined_prompt)
-            # self.callback("next_step", {}, str(response)[:256]+"...")
-            token_count += tk or 0
-            hist.append({"role": "assistant", "content": response})
-            try:
-                functions = json_repair.loads(re.sub(r"```.*", "", response))
-                if not isinstance(functions, list):
-                    raise TypeError(f"List should be returned, but `{functions}`")
-                for f in functions:
-                    if not isinstance(f, dict):
-                        raise TypeError(f"An object type should be returned, but `{f}`")
-
-                tool_tasks = []
-                for func in functions:
-                    name = func["name"]
-                    args = func["arguments"]
-                    if name == COMPLETE_TASK:
-                        append_user_content(hist, f"Respond with a formal answer. FORGET(DO NOT mention) about `{COMPLETE_TASK}`. The language for the response MUST be as the same as the first user request.\n")
-                        async for txt, tkcnt in complete():
-                            yield txt, tkcnt
-                        return
-
-                    tool_tasks.append(asyncio.create_task(use_tool_async(name, args)))
-
-                results = await asyncio.gather(*tool_tasks) if tool_tasks else []
-                st = timer()
-                reflection = build_observation(results)
-                append_user_content(hist, reflection)
-                self.callback("reflection", {}, str(reflection), elapsed_time=timer()-st)
-
-            except Exception as e:
-                logging.exception(msg=f"Wrong JSON argument format in LLM ReAct response: {e}")
-                e = f"\nTool call error, please correct the input parameter of response format and call it again.\n *** Exception ***\n{e}"
-                append_user_content(hist, str(e))
-
-        logging.warning( f"Exceed max rounds: {self._param.max_rounds}")
-        final_instruction = f"""
-{user_request}
-IMPORTANT: You have reached the conversation limit. Based on ALL the information and research you have gathered so far, please provide a DIRECT and COMPREHENSIVE final answer to the original request.
-Instructions:
-1. SYNTHESIZE all information collected during this conversation
-2. Provide a COMPLETE response using existing data - do not suggest additional research
-3. Structure your response as a FINAL DELIVERABLE, not a plan
-4. If information is incomplete, state what you found and provide the best analysis possible with available data
-5. DO NOT mention conversation limits or suggest further steps
-6. Focus on delivering VALUE with the information already gathered
-Respond immediately with your final comprehensive answer.
-        """
-        if self.check_if_canceled("Agent final instruction"):
-            return
-        append_user_content(hist, final_instruction)
-
-        async for txt, tkcnt in complete():
-            yield txt, tkcnt
-
-#     async def _react_with_tools_streamly_async(self, prompt, history: list[dict], use_tools, user_defined_prompt={}, schema_prompt: str = ""):
-#         token_count = 0
-#         tool_metas = self.tool_meta
-#         hist = deepcopy(history)
-#         last_calling = ""
-#         if len(hist) > 3:
-#             st = timer()
-#             user_request = await full_question(messages=history, chat_mdl=self.chat_mdl)
-#             self.callback("Multi-turn conversation optimization", {}, user_request, elapsed_time=timer()-st)
-#         else:
-#             user_request = history[-1]["content"]
-
-#         async def use_tool_async(name, args):
-#             nonlocal hist, use_tools, last_calling
-#             logging.info(f"{last_calling=} == {name=}")
-#             last_calling = name
-#             tool_response = await self.toolcall_session.tool_call_async(name, args)
-#             use_tools.append({
-#                 "name": name,
-#                 "arguments": args,
-#                 "results": tool_response
-#             })
-#             # self.callback("add_memory", {}, "...")
-#             #self.add_memory(hist[-2]["content"], hist[-1]["content"], name, args, str(tool_response), user_defined_prompt)
-
-#             return name, tool_response
-
-#         async def complete():
-#             nonlocal hist
-#             need2cite = self._param.cite and self._canvas.get_reference()["chunks"] and self._id.find("-->") < 0
-#             if schema_prompt:
-#                 need2cite = False
-#             cited = False
-#             if hist and hist[0]["role"] == "system":
-#                 if schema_prompt:
-#                     hist[0]["content"] += "\n" + schema_prompt
-#                 if need2cite and len(hist) < 7:
-#                     hist[0]["content"] += citation_prompt()
-#                     cited = True
-#             yield "", token_count
-
-#             _hist = hist
-#             if len(hist) > 12:
-#                 _hist = [hist[0], hist[1], *hist[-10:]]
-#             entire_txt = ""
-#             async for delta_ans in self._generate_streamly(_hist):
-#                 if not need2cite or cited:
-#                     yield delta_ans, 0
-#                 entire_txt += delta_ans
-#             if not need2cite or cited:
-#                 return
-
-#             st = timer()
-#             txt = ""
-#             async for delta_ans in self._gen_citations_async(entire_txt):
-#                 if self.check_if_canceled("Agent streaming"):
-#                     return
-#                 yield delta_ans, 0
-#                 txt += delta_ans
-
-#             self.callback("gen_citations", {}, txt, elapsed_time=timer()-st)
-
-#         def append_user_content(hist, content):
-#             if hist[-1]["role"] == "user":
-#                 hist[-1]["content"] += content
-#             else:
-#                 hist.append({"role": "user", "content": content})
-
-#         st = timer()
-#         task_desc = await analyze_task_async(self.chat_mdl, prompt, user_request, tool_metas, user_defined_prompt)
-#         self.callback("analyze_task", {}, task_desc, elapsed_time=timer()-st)
-#         for _ in range(self._param.max_rounds + 1):
-#             if self.check_if_canceled("Agent streaming"):
-#                 return
-#             response, tk = await next_step_async(self.chat_mdl, hist, tool_metas, task_desc, user_defined_prompt)
-#             # self.callback("next_step", {}, str(response)[:256]+"...")
-#             token_count += tk or 0
-#             hist.append({"role": "assistant", "content": response})
-#             try:
-#                 functions = json_repair.loads(re.sub(r"```.*", "", response))
-#                 if not isinstance(functions, list):
-#                     raise TypeError(f"List should be returned, but `{functions}`")
-#                 for f in functions:
-#                     if not isinstance(f, dict):
-#                         raise TypeError(f"An object type should be returned, but `{f}`")
-
-#                 tool_tasks = []
-#                 for func in functions:
-#                     name = func["name"]
-#                     args = func["arguments"]
-#                     if name == COMPLETE_TASK:
-#                         append_user_content(hist, f"Respond with a formal answer. FORGET(DO NOT mention) about `{COMPLETE_TASK}`. The language for the response MUST be as the same as the first user request.\n")
-#                         async for txt, tkcnt in complete():
-#                             yield txt, tkcnt
-#                         return
-
-#                     tool_tasks.append(asyncio.create_task(use_tool_async(name, args)))
-
-#                 results = await asyncio.gather(*tool_tasks) if tool_tasks else []
-#                 st = timer()
-#                 reflection = await reflect_async(self.chat_mdl, hist, results, user_defined_prompt)
-#                 append_user_content(hist, reflection)
-#                 self.callback("reflection", {}, str(reflection), elapsed_time=timer()-st)
-
-#             except Exception as e:
-#                 logging.exception(msg=f"Wrong JSON argument format in LLM ReAct response: {e}")
-#                 e = f"\nTool call error, please correct the input parameter of response format and call it again.\n *** Exception ***\n{e}"
-#                 append_user_content(hist, str(e))
-
-#         logging.warning( f"Exceed max rounds: {self._param.max_rounds}")
-#         final_instruction = f"""
-# {user_request}
-# IMPORTANT: You have reached the conversation limit. Based on ALL the information and research you have gathered so far, please provide a DIRECT and COMPREHENSIVE final answer to the original request.
-# Instructions:
-# 1. SYNTHESIZE all information collected during this conversation
-# 2. Provide a COMPLETE response using existing data - do not suggest additional research
-# 3. Structure your response as a FINAL DELIVERABLE, not a plan
-# 4. If information is incomplete, state what you found and provide the best analysis possible with available data
-# 5. DO NOT mention conversation limits or suggest further steps
-# 6. Focus on delivering VALUE with the information already gathered
-# Respond immediately with your final comprehensive answer.
-#         """
-#         if self.check_if_canceled("Agent final instruction"):
-#             return
-#         append_user_content(hist, final_instruction)
-
-#         async for txt, tkcnt in complete():
-#             yield txt, tkcnt
+            yield delta
+            cited_answer += delta
+        artifact_md = self._collect_tool_artifact_markdown(existing_text=cited_answer)
+        if artifact_md:
+            yield "\n\n" + artifact_md
+            cited_answer += "\n\n" + artifact_md
+        self.callback("gen_citations", {}, cited_answer, elapsed_time=timer() - st)
+        self.set_output("content", cited_answer)

    async def _gen_citations_async(self, text):
        retrievals = self._canvas.get_reference()
        retrievals = {"chunks": list(retrievals["chunks"].values()), "doc_aggs": list(retrievals["doc_aggs"].values())}
        formated_refer = kb_prompt(retrievals, self.chat_mdl.max_length, True)
-        async for delta_ans in self._generate_streamly([{"role": "system", "content": citation_plus("\n\n".join(formated_refer))},
-                                                  {"role": "user", "content": text}
-                                                  ]):
+        async for delta_ans in self._generate_streamly([{"role": "system", "content": citation_plus("\n\n".join(formated_refer))}, {"role": "user", "content": text}]):
            yield delta_ans

+    def _collect_tool_artifact_markdown(self, existing_text: str = "") -> str:
+        md_parts = []
+        for tool_obj in self.tools.values():
+            if not hasattr(tool_obj, "_param") or not hasattr(tool_obj._param, "outputs"):
+                continue
+            artifacts_meta = tool_obj._param.outputs.get("_ARTIFACTS", {})
+            artifacts = artifacts_meta.get("value") if isinstance(artifacts_meta, dict) else None
+            if not artifacts:
+                continue
+            for art in artifacts:
+                if not isinstance(art, dict):
+                    continue
+                url = art.get("url", "")
+                if url and (f"![]({url})" in existing_text or f"![{art.get('name', '')}]({url})" in existing_text):
+                    continue
+                if art.get("mime_type", "").startswith("image/"):
+                    md_parts.append(f"![{art['name']}]({url})")
+                else:
+                    md_parts.append(f"[Download {art['name']}]({url})")
+        return "\n\n".join(md_parts)
+
    def reset(self, only_output=False):
        """
        Reset all tools if they have a reset method. This avoids errors for tools like MCPToolCallSession.
--- a/agent/component/base.py
+++ b/agent/component/base.py
@@ -27,6 +27,10 @@ import pandas as pd
 from agent import settings
 from common.connection_utils import timeout

+
+
+from common.misc_utils import thread_pool_exec
+
 _FEEDED_DEPRECATED_PARAMS = "_feeded_deprecated_params"
 _DEPRECATED_PARAMS = "_deprecated_params"
 _USER_FEEDED_PARAMS = "_user_feeded_params"
@@ -379,6 +383,7 @@ class ComponentBase(ABC):

    def __init__(self, canvas, id, param: ComponentParamBase):
        from agent.canvas import Graph  # Local import to avoid cyclic dependency
+
        assert isinstance(canvas, Graph), "canvas must be an instance of Canvas"
        self._canvas = canvas
        self._id = id
@@ -430,7 +435,7 @@ class ComponentBase(ABC):
            elif asyncio.iscoroutinefunction(self._invoke):
                await self._invoke(**kwargs)
            else:
-                await asyncio.to_thread(self._invoke, **kwargs)
+                await thread_pool_exec(self._invoke, **kwargs)
        except Exception as e:
            if self.get_exception_default_value():
                self.set_exception_default_value()
--- a/agent/component/begin.py
+++ b/agent/component/begin.py
@@ -41,15 +41,19 @@ class Begin(UserFillUp):
        if self.check_if_canceled("Begin processing"):
            return

+        layout_recognize = self._param.layout_recognize or None
        for k, v in kwargs.get("inputs", {}).items():
            if self.check_if_canceled("Begin processing"):
                return

-            if isinstance(v, dict) and v.get("type", "").lower().find("file") >=0:
+            if isinstance(v, dict) and v.get("type", "").lower().find("file") >= 0:
                if v.get("optional") and v.get("value", None) is None:
                    v = None
                else:
-                    v = FileService.get_files([v["value"]])
+                    file_value = v["value"]
+                    # Support both single file (backward compatibility) and multiple files
+                    files = file_value if isinstance(file_value, list) else [file_value]
+                    v = FileService.get_files(files, layout_recognize=layout_recognize)
            else:
                v = v.get("value")
            self.set_output(k, v)
--- a/agent/component/categorize.py
+++ b/agent/component/categorize.py
@@ -21,6 +21,7 @@ from abc import ABC

 from common.constants import LLMType
 from api.db.services.llm_service import LLMBundle
+from api.db.joint_services.tenant_model_service import get_model_config_by_type_and_name
 from agent.component.llm import LLMParam, LLM
 from common.connection_utils import timeout
 from rag.llm.chat_model import ERROR_PREFIX
@@ -97,6 +98,13 @@ Here's description of each category:
 class Categorize(LLM, ABC):
    component_name = "Categorize"

+    def get_input_elements(self) -> dict[str, dict]:
+        query_key = self._param.query or "sys.query"
+        elements = self.get_input_elements_from_text(f"{{{query_key}}}")
+        if not elements:
+            logging.warning(f"[Categorize] input element not detected for query key: {query_key}")
+        return elements
+
    @timeout(int(os.environ.get("COMPONENT_EXEC_TIMEOUT", 10*60)))
    async def _invoke_async(self, **kwargs):
        if self.check_if_canceled("Categorize processing"):
@@ -105,14 +113,18 @@ class Categorize(LLM, ABC):
        msg = self._canvas.get_history(self._param.message_history_window_size)
        if not msg:
            msg = [{"role": "user", "content": ""}]
-        if kwargs.get("sys.query"):
-            msg[-1]["content"] = kwargs["sys.query"]
-            self.set_input_value("sys.query", kwargs["sys.query"])
+        query_key = self._param.query or "sys.query"
+        if query_key in kwargs:
+            query_value = kwargs[query_key]
        else:
-            msg[-1]["content"] = self._canvas.get_variable_value(self._param.query)
-            self.set_input_value(self._param.query, msg[-1]["content"])
+            query_value = self._canvas.get_variable_value(query_key)
+        if query_value is None:
+            query_value = ""
+        msg[-1]["content"] = query_value
+        self.set_input_value(query_key, msg[-1]["content"])
        self._param.update_prompt()
-        chat_mdl = LLMBundle(self._canvas.get_tenant_id(), LLMType.CHAT, self._param.llm_id)
+        chat_model_config = get_model_config_by_type_and_name(self._canvas.get_tenant_id(), LLMType.CHAT, self._param.llm_id)
+        chat_mdl = LLMBundle(self._canvas.get_tenant_id(), chat_model_config)

        user_prompt = """
 ---- Real Data ----
@@ -137,7 +149,7 @@ class Categorize(LLM, ABC):
            category_counts[c] = count

        cpn_ids = list(self._param.category_description.items())[-1][1]["to"]
-        max_category = list(self._param.category_description.keys())[0]
+        max_category = list(self._param.category_description.keys())[-1]
        if any(category_counts.values()):
            max_category = max(category_counts.items(), key=lambda x: x[1])[0]
            cpn_ids = self._param.category_description[max_category]["to"]
--- a/agent/component/data_operations.py
+++ b/agent/component/data_operations.py
@@ -94,9 +94,9 @@ class DataOperations(ComponentBase,ABC):

    def _recursive_eval(self, data):
        if isinstance(data, dict):
-            return {k: self.recursive_eval(v) for k, v in data.items()}
+            return {k: self._recursive_eval(v) for k, v in data.items()}
        if isinstance(data, list):
-            return [self.recursive_eval(item) for item in data]
+            return [self._recursive_eval(item) for item in data]
        if isinstance(data, str):
            try:
                if (
--- a/agent/component/docs_generator.py
+++ b/agent/component/docs_generator.py
--- a/agent/component/fillup.py
+++ b/agent/component/fillup.py
@@ -27,6 +27,7 @@ class UserFillUpParam(ComponentParamBase):
        super().__init__()
        self.enable_tips = True
        self.tips = "Please fill up the form"
+        self.layout_recognize = ""

    def check(self) -> bool:
        return True
@@ -61,14 +62,18 @@ class UserFillUp(ComponentBase):
                content = re.sub(r"\{%s\}"%k, ans, content)

            self.set_output("tips", content)
+        layout_recognize = self._param.layout_recognize or None
        for k, v in kwargs.get("inputs", {}).items():
            if self.check_if_canceled("UserFillUp processing"):
                return
-            if isinstance(v, dict) and v.get("type", "").lower().find("file") >=0:
+            if isinstance(v, dict) and v.get("type", "").lower().find("file") >= 0:
                if v.get("optional") and v.get("value", None) is None:
                    v = None
                else:
-                    v = FileService.get_files([v["value"]])
+                    file_value = v["value"]
+                    # Support both single file (backward compatibility) and multiple files
+                    files = file_value if isinstance(file_value, list) else [file_value]
+                    v = FileService.get_files(files, layout_recognize=layout_recognize)
            else:
                v = v.get("value")
            self.set_output(k, v)
--- a/agent/component/invoke.py
+++ b/agent/component/invoke.py
@@ -19,6 +19,7 @@ import os
 import re
 import time
 from abc import ABC
+from functools import partial

 import requests

@@ -29,7 +30,7 @@ from deepdoc.parser import HtmlParser

 class InvokeParam(ComponentParamBase):
    """
-    Define the Crawler component parameters.
+    Define the Invoke component parameters.
    """

    def __init__(self):
@@ -41,7 +42,7 @@ class InvokeParam(ComponentParamBase):
        self.url = ""
        self.timeout = 60
        self.clean_html = False
-        self.datatype = "json"  # New parameter to determine data posting type
+        self.datatype = "json"

    def check(self):
        self.check_valid_value(self.method.lower(), "Type of content from the crawler", ["get", "post", "put"])
@@ -53,92 +54,196 @@ class InvokeParam(ComponentParamBase):

 class Invoke(ComponentBase, ABC):
    component_name = "Invoke"
+    header_variable_ref_patt = r"\{([a-zA-Z_][a-zA-Z0-9_.@-]*)\}"
+
+    @staticmethod
+    def _coerce_json_arg_if_possible(key, value):
+        raw_value = value
+        if isinstance(value, str):
+            try:
+                value = json.loads(value)
+                logging.debug(
+                    "Invoke JSON arg coercion succeeded. key=%s parsed_type=%s",
+                    key,
+                    type(value).__name__,
+                )
+            except json.JSONDecodeError as exc:
+                logging.info(
+                    "Invoke JSON arg coercion skipped; value is not valid JSON. key=%s raw=%r error=%s",
+                    key,
+                    raw_value,
+                    exc,
+                )
+                return raw_value
+
+        try:
+            json.dumps(value, allow_nan=False)
+        except (TypeError, ValueError) as exc:
+            logging.warning(
+                "Invoke JSON arg is not JSON-serializable. key=%s value_type=%s value=%r error=%s",
+                key,
+                type(value).__name__,
+                value,
+                exc,
+            )
+            raise ValueError(f"Invoke JSON argument '{key}' is not JSON-serializable.") from exc
+
+        return value
+
+    def get_input_form(self) -> dict[str, dict]:
+        res = {}
+        for item in self._param.variables or []:
+            if not isinstance(item, dict):
+                continue
+            ref = (item.get("ref") or "").strip()
+            if not ref or ref in res:
+                continue
+
+            elements = self.get_input_elements_from_text("{" + ref + "}")
+            element = elements.get(ref, {})
+            res[ref] = {
+                "type": "line",
+                "name": element.get("name") or item.get("key") or ref,
+            }
+        return res
+
+    def _resolve_variable_value(self, variable_name: str, kwargs: dict | None = None):
+        kwargs = kwargs or {}
+        value = kwargs.get(variable_name, self._canvas.get_variable_value(variable_name))
+        if isinstance(value, partial):
+            value = "".join(value())
+            self.set_input_value(variable_name, value)
+        return "" if value is None else value
+
+    def _render_template(self, content: str, pattern: str, kwargs: dict | None = None, *, flags: int = 0) -> str:
+        content = content or ""
+        if not content:
+            return content
+
+        def replace_variable(match_obj):
+            return str(self._resolve_variable_value(match_obj.group(1), kwargs))
+
+        return re.sub(pattern, replace_variable, content, flags=flags)
+
+    def _resolve_template_text(self, content: str, kwargs: dict | None = None) -> str:
+        return self._render_template(content, self.variable_ref_patt, kwargs, flags=re.DOTALL)
+
+    def _resolve_header_text(self, content: str, kwargs: dict | None = None) -> str:
+        # Headers support plain {token} placeholders, so they cannot reuse the canvas variable regex.
+        return self._render_template(content, self.header_variable_ref_patt, kwargs)
+
+    def _resolve_arg_value(self, para: dict, kwargs: dict) -> object:
+        ref = (para.get("ref") or "").strip()
+        if ref and (ref in kwargs or self._canvas.get_variable_value(ref) is not None):
+            return self._resolve_variable_value(ref, kwargs)
+
+        if para.get("value") is not None:
+            value = para["value"]
+            if isinstance(value, str):
+                return self._resolve_template_text(value, kwargs)
+            return value
+
+        if ref:
+            return self._resolve_variable_value(ref, kwargs)
+
+        return ""
+
+    def _is_json_mode(self) -> bool:
+        return self._param.datatype.lower() == "json"
+
+    def _build_request_args(self, kwargs: dict) -> dict:
+        args = {}
+        for para in self._param.variables:
+            key = para["key"]
+            value = self._resolve_arg_value(para, kwargs)
+            if self._is_json_mode():
+                # JSON mode accepts stringified JSON so complex payloads can be passed through variables.
+                value = self._coerce_json_arg_if_possible(key, value)
+            args[key] = value
+
+            if para.get("ref"):
+                self.set_input_value(para["ref"], value)
+        return args
+
+    def _build_url(self, kwargs: dict) -> str:
+        url = self._resolve_template_text(self._param.url.strip(), kwargs)
+        if not url.startswith(("http://", "https://")):
+            url = "http://" + url
+        return url
+
+    def _build_headers(self, kwargs: dict) -> dict:
+        if not self._param.headers:
+            return {}
+
+        headers = json.loads(self._param.headers)
+        if not isinstance(headers, dict):
+            raise ValueError("Invoke headers must be a JSON object.")
+
+        return {key: self._resolve_header_text(value, kwargs) if isinstance(value, str) else value for key, value in headers.items()}
+
+    def _build_proxies(self) -> dict | None:
+        if not re.sub(r"https?:?/?/?", "", self._param.proxy):
+            return None
+        return {"http": self._param.proxy, "https": self._param.proxy}
+
+    def _send_request(self, url: str, args: dict, headers: dict, proxies: dict | None):
+        method = self._param.method.lower()
+        request = getattr(requests, method)
+        request_kwargs = {
+            "url": url,
+            "headers": headers,
+            "proxies": proxies,
+            "timeout": self._param.timeout,
+        }
+
+        # GET sends query params; POST/PUT send either JSON or form data based on datatype.
+        if method == "get":
+            request_kwargs["params"] = args
+            return request(**request_kwargs)
+
+        body_key = "json" if self._is_json_mode() else "data"
+        request_kwargs[body_key] = args
+        return request(**request_kwargs)
+
+    def _format_response(self, response) -> str:
+        if not self._param.clean_html:
+            return response.text
+
+        # HtmlParser keeps the Invoke output text-focused when the endpoint returns HTML.
+        sections = HtmlParser()(None, response.content)
+        return "\n".join(sections)

    @timeout(int(os.environ.get("COMPONENT_EXEC_TIMEOUT", 3)))
    def _invoke(self, **kwargs):
        if self.check_if_canceled("Invoke processing"):
            return

-        args = {}
-        for para in self._param.variables:
-            if para.get("value"):
-                args[para["key"]] = para["value"]
-            else:
-                args[para["key"]] = self._canvas.get_variable_value(para["ref"])
+        args = self._build_request_args(kwargs)
+        url = self._build_url(kwargs)
+        headers = self._build_headers(kwargs)
+        proxies = self._build_proxies()

-        url = self._param.url.strip()
-
-        def replace_variable(match):
-            var_name = match.group(1)
-            try:
-                value = self._canvas.get_variable_value(var_name)
-                return str(value or "")
-            except Exception:
-                return ""
-
-        # {base_url} or {component_id@variable_name}
-        url = re.sub(r"\{([a-zA-Z_][a-zA-Z0-9_.@-]*)\}", replace_variable, url)
-
-        if url.find("http") != 0:
-            url = "http://" + url
-
-        method = self._param.method.lower()
-        headers = {}
-        if self._param.headers:
-            headers = json.loads(self._param.headers)
-        proxies = None
-        if re.sub(r"https?:?/?/?", "", self._param.proxy):
-            proxies = {"http": self._param.proxy, "https": self._param.proxy}
-
-        last_e = ""
+        last_error = None
        for _ in range(self._param.max_retries + 1):
            if self.check_if_canceled("Invoke processing"):
                return

            try:
-                if method == "get":
-                    response = requests.get(url=url, params=args, headers=headers, proxies=proxies, timeout=self._param.timeout)
-                    if self._param.clean_html:
-                        sections = HtmlParser()(None, response.content)
-                        self.set_output("result", "\n".join(sections))
-                    else:
-                        self.set_output("result", response.text)
-
-                if method == "put":
-                    if self._param.datatype.lower() == "json":
-                        response = requests.put(url=url, json=args, headers=headers, proxies=proxies, timeout=self._param.timeout)
-                    else:
-                        response = requests.put(url=url, data=args, headers=headers, proxies=proxies, timeout=self._param.timeout)
-                    if self._param.clean_html:
-                        sections = HtmlParser()(None, response.content)
-                        self.set_output("result", "\n".join(sections))
-                    else:
-                        self.set_output("result", response.text)
-
-                if method == "post":
-                    if self._param.datatype.lower() == "json":
-                        response = requests.post(url=url, json=args, headers=headers, proxies=proxies, timeout=self._param.timeout)
-                    else:
-                        response = requests.post(url=url, data=args, headers=headers, proxies=proxies, timeout=self._param.timeout)
-                    if self._param.clean_html:
-                        self.set_output("result", "\n".join(sections))
-                    else:
-                        self.set_output("result", response.text)
-
-                return self.output("result")
+                response = self._send_request(url, args, headers, proxies)
+                result = self._format_response(response)
+                self.set_output("result", result)
+                return result
            except Exception as e:
                if self.check_if_canceled("Invoke processing"):
                    return

-                last_e = e
+                last_error = e
                logging.exception(f"Http request error: {e}")
                time.sleep(self._param.delay_after_error)

-        if last_e:
-            self.set_output("_ERROR", str(last_e))
-            return f"Http request error: {last_e}"
-
-        assert False, self.output()
+        if last_error:
+            self.set_output("_ERROR", str(last_error))
+            return f"Http request error: {last_error}"

    def thoughts(self) -> str:
        return "Waiting for the server respond..."
--- a/agent/component/iterationitem.py
+++ b/agent/component/iterationitem.py
@@ -69,7 +69,7 @@ class IterationItem(ComponentBase, ABC):
            if p._id != pid:
                continue

-            if p.component_name.lower() in ["categorize", "message", "switch", "userfillup", "interationitem"]:
+            if p.component_name.lower() in ["categorize", "message", "switch", "userfillup", "iterationitem"]:
                continue

            for k, o in p._param.outputs.items():
--- a/agent/component/list_operations.py
+++ b/agent/component/list_operations.py
@@ -10,8 +10,9 @@ class ListOperationsParam(ComponentParamBase):
    def __init__(self):
        super().__init__()
        self.query = ""
-        self.operations = "topN"
-        self.n=0
+        self.operations = "nth"
+        self.n = 0
+        self.strict = False
        self.sort_method = "asc"
        self.filter = {
            "operator": "=",
@@ -34,7 +35,11 @@ class ListOperationsParam(ComponentParamBase):
    
    def check(self):
        self.check_empty(self.query, "query")
-        self.check_valid_value(self.operations, "Support operations", ["topN","head","tail","filter","sort","drop_duplicates"])
+        self.check_valid_value(
+            self.operations,
+            "Support operations",
+            ["nth", "head", "tail", "filter", "sort", "drop_duplicates"],
+        )

    def get_input_form(self) -> dict[str, dict]:
        return {}
@@ -51,8 +56,8 @@ class ListOperations(ComponentBase,ABC):
        if not isinstance(self.inputs, list):
            raise TypeError("The input of List Operations should be an array.")
        self.set_input_value(inputs, self.inputs)
-        if self._param.operations == "topN":
-            self._topN()
+        if self._param.operations == "nth":
+            self._nth()
        elif self._param.operations == "head":
            self._head()
        elif self._param.operations == "tail":
@@ -70,35 +75,74 @@ class ListOperations(ComponentBase,ABC):
            return int(getattr(self._param, "n", 0))
        except Exception:
            return 0
-        
+
+    def _is_strict(self):
+        strict = getattr(self._param, "strict", False)
+        if isinstance(strict, str):
+            return strict.strip().lower() in {"1", "true", "yes", "on"}
+        return bool(strict)
+
    def _set_outputs(self, outputs):
        self._param.outputs["result"]["value"] = outputs
        self._param.outputs["first"]["value"] = outputs[0] if outputs else None
        self._param.outputs["last"]["value"]  = outputs[-1] if outputs else None
-        
-    def _topN(self):
+
+    def _raise_strict_range_error(self, operation, n):
+        raise ValueError(
+            f"{operation} requires n to be within the valid range in strict mode, got {n}."
+        )
+
+    def _nth(self):
        n = self._coerce_n()
-        if n < 1:
+        strict = self._is_strict()
+        if n == 0:
+            if strict:
+                self._raise_strict_range_error("nth", n)
            outputs = []
+        elif n > 0:
+            if n <= len(self.inputs):
+                outputs = [self.inputs[n - 1]]
+            elif strict:
+                self._raise_strict_range_error("nth", n)
+            else:
+                outputs = []
        else:
-            n = min(n, len(self.inputs))
-            outputs = self.inputs[:n]
+            if abs(n) <= len(self.inputs):
+                outputs = [self.inputs[n]]
+            elif strict:
+                self._raise_strict_range_error("nth", n)
+            else:
+                outputs = []
        self._set_outputs(outputs)

    def _head(self):
        n = self._coerce_n()
-        if 1 <= n <= len(self.inputs):
-            outputs = [self.inputs[n - 1]]
+        strict = self._is_strict()
+        if strict:
+            if 1 <= n <= len(self.inputs):
+                outputs = self.inputs[:n]
+            else:
+                self._raise_strict_range_error("head", n)
        else:
-            outputs = []
+            if n < 1:
+                outputs = []
+            else:
+                outputs = self.inputs[:n]
        self._set_outputs(outputs)

    def _tail(self):
        n = self._coerce_n()
-        if 1 <= n <= len(self.inputs):
-            outputs = [self.inputs[-n]]
+        strict = self._is_strict()
+        if strict:
+            if 1 <= n <= len(self.inputs):
+                outputs = self.inputs[-n:]
+            else:
+                self._raise_strict_range_error("tail", n)
        else:
-            outputs = []
+            if n < 1:
+                outputs = []
+            else:
+                outputs = self.inputs[-n:]
        self._set_outputs(outputs)

    def _filter(self):
@@ -107,7 +151,7 @@ class ListOperations(ComponentBase,ABC):
    def _norm(self,v):
        s = "" if v is None else str(v)
        return s
-    
+
    def _eval(self, v, operator, value):
        if operator == "=":
            return v == value
@@ -163,6 +207,6 @@ class ListOperations(ComponentBase,ABC):
        if isinstance(x, set):
            return tuple(sorted(self._hashable(v) for v in x))
        return x
-    
+
    def thoughts(self) -> str:
        return "ListOperation in progress"
--- a/agent/component/llm.py
+++ b/agent/component/llm.py
@@ -25,6 +25,7 @@ from functools import partial
 from common.constants import LLMType
 from api.db.services.llm_service import LLMBundle
 from api.db.services.tenant_llm_service import TenantLLMService
+from api.db.joint_services.tenant_model_service import get_model_config_by_type_and_name
 from agent.component.base import ComponentBase, ComponentParamBase
 from common.connection_utils import timeout
 from rag.prompts.generator import tool_call_summary, message_fit_in, citation_prompt, structured_output_prompt
@@ -84,10 +85,10 @@ class LLM(ComponentBase):

    def __init__(self, canvas, component_id, param: ComponentParamBase):
        super().__init__(canvas, component_id, param)
-        self.chat_mdl = LLMBundle(self._canvas.get_tenant_id(), TenantLLMService.llm_id2llm_type(self._param.llm_id),
-                                  self._param.llm_id, max_retries=self._param.max_retries,
-                                  retry_interval=self._param.delay_after_error
-                                  )
+        chat_model_config = get_model_config_by_type_and_name(self._canvas.get_tenant_id(), TenantLLMService.llm_id2llm_type(self._param.llm_id), self._param.llm_id)
+        self.chat_mdl = LLMBundle(self._canvas.get_tenant_id(), chat_model_config,
+                                  max_retries=self._param.max_retries,
+                                  retry_interval=self._param.delay_after_error)
        self.imgs = []

    def get_input_form(self) -> dict[str, dict]:
@@ -125,23 +126,119 @@ class LLM(ComponentBase):
            msg.append(p)
        return msg, self.string_format(self._param.sys_prompt, args)

-    def _prepare_prompt_variables(self):
-        if self._param.visual_files_var:
-            self.imgs = self._canvas.get_variable_value(self._param.visual_files_var)
-            if not self.imgs:
-                self.imgs = []
-            self.imgs = [img for img in self.imgs if img[:len("data:image/")] == "data:image/"]
-            if self.imgs and TenantLLMService.llm_id2llm_type(self._param.llm_id) == LLMType.CHAT.value:
-                self.chat_mdl = LLMBundle(self._canvas.get_tenant_id(), LLMType.IMAGE2TEXT.value,
-                                          self._param.llm_id, max_retries=self._param.max_retries,
-                                          retry_interval=self._param.delay_after_error
-                                          )
+    @staticmethod
+    def _extract_data_images(value) -> list[str]:
+        imgs = []

+        def walk(v):
+            if v is None:
+                return
+            if isinstance(v, str):
+                v = v.strip()
+                if v.startswith("data:image/"):
+                    imgs.append(v)
+                return
+            if isinstance(v, (list, tuple, set)):
+                for item in v:
+                    walk(item)
+                return
+            if isinstance(v, dict):
+                if "content" in v:
+                    walk(v.get("content"))
+                else:
+                    for item in v.values():
+                        walk(item)
+
+        walk(value)
+        return imgs
+
+    @staticmethod
+    def _uniq_images(images: list[str]) -> list[str]:
+        seen = set()
+        uniq = []
+        for img in images:
+            if not isinstance(img, str):
+                continue
+            if not img.startswith("data:image/"):
+                continue
+            if img in seen:
+                continue
+            seen.add(img)
+            uniq.append(img)
+        return uniq
+
+    @classmethod
+    def _remove_data_images(cls, value):
+        if value is None:
+            return None
+
+        if isinstance(value, str):
+            return None if value.strip().startswith("data:image/") else value
+
+        if isinstance(value, list):
+            cleaned = []
+            for item in value:
+                v = cls._remove_data_images(item)
+                if v is None:
+                    continue
+                if isinstance(v, (list, tuple, set, dict)) and not v:
+                    continue
+                cleaned.append(v)
+            return cleaned
+
+        if isinstance(value, tuple):
+            cleaned = []
+            for item in value:
+                v = cls._remove_data_images(item)
+                if v is None:
+                    continue
+                if isinstance(v, (list, tuple, set, dict)) and not v:
+                    continue
+                cleaned.append(v)
+            return tuple(cleaned)
+
+        if isinstance(value, set):
+            cleaned = []
+            for item in value:
+                v = cls._remove_data_images(item)
+                if v is None:
+                    continue
+                if isinstance(v, (list, tuple, set, dict)) and not v:
+                    continue
+                cleaned.append(v)
+            return cleaned
+
+        if isinstance(value, dict):
+            if value.get("type") in {"image_url", "input_image", "image"} and cls._extract_data_images(value):
+                return None
+
+            cleaned = {}
+            for k, item in value.items():
+                v = cls._remove_data_images(item)
+                if v is None:
+                    continue
+                if isinstance(v, (list, tuple, set, dict)) and not v:
+                    continue
+                cleaned[k] = v
+            return cleaned
+
+        return value
+
+    def _prepare_prompt_variables(self):
+        self.imgs = []
+        if self._param.visual_files_var:
+            visual_val = self._canvas.get_variable_value(self._param.visual_files_var)
+            self.imgs.extend(self._extract_data_images(visual_val))

        args = {}
        vars = self.get_input_elements() if not self._param.debug_inputs else self._param.debug_inputs
+        extracted_imgs = []
        for k, o in vars.items():
-            args[k] = o["value"]
+            raw_value = o["value"]
+            extracted_imgs.extend(self._extract_data_images(raw_value))
+            args[k] = self._remove_data_images(raw_value)
+            if args[k] is None:
+                args[k] = ""
            if not isinstance(args[k], str):
                try:
                    args[k] = json.dumps(args[k], ensure_ascii=False)
@@ -149,6 +246,13 @@ class LLM(ComponentBase):
                    args[k] = str(args[k])
            self.set_input_value(k, args[k])

+        self.imgs = self._uniq_images(self.imgs + extracted_imgs)
+        if self.imgs and TenantLLMService.llm_id2llm_type(self._param.llm_id) == LLMType.CHAT.value:
+            self.chat_mdl = LLMBundle(self._canvas.get_tenant_id(), LLMType.IMAGE2TEXT.value,
+                                      self._param.llm_id, max_retries=self._param.max_retries,
+                                      retry_interval=self._param.delay_after_error
+                                      )
+
        msg, sys_prompt = self._sys_prompt_and_msg(self._canvas.get_history(self._param.message_history_window_size)[:-1], args)
        user_defined_prompt, sys_prompt = self._extract_prompts(sys_prompt)
        if self._param.cite and self._canvas.get_reference()["chunks"]:
--- a/agent/component/message.py
+++ b/agent/component/message.py
@@ -14,8 +14,11 @@
 #  limitations under the License.
 #
 import asyncio
-import nest_asyncio
-nest_asyncio.apply()
+try:
+    import nest_asyncio
+    nest_asyncio.apply()
+except Exception:
+    pass
 import inspect
 import json
 import os
@@ -27,7 +30,9 @@ from functools import partial
 from typing import Any

 from agent.component.base import ComponentBase, ComponentParamBase
-from jinja2 import Template as Jinja2Template
+from jinja2.sandbox import SandboxedEnvironment
+
+_jinja2_sandbox = SandboxedEnvironment()

 from common.connection_utils import timeout
 from common.misc_utils import get_uuid
@@ -49,6 +54,9 @@ class MessageParam(ComponentParamBase):
        self.outputs = {
            "content": {
                "type": "str"
+            },
+            "downloads": {
+                "type": "list"
            }
        }

@@ -61,10 +69,66 @@ class MessageParam(ComponentParamBase):
 class Message(ComponentBase):
    component_name = "Message"

+    @staticmethod
+    def _is_download_info(value: Any) -> bool:
+        return isinstance(value, dict) and all(
+            key in value for key in ("doc_id", "filename", "mime_type")
+        )
+
+    def _extract_downloads(self, value: Any) -> list[dict[str, Any]]:
+        if isinstance(value, str):
+            try:
+                value = json.loads(value)
+            except Exception:
+                return []
+
+        if self._is_download_info(value):
+            return [value]
+
+        if isinstance(value, list) and all(self._is_download_info(item) for item in value):
+            return value
+
+        return []
+
+    def _stringify_message_value(
+        self,
+        value: Any,
+        delimiter: str = None,
+        downloads: list[dict[str, Any]] | None = None,
+        fallback_to_str: bool = False,
+    ) -> str:
+        extracted_downloads = self._extract_downloads(value)
+        if extracted_downloads:
+            if downloads is not None:
+                downloads.extend(extracted_downloads)
+            return ""
+
+        if value is None:
+            return ""
+
+        if isinstance(value, list) and delimiter:
+            return delimiter.join([str(vv) for vv in value])
+
+        if isinstance(value, str):
+            return value
+
+        try:
+            return json.dumps(value, ensure_ascii=False)
+        except Exception:
+            if fallback_to_str:
+                return str(value)
+            return ""
+
    def get_input_elements(self) -> dict[str, Any]:
        return self.get_input_elements_from_text("".join(self._param.content))

-    def get_kwargs(self, script:str, kwargs:dict = {}, delimiter:str=None) -> tuple[str, dict[str, str | list | Any]]:
+    def get_kwargs(
+        self,
+        script: str,
+        kwargs: dict = {},
+        delimiter: str = None,
+        downloads: list[dict[str, Any]] | None = None,
+    ) -> tuple[str, dict[str, str | list | Any]]:
        for k,v in self.get_input_elements_from_text(script).items():
            if k in kwargs:
                continue
@@ -79,15 +143,8 @@ class Message(ComponentBase):
                else:
                    for t in iter_obj:
                        ans += t
-            elif isinstance(v, list) and delimiter:
-                ans = delimiter.join([str(vv) for vv in v])
-            elif not isinstance(v, str):
-                try:
-                    ans = json.dumps(v, ensure_ascii=False)
-                except Exception:
-                    pass
            else:
-                ans = v
+                ans = self._stringify_message_value(v, delimiter, downloads)
            if not ans:
                ans = ""
            kwargs[k] = ans
@@ -110,6 +167,7 @@ class Message(ComponentBase):
        s = 0
        all_content = ""
        cache = {}
+        downloads = []
        for r in re.finditer(self.variable_ref_patt, rand_cnt, flags=re.DOTALL):
            if self.check_if_canceled("Message streaming"):
                return
@@ -149,11 +207,9 @@ class Message(ComponentBase):
                continue
            elif inspect.isawaitable(v):
                v = await v
-            elif not isinstance(v, str):
-                try:
-                    v = json.dumps(v, ensure_ascii=False)
-                except Exception:
-                    v = str(v)
+            v = self._stringify_message_value(
+                v, downloads=downloads, fallback_to_str=True
+            )
            yield v
            self.set_input_value(exp, v)
            all_content += v
@@ -166,6 +222,7 @@ class Message(ComponentBase):
            all_content += rand_cnt[s: ]
            yield rand_cnt[s: ]

+        self.set_output("downloads", downloads)
        self.set_output("content", all_content)
        self._convert_content(all_content)
        await self._save_to_memory(all_content)
@@ -186,12 +243,14 @@ class Message(ComponentBase):
            self.set_output("content", partial(self._stream, rand_cnt))
            return

-        rand_cnt, kwargs = self.get_kwargs(rand_cnt, kwargs)
-        template = Jinja2Template(rand_cnt)
+        downloads = []
+        rand_cnt, kwargs = self.get_kwargs(rand_cnt, kwargs, downloads=downloads)
+        template = _jinja2_sandbox.from_string(rand_cnt)
        try:
            content = template.render(kwargs)
-        except Exception:
-            pass
+        except Exception as e:
+            logging.warning(f"Jinja2 template rendering failed: {e}")
+            content = rand_cnt  # fallback to unrendered content

        if self.check_if_canceled("Message processing"):
            return
@@ -199,6 +258,7 @@ class Message(ComponentBase):
        for n, v in kwargs.items():
            content = re.sub(n, v, content)

+        self.set_output("downloads", downloads)
        self.set_output("content", content)
        self._convert_content(content)
        self._save_to_memory(content)
@@ -224,6 +284,38 @@ class Message(ComponentBase):
        
        rows = []
        headers = None
+
+        def _coerce_excel_cell_type(cell: str):
+            # Convert markdown cell text to native numeric types when safe,so Excel writes numeric cells instead of text.
+            if not isinstance(cell, str):
+                return cell
+
+            value = cell.strip()
+            if value == "":
+                return ""
+
+            # Keep values like "00123" as text to avoid losing leading zeros.
+            if re.match(r"^[+-]?0\d+$", value):
+                return cell
+
+            # Support thousand separators like 1,234 or 1,234.56
+            numeric_candidate = value
+            if re.match(r"^[+-]?\d{1,3}(,\d{3})+(\.\d+)?$", value):
+                numeric_candidate = value.replace(",", "")
+
+            if re.match(r"^[+-]?\d+$", numeric_candidate):
+                try:
+                    return int(numeric_candidate)
+                except ValueError:
+                    return cell
+
+            if re.match(r"^[+-]?(\d+\.\d+|\d+\.|\.\d+)([eE][+-]?\d+)?$", numeric_candidate) or re.match(r"^[+-]?\d+[eE][+-]?\d+$", numeric_candidate):
+                try:
+                    return float(numeric_candidate)
+                except ValueError:
+                    return cell
+
+            return cell
        
        for line in table_lines:
            # Split by | and clean up
@@ -234,6 +326,7 @@ class Message(ComponentBase):
            if headers is None:
                headers = cells
            else:
+                cells = [_coerce_excel_cell_type(c) for c in cells]
                rows.append(cells)
        
        if headers and rows:
@@ -430,8 +523,15 @@ class Message(ComponentBase):
        if not hasattr(self._param, "memory_ids") or not self._param.memory_ids:
            return True, "No memory selected."

+        user_id = self._param.user_id if hasattr(self._param, "user_id") else ""
+        if user_id:
+            import re
+            # is variable
+            if re.match(r"^{.*}$", user_id):
+                user_id = self._canvas.get_variable_value(user_id)
+
        message_dict = {
-            "user_id": self._canvas._tenant_id,
+            "user_id": user_id,
            "agent_id": self._canvas._id,
            "session_id": self._canvas.task_id,
            "user_input": self._canvas.get_sys_query(),
--- a/agent/component/string_transform.py
+++ b/agent/component/string_transform.py
@@ -18,7 +18,9 @@ import re
 from abc import ABC
 from typing import Any

-from jinja2 import Template as Jinja2Template
+from jinja2.sandbox import SandboxedEnvironment
+
+_jinja2_sandbox = SandboxedEnvironment()
 from agent.component.base import ComponentParamBase
 from common.connection_utils import timeout
 from .message import Message
@@ -96,7 +98,7 @@ class StringTransform(Message, ABC):
        script, kwargs = self.get_kwargs(script, kwargs, self._param.delimiters[0])

        if self._is_jinjia2(script):
-            template = Jinja2Template(script)
+            template = _jinja2_sandbox.from_string(script)
            try:
                script = template.render(kwargs)
            except Exception:
--- a/agent/component/switch.py
+++ b/agent/component/switch.py
@@ -134,7 +134,7 @@ class Switch(ComponentBase, ABC):
            except Exception:
                return True if input <= value else False

-        raise ValueError('Not supported operator' + operator)
+        raise ValueError(f'Not supported operator: {operator}')

    def thoughts(self) -> str:
        return "I’m weighing a few options and will pick the next step shortly."
--- a/agent/component/varaiable_aggregator.py
+++ b/agent/component/varaiable_aggregator.py
--- a/agent/component/variable_assigner.py
+++ b/agent/component/variable_assigner.py
@@ -141,20 +141,18 @@ class VariableAssigner(ComponentBase,ABC):
            return variable + parameter

    def _remove_first(self,variable):
-        if len(variable)==0:
-            return variable
        if not isinstance(variable,list):
            return "ERROR:VARIABLE_NOT_LIST"
-        else:
-            return variable[1:]
+        if len(variable)==0:
+            return variable
+        return variable[1:]

    def _remove_last(self,variable):
-        if len(variable)==0:
-            return variable
        if not isinstance(variable,list):
            return "ERROR:VARIABLE_NOT_LIST"
-        else:
-            return variable[:-1]
+        if len(variable)==0:
+            return variable
+        return variable[:-1]

    def is_number(self, value):
        if isinstance(value, bool):
--- a/agent/dsl_migration.py
+++ b/agent/dsl_migration.py
@@ -0,0 +1,178 @@
+#
+#  Copyright 2026 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+import copy
+import re
+
+
+# Keep all legacy chunker renames in one place so the migration rule stays readable.
+COMPONENT_RENAMES = {
+    "Splitter": "TokenChunker",
+    "HierarchicalMerger": "TitleChunker",
+    "PDFGenerator": "DocGenerator",
+}
+
+NODE_TYPE_RENAMES = {
+    "splitterNode": "chunkerNode",
+}
+
+VARIABLE_REF_PATTERN = re.compile(r"(\{+\s*)([A-Za-z0-9:_-]+)(@[A-Za-z0-9_.-]+)(\s*\}+)")
+
+
+def normalize_chunker_dsl(dsl: dict) -> dict:
+    """
+    Rewrite legacy chunker component names and ids into the current DSL schema.
+
+    This is intentionally a pure migration step:
+    - it does not change business params
+    - it only rewrites structural identifiers used by the canvas/runtime
+    - custom human-authored names are preserved unless they are still the exact
+      built-in legacy operator name
+    """
+    if not isinstance(dsl, dict):
+        return dsl
+
+    normalized = copy.deepcopy(dsl)
+    components = normalized.get("components")
+    if not isinstance(components, dict):
+        return normalized
+
+    component_id_map: dict[str, str] = {}
+    for component_id in components.keys():
+        new_component_id = component_id
+        for old_name, new_name in COMPONENT_RENAMES.items():
+            prefix = f"{old_name}:"
+            if component_id.startswith(prefix):
+                new_component_id = f"{new_name}:{component_id[len(prefix):]}"
+                break
+        component_id_map[component_id] = new_component_id
+
+    def rewrite_variable_refs(text: str) -> str:
+        if text in component_id_map:
+            return component_id_map[text]
+
+        def repl(match: re.Match[str]) -> str:
+            component_id = match.group(2)
+            return (
+                match.group(1)
+                + component_id_map.get(component_id, component_id)
+                + match.group(3)
+                + match.group(4)
+            )
+
+        return VARIABLE_REF_PATTERN.sub(repl, text)
+
+    def rewrite_value(value):
+        if isinstance(value, str):
+            return rewrite_variable_refs(value)
+        if isinstance(value, list):
+            return [rewrite_value(item) for item in value]
+        if isinstance(value, dict):
+            return {key: rewrite_value(item) for key, item in value.items()}
+        return value
+
+    rewritten_components = {}
+    for old_component_id, component in components.items():
+        new_component_id = component_id_map[old_component_id]
+        new_component = rewrite_value(component)
+
+        if isinstance(new_component, dict):
+            obj = new_component.get("obj")
+            if isinstance(obj, dict):
+                component_name = obj.get("component_name")
+                obj["component_name"] = COMPONENT_RENAMES.get(component_name, component_name)
+
+            if isinstance(new_component.get("downstream"), list):
+                new_component["downstream"] = [
+                    component_id_map.get(component_id, component_id)
+                    for component_id in new_component["downstream"]
+                ]
+            if isinstance(new_component.get("upstream"), list):
+                new_component["upstream"] = [
+                    component_id_map.get(component_id, component_id)
+                    for component_id in new_component["upstream"]
+                ]
+
+            parent_id = new_component.get("parent_id")
+            if isinstance(parent_id, str):
+                new_component["parent_id"] = component_id_map.get(parent_id, parent_id)
+
+        rewritten_components[new_component_id] = new_component
+
+    normalized["components"] = rewritten_components
+
+    if isinstance(normalized.get("path"), list):
+        normalized["path"] = [
+            component_id_map.get(component_id, component_id)
+            for component_id in normalized["path"]
+        ]
+
+    graph = normalized.get("graph")
+    if isinstance(graph, dict):
+        nodes = graph.get("nodes")
+        if isinstance(nodes, list):
+            for node in nodes:
+                if not isinstance(node, dict):
+                    continue
+                node_id = node.get("id")
+                if isinstance(node_id, str):
+                    node["id"] = component_id_map.get(node_id, node_id)
+
+                parent_id = node.get("parentId")
+                if isinstance(parent_id, str):
+                    node["parentId"] = component_id_map.get(parent_id, parent_id)
+
+                node_type = node.get("type")
+                if isinstance(node_type, str):
+                    node["type"] = NODE_TYPE_RENAMES.get(node_type, node_type)
+
+                data = node.get("data")
+                if not isinstance(data, dict):
+                    continue
+
+                label = data.get("label")
+                if isinstance(label, str):
+                    data["label"] = COMPONENT_RENAMES.get(label, label)
+
+                name = data.get("name")
+                if isinstance(name, str) and name in COMPONENT_RENAMES:
+                    data["name"] = COMPONENT_RENAMES[name]
+
+                if "form" in data:
+                    data["form"] = rewrite_value(data["form"])
+
+        edges = graph.get("edges")
+        if isinstance(edges, list):
+            replacements = sorted(component_id_map.items(), key=lambda item: len(item[0]), reverse=True)
+            for edge in edges:
+                if not isinstance(edge, dict):
+                    continue
+                for key in ("source", "target"):
+                    value = edge.get(key)
+                    if isinstance(value, str):
+                        edge[key] = component_id_map.get(value, value)
+
+                edge_id = edge.get("id")
+                if isinstance(edge_id, str):
+                    for old_component_id, new_component_id in replacements:
+                        edge_id = edge_id.replace(old_component_id, new_component_id)
+                    edge["id"] = edge_id
+
+    for key in ("history", "messages", "reference"):
+        if key in normalized:
+            normalized[key] = rewrite_value(normalized[key])
+
+    return normalized
--- a/agent/plugin/README.md
+++ b/agent/plugin/README.md
@@ -0,0 +1,97 @@
+# Plugins
+
+This directory contains the plugin mechanism for RAGFlow.
+
+RAGFlow will load plugins from `embedded_plugins` subdirectory recursively.
+
+## Supported plugin types
+
+Currently, the only supported plugin type is `llm_tools`.
+
+- `llm_tools`: A tool for LLM to call.
+
+## How to add a plugin
+
+Add a LLM tool plugin is simple: create a plugin file, put a class inherits the `LLMToolPlugin` class in it, then implement the `get_metadata` and the `invoke` methods.
+
+- `get_metadata` method: This method returns a `LLMToolMetadata` object, which contains the description of this tool.
+The description will be provided to LLM, and the RAGFlow web frontend for displaying.
+
+- `invoke` method: This method accepts parameters generated by LLM, and return a `str` containing the tool execution result.
+All the execution logic of this tool should go into this method.
+
+When you start RAGFlow, you can see your plugin was loaded in the log:
+
+```
+2025-05-15 19:29:08,959 INFO     34670 Recursively importing plugins from path `/some-path/ragflow/agent/plugin/embedded_plugins`
+2025-05-15 19:29:08,960 INFO     34670 Loaded llm_tools plugin BadCalculatorPlugin version 1.0.0
+```
+
+Or it may contain some errors for you to fix your plugin.
+
+### Demo
+
+We will demonstrate how to add a plugin with a calculator tool which will give wrong answers.
+
+First, create a plugin file `bad_calculator.py` under the `embedded_plugins/llm_tools` directory.
+
+Then, we create a `BadCalculatorPlugin` class, extending the `LLMToolPlugin` base class:
+
+```python
+class BadCalculatorPlugin(LLMToolPlugin):
+    _version_ = "1.0.0"
+```
+
+The `_version_` field is required, which specifies the version of the plugin.
+
+Our calculator has two numbers `a` and `b` as inputs, so we add a `invoke` method to our `BadCalculatorPlugin` class:
+
+```python
+def invoke(self, a: int, b: int) -> str:
+    return str(a + b + 100)
+```
+
+The `invoke` method will be called by LLM. It can have many parameters, but the return type must be a `str`.
+
+Finally, we have to add a `get_metadata` method, to tell LLM how to use our `bad_calculator`:
+
+```python
+@classmethod
+def get_metadata(cls) -> LLMToolMetadata:
+    return {
+        # Name of this tool, providing to LLM
+        "name": "bad_calculator",
+        # Display name of this tool, providing to RAGFlow frontend
+        "displayName": "$t:bad_calculator.name",
+        # Description of the usage of this tool, providing to LLM
+        "description": "A tool to calculate the sum of two numbers (will give wrong answer)",
+        # Description of this tool, providing to RAGFlow frontend
+        "displayDescription": "$t:bad_calculator.description",
+        # Parameters of this tool
+        "parameters": {
+            # The first parameter - a
+            "a": {
+                # Parameter type, options are: number, string, or whatever the LLM can recognise
+                "type": "number",
+                # Description of this parameter, providing to LLM
+                "description": "The first number",
+                # Description of this parameter, provding to RAGFlow frontend
+                "displayDescription": "$t:bad_calculator.params.a",
+                # Whether this parameter is required
+                "required": True
+            },
+            # The second parameter - b
+            "b": {
+                "type": "number",
+                "description": "The second number",
+                "displayDescription": "$t:bad_calculator.params.b",
+                "required": True
+            }
+        }
+```
+
+The `get_metadata` method is a `classmethod`. It will provide the description of this tool to LLM.
+
+The fields start with `display` can use a special notation: `$t:xxx`, which will use the i18n mechanism in the RAGFlow frontend, getting text from the `llmTools` category. The frontend will display what you put here if you don't use this notation.
+
+Now our tool is ready. You can select it in the `Generate` component and try it out.
--- a/agent/plugin/README_tr.md
+++ b/agent/plugin/README_tr.md
@@ -0,0 +1,99 @@
+[English](./README.md) | [简体中文](./README_zh.md) | Türkçe
+
+# Eklentiler
+
+Bu klasör, RAGFlow'un eklenti mekanizmasını içerir.
+
+RAGFlow, `embedded_plugins` alt klasöründen eklentileri özyinelemeli olarak yükleyecektir.
+
+## Desteklenen eklenti türleri
+
+Şu anda desteklenen tek eklenti türü `llm_tools`'dur.
+
+- `llm_tools`: LLM'nin çağırması için bir araç.
+
+## Eklenti nasıl eklenir
+
+Bir LLM araç eklentisi eklemek basittir: bir eklenti dosyası oluşturun, içine `LLMToolPlugin` sınıfından türetilmiş bir sınıf koyun, ardından `get_metadata` ve `invoke` metodlarını uygulayın.
+
+- `get_metadata` metodu: Bu metod, aracın açıklamasını içeren bir `LLMToolMetadata` nesnesi döndürür.
+Açıklama, LLM'ye çağrı için ve RAGFlow web ön yüzüne görüntüleme amacıyla sağlanacaktır.
+
+- `invoke` metodu: Bu metod, LLM tarafından üretilen parametreleri kabul eder ve aracın yürütme sonucunu içeren bir `str` döndürür.
+Bu aracın tüm yürütme mantığı bu metoda konulmalıdır.
+
+RAGFlow'u başlattığınızda, günlükte eklentinizin yüklendiğini göreceksiniz:
+
+```
+2025-05-15 19:29:08,959 INFO     34670 Recursively importing plugins from path `/some-path/ragflow/agent/plugin/embedded_plugins`
+2025-05-15 19:29:08,960 INFO     34670 Loaded llm_tools plugin BadCalculatorPlugin version 1.0.0
+```
+
+Veya eklentinizi düzeltmeniz gereken hatalar da içerebilir.
+
+### Örnek
+
+Yanlış cevaplar veren bir hesap makinesi aracı ekleyerek eklenti ekleme sürecini göstereceğiz.
+
+Önce, `embedded_plugins/llm_tools` klasörü altında `bad_calculator.py` adında bir eklenti dosyası oluşturun.
+
+Ardından, `LLMToolPlugin` temel sınıfından türetilmiş bir `BadCalculatorPlugin` sınıfı oluşturuyoruz:
+
+```python
+class BadCalculatorPlugin(LLMToolPlugin):
+    _version_ = "1.0.0"
+```
+
+`_version_` alanı zorunludur ve eklentinin sürüm numarasını belirtir.
+
+Hesap makinemizin girdileri olarak `a` ve `b` olmak üzere iki sayısı vardır, bu yüzden `BadCalculatorPlugin` sınıfımıza aşağıdaki `invoke` metodunu ekliyoruz:
+
+```python
+def invoke(self, a: int, b: int) -> str:
+    return str(a + b + 100)
+```
+
+`invoke` metodu LLM tarafından çağrılacaktır. Birçok parametreye sahip olabilir, ancak dönüş tipi `str` olmalıdır.
+
+Son olarak, LLM'ye `bad_calculator` aracımızı nasıl kullanacağını anlatmak için bir `get_metadata` metodu eklememiz gerekiyor:
+
+```python
+@classmethod
+def get_metadata(cls) -> LLMToolMetadata:
+    return {
+        # Bu aracın adı, LLM'ye sağlanır
+        "name": "bad_calculator",
+        # Bu aracın görüntüleme adı, RAGFlow ön yüzüne sağlanır
+        "displayName": "$t:bad_calculator.name",
+        # Bu aracın kullanım açıklaması, LLM'ye sağlanır
+        "description": "A tool to calculate the sum of two numbers (will give wrong answer)",
+        # Bu aracın açıklaması, RAGFlow ön yüzüne sağlanır
+        "displayDescription": "$t:bad_calculator.description",
+        # Bu aracın parametreleri
+        "parameters": {
+            # Birinci parametre - a
+            "a": {
+                # Parametre tipi, seçenekler: number, string veya LLM'nin tanıyabileceği herhangi bir tip
+                "type": "number",
+                # Bu parametrenin açıklaması, LLM'ye sağlanır
+                "description": "The first number",
+                # Bu parametrenin açıklaması, RAGFlow ön yüzüne sağlanır
+                "displayDescription": "$t:bad_calculator.params.a",
+                # Bu parametrenin zorunlu olup olmadığı
+                "required": True
+            },
+            # İkinci parametre - b
+            "b": {
+                "type": "number",
+                "description": "The second number",
+                "displayDescription": "$t:bad_calculator.params.b",
+                "required": True
+            }
+        }
+```
+
+`get_metadata` metodu bir `classmethod`'dur. Bu aracın açıklamasını LLM'ye sağlayacaktır.
+
+`display` ile başlayan alanlar özel bir gösterim kullanabilir: `$t:xxx`, bu gösterim RAGFlow ön yüzündeki uluslararasılaştırma (i18n) mekanizmasını kullanarak `llmTools` kategorisinden metin alır. Bu gösterimi kullanmazsanız, ön yüz buraya yazdığınız metni doğrudan gösterecektir.
+
+Artık aracımız hazırdır. `Yanıt Üret` bileşeninde seçip deneyebilirsiniz.
--- a/agent/plugin/README_zh.md
+++ b/agent/plugin/README_zh.md
@@ -0,0 +1,98 @@
+# 插件
+
+这个文件夹包含了RAGFlow的插件机制。
+
+RAGFlow将会从`embedded_plugins`子文件夹中递归加载所有的插件。
+
+## 支持的插件类型
+
+目前，唯一支持的插件类型是`llm_tools`。
+
+- `llm_tools`：用于供LLM进行调用的工具。
+
+## 如何添加一个插件
+
+添加一个LLM工具插件是很简单的：创建一个插件文件，向其中放一个继承自`LLMToolPlugin`的类，再实现它的`get_metadata`和`invoke`方法即可。
+
+- `get_metadata`方法：这个方法返回一个`LLMToolMetadata`对象，其中包含了对这个工具的描述。
+这些描述信息将被提供给LLM进行调用，和RAGFlow的Web前端用作展示。
+
+- `invoke`方法：这个方法接受LLM生成的参数，并且返回一个`str`对象，其中包含了这个工具的执行结果。
+这个工具的所有执行逻辑都应当放到这个方法里。
+
+当你启动RAGFlow时，你会在日志中看见你的插件被加载了：
+
+```
+2025-05-15 19:29:08,959 INFO     34670 Recursively importing plugins from path `/some-path/ragflow/agent/plugin/embedded_plugins`
+2025-05-15 19:29:08,960 INFO     34670 Loaded llm_tools plugin BadCalculatorPlugin version 1.0.0
+```
+
+也可能会报错，这时就需要根据报错对你的插件进行修复。
+
+### 示例
+
+我们将会添加一个会给出错误答案的计算器工具，来演示添加插件的过程。
+
+首先，在`embedded_plugins/llm_tools`文件夹下创建一个插件文件`bad_calculator.py`。
+
+接下来，我们创建一个`BadCalculatorPlugin`类，继承基类`LLMToolPlugin`：
+
+```python
+class BadCalculatorPlugin(LLMToolPlugin):
+    _version_ = "1.0.0"
+```
+
+`_version_`字段是必填的，用于指定这个插件的版本号。
+
+我们的计算器拥有两个输入字段`a`和`b`，所以我们添加如下的`invoke`方法到`BadCalculatorPlugin`类中：
+
+```python
+def invoke(self, a: int, b: int) -> str:
+    return str(a + b + 100)
+```
+
+`invoke`方法将会被LLM所调用。这个方法可以有许多参数，但它必须返回一个`str`。
+
+最后，我们需要添加一个`get_metadata`方法，来告诉LLM怎样使用我们的`bad_calculator`工具：
+
+```python
+@classmethod
+def get_metadata(cls) -> LLMToolMetadata:
+    return {
+        # 这个工具的名称，会提供给LLM
+        "name": "bad_calculator",
+        # 这个工具的展示名称，会提供给RAGFlow的Web前端
+        "displayName": "$t:bad_calculator.name",
+        # 这个工具的用法描述，会提供给LLM
+        "description": "A tool to calculate the sum of two numbers (will give wrong answer)",
+        # 这个工具的描述，会提供给RAGFlow的Web前端
+        "displayDescription": "$t:bad_calculator.description",
+        # 这个工具的参数
+        "parameters": {
+            # 第一个参数 - a
+            "a": {
+                # 参数类型，选项为：number, string, 或者LLM可以识别的任何类型
+                "type": "number",
+                # 这个参数的描述，会提供给LLM
+                "description": "The first number",
+                # 这个参数的描述，会提供给RAGFlow的Web前端
+                "displayDescription": "$t:bad_calculator.params.a",
+                # 这个参数是否是必填的
+                "required": True
+            },
+            # 第二个参数 - b
+            "b": {
+                "type": "number",
+                "description": "The second number",
+                "displayDescription": "$t:bad_calculator.params.b",
+                "required": True
+            }
+        }
+```
+
+`get_metadata`方法是一个`classmethod`。它会把这个工具的描述提供给LLM。
+
+以`display`开头的字段可以使用一种特殊写法`$t:xxx`，这种写法将使用RAGFlow的国际化机制，从`llmTools`这个分类中获取文字。如果你不使用这种写法，那么前端将会显示此处的原始内容。
+
+现在，我们的工具已经做好了，你可以在`生成回答`组件中选择这个工具来尝试一下。
+
--- a/agent/plugin/init.py
+++ b/agent/plugin/init.py
--- a/agent/plugin/common.py
+++ b/agent/plugin/common.py
--- a/agent/plugin/embedded_plugins/llm_tools/bad_calculator.py
+++ b/agent/plugin/embedded_plugins/llm_tools/bad_calculator.py
@@ -0,0 +1,37 @@
+import logging
+from agent.plugin.llm_tool_plugin import LLMToolMetadata, LLMToolPlugin
+
+
+class BadCalculatorPlugin(LLMToolPlugin):
+    """
+    A sample LLM tool plugin, will add two numbers with 100.
+    It only presents for demo purpose. Do not use it in production.
+    """
+    _version_ = "1.0.0"
+
+    @classmethod
+    def get_metadata(cls) -> LLMToolMetadata:
+        return {
+            "name": "bad_calculator",
+            "displayName": "$t:bad_calculator.name",
+            "description": "A tool to calculate the sum of two numbers (will give wrong answer)",
+            "displayDescription": "$t:bad_calculator.description",
+            "parameters": {
+                "a": {
+                    "type": "number",
+                    "description": "The first number",
+                    "displayDescription": "$t:bad_calculator.params.a",
+                    "required": True
+                },
+                "b": {
+                    "type": "number",
+                    "description": "The second number",
+                    "displayDescription": "$t:bad_calculator.params.b",
+                    "required": True
+                }
+            }
+        }
+
+    def invoke(self, a: int, b: int) -> str:
+        logging.info(f"Bad calculator tool was called with arguments {a} and {b}")
+        return str(a + b + 100)
--- a/agent/plugin/llm_tool_plugin.py
+++ b/agent/plugin/llm_tool_plugin.py
--- a/agent/plugin/plugin_manager.py
+++ b/agent/plugin/plugin_manager.py
--- a/agent/sandbox/.env.example
+++ b/agent/sandbox/.env.example
--- a/agent/sandbox/Makefile
+++ b/agent/sandbox/Makefile
--- a/agent/sandbox/README.md
+++ b/agent/sandbox/README.md
@@ -0,0 +1,361 @@
+# RAGFlow Sandbox
+
+A secure, pluggable code execution backend for RAGFlow and beyond.
+
+## 🔧 Features
+
+- ✅ **Seamless RAGFlow Integration** — Out-of-the-box compatibility with the `code` component.
+- 🔐 **High Security** — Leverages [gVisor](https://gvisor.dev/) for syscall-level sandboxing.
+- 🔧 **Customizable Sandboxing** — Easily modify `seccomp` settings as needed.
+- 🧩 **Pluggable Runtime Support** — Easily extend to support any programming language.
+- ⚙️ **Developer Friendly** — Get started with a single command using `Makefile`.
+
+## 🏗 Architecture
+
+<p align="center">
+  <img src="asserts/code_executor_manager.svg" width="520" alt="Architecture Diagram">
+</p>
+
+## 🚀 Quick Start
+
+### 📋 Prerequisites
+
+#### Required
+
+- Linux distro compatible with gVisor
+- [gVisor](https://gvisor.dev/docs/user_guide/install/)
+- Docker >= `25.0` (API 1.44+) — executor manager now bundles Docker CLI `29.1.0` to match newer daemons.
+- Docker Compose >= `v2.26.1` like [RAGFlow](https://github.com/infiniflow/ragflow)
+- [uv](https://docs.astral.sh/uv/) as package and project manager
+
+#### Optional (Recommended)
+
+- [GNU Make](https://www.gnu.org/software/make/) for simplified CLI management
+
+---
+
+> ⚠️ **New Docker CLI requirement**
+>
+> If you see `client version 1.43 is too old. Minimum supported API version is 1.44`, pull the latest `infiniflow/sandbox-executor-manager:latest` (rebuilt with Docker CLI `29.1.0`) or rebuild it in `./sandbox/executor_manager`. Older images shipped Docker 24.x, which cannot talk to newer Docker daemons.
+
+### 🐳 Build Docker Base Images
+
+We use isolated base images for secure containerized execution:
+
+```bash
+# Build base images manually
+docker build -t sandbox-base-python:latest ./sandbox_base_image/python
+docker build -t sandbox-base-nodejs:latest ./sandbox_base_image/nodejs
+
+# OR use Makefile
+make build
+```
+
+Then, build the executor manager image:
+
+```bash
+docker build -t sandbox-executor-manager:latest ./executor_manager
+```
+
+---
+
+### 📦 Running with RAGFlow
+
+1. Ensure gVisor is correctly installed.
+2. Configure your `.env` in `docker/.env`:
+
+   - Uncomment sandbox-related variables.
+   - Enable sandbox profile at the bottom.
+3. Add the following line to `/etc/hosts` as recommended:
+
+   ```text
+   127.0.0.1 sandbox-executor-manager
+   ```
+
+4. Start RAGFlow service.
+
+---
+
+### 🧭 Running Standalone
+
+#### Manual Setup
+
+1. Initialize environment:
+
+   ```bash
+   cp .env.example .env
+   ```
+
+2. Launch:
+
+   ```bash
+   docker compose -f docker-compose.yml up
+   ```
+
+3. Test:
+
+   ```bash
+   source .venv/bin/activate
+   export PYTHONPATH=$(pwd)
+   uv pip install -r executor_manager/requirements.txt
+   uv run tests/sandbox_security_tests_full.py
+   ```
+
+#### With Make
+
+```bash
+make          # setup + build + launch + test
+```
+
+---
+
+### 📈 Monitoring
+
+```bash
+docker logs -f sandbox-executor-manager  # Manual
+make logs                                 # With Make
+```
+
+---
+
+### 🧰 Makefile Toolbox
+
+| Command           | Description                                      |
+|-------------------|--------------------------------------------------|
+| `make`            | Setup, build, launch and test all at once        |
+| `make setup`      | Initialize environment and install uv            |
+| `make ensure_env` | Auto-create `.env` if missing                    |
+| `make ensure_uv`  | Install `uv` package manager if missing          |
+| `make build`      | Build all Docker base images                     |
+| `make start`      | Start services with safe env loading and testing |
+| `make stop`       | Gracefully stop all services                     |
+| `make restart`    | Shortcut for `stop` + `start`                    |
+| `make test`       | Run full test suite                              |
+| `make logs`       | Stream container logs                            |
+| `make clean`      | Stop and remove orphan containers and volumes    |
+
+---
+
+## 🔐 Security
+
+The RAGFlow sandbox is designed to balance security and usability, offering solid protection without compromising developer experience.
+
+### ✅ gVisor Isolation
+
+At its core, we use [gVisor](https://gvisor.dev/docs/architecture_guide/security/), a user-space kernel, to isolate code execution from the host system. gVisor intercepts and restricts syscalls, offering robust protection against container escapes and privilege escalations.
+
+### 🔒 Optional seccomp Support (Advanced)
+
+For users who need **zero-trust-level syscall control**, we support an additional `seccomp` profile. This feature restricts containers to only a predefined set of system calls, as specified in `executor_manager/seccomp-profile-default.json`.
+
+> ⚠️ This feature is **disabled by default** to maintain compatibility and usability. Enabling it may cause compatibility issues with some dependencies.
+
+#### To enable seccomp
+
+1. Edit your `.env` file:
+
+   ```dotenv
+   SANDBOX_ENABLE_SECCOMP=true
+   ```
+
+2. Customize allowed syscalls in:
+
+   ```
+   executor_manager/seccomp-profile-default.json
+   ```
+
+   This profile is passed to the container with:
+
+   ```bash
+   --security-opt seccomp=/app/seccomp-profile-default.json
+   ```
+
+### 🧠 Python Code AST Inspection
+
+In addition to sandboxing, Python code is **statically analyzed via AST (Abstract Syntax Tree)** before execution. Potentially malicious code (e.g. file operations, subprocess calls, etc.) is rejected early, providing an extra layer of protection.
+
+---
+
+This security model strikes a balance between **robust isolation** and **developer usability**. While `seccomp` can be highly restrictive, our default setup aims to keep things usable for most developers — no obscure crashes or cryptic setup required.
+
+## 📦 Add Extra Dependencies for Supported Languages
+
+Currently, the following languages are officially supported:
+
+| Language | Priority |
+|----------|----------|
+| Python   | High     |
+| Node.js  | Medium   |
+
+### 🐍 Python
+
+Pre-installed packages: `requests`, `numpy`, `pandas`, `matplotlib`.
+
+> `matplotlib` uses the `Agg` (non-interactive) backend by default in the sandbox (`MPLBACKEND=Agg`). No display server is available, so always save figures to files (e.g. `fig.savefig("artifacts/chart.png")`) rather than calling `plt.show()`.
+>
+> Tip: if Chinese text renders as missing boxes/squares in `matplotlib`, install Debian package `fonts-noto-cjk` in your custom image. We do not preinstall it by default to keep the base image smaller. The sandbox base image ships a `matplotlibrc` that already lists common CJK fonts in the `font.sans-serif` fallback chain, so no code-level font configuration is needed — just install the font package and rebuild the image.
+>
+> Example:
+>
+> ```dockerfile
+> RUN apt-get update && apt-get install -y --no-install-recommends fonts-noto-cjk && rm -rf /var/lib/apt/lists/*
+> ```
+
+To add more dependencies, edit:
+
+```bash
+sandbox_base_image/python/requirements.txt
+```
+
+Add any additional packages you need, one per line (just like a normal pip requirements file).
+
+### 🟨 Node.js
+
+Pre-installed packages: `axios`.
+
+To add Node.js dependencies:
+
+1. Navigate to the Node.js base image directory:
+
+   ```bash
+   cd sandbox_base_image/nodejs
+   ```
+
+2. Use `npm` to install the desired packages. For example:
+
+   ```bash
+   npm install lodash
+   ```
+
+3. The dependencies will be saved to `package.json` and `package-lock.json`, and included in the Docker image when rebuilt.
+
+---
+
+
+## Usage
+
+### 🐍 A Python example
+
+```python
+def main(arg1: str, arg2: str) -> str:
+    return f"result: {arg1 + arg2}"
+```
+
+### 🟨 JavaScript examples
+
+A simple sync function
+
+```javascript
+function main({arg1, arg2}) {
+  return arg1+arg2
+}
+```
+
+Async funcion with aioxs
+
+```javascript
+const axios = require('axios');
+async function main() {
+  try {
+    const response = await axios.get('https://github.com/infiniflow/ragflow');
+    return 'Body:' + response.data;
+  } catch (error) {
+    return 'Error:' + error.message;
+  }
+}
+```
+
+---
+
+## 📋 FAQ
+
+### ❓Sandbox Not Working?
+
+Follow this checklist to troubleshoot:
+
+- [ ] **Is your machine compatible with gVisor?**
+
+  Ensure that your system supports gVisor. Refer to the [gVisor installation guide](https://gvisor.dev/docs/user_guide/install/).
+
+- [ ] **Is gVisor properly installed?**
+
+  **Common error:**
+
+  `HTTPConnectionPool(host='sandbox-executor-manager', port=9385): Read timed out.`
+
+  Cause: `runsc` is an unknown or invalid Docker runtime.
+  **Fix:**
+
+  - Install gVisor
+
+  - Restart Docker
+
+  - Test with:
+
+    ```bash
+    docker run --rm --runtime=runsc hello-world
+    ```
+
+- [ ] **Is `sandbox-executor-manager` mapped in `/etc/hosts`?**
+
+  **Common error:**
+
+  `HTTPConnectionPool(host='none', port=9385): Max retries exceeded.`
+
+  **Fix:**
+
+  Add the following entry to `/etc/hosts`:
+
+  ```text
+  127.0.0.1 es01 infinity mysql minio redis sandbox-executor-manager
+  ```
+
+- [ ] **Are you running the latest executor manager image?**
+
+  **Common error:**
+
+  `docker: Error response from daemon: client version 1.43 is too old. Minimum supported API version is 1.44`
+
+  **Fix:**
+
+  Pull the refreshed image that bundles Docker CLI `29.1.0`, or rebuild it in `./sandbox/executor_manager`:
+
+  ```bash
+  docker pull infiniflow/sandbox-executor-manager:latest
+  # or
+  docker build -t sandbox-executor-manager:latest ./sandbox/executor_manager
+  ```
+
+- [ ] **Have you enabled sandbox-related configurations in RAGFlow?**
+
+  Double-check that all sandbox settings are correctly enabled in your RAGFlow configuration.
+
+- [ ] **Have you pulled the required base images for the runners?**
+
+  **Common error:**
+
+  `HTTPConnectionPool(host='sandbox-executor-manager', port=9385): Read timed out.`
+
+  Cause: no runner was started.
+
+  **Fix:**
+
+  Pull the necessary base images:
+
+  ```bash
+  docker pull infiniflow/sandbox-base-nodejs:latest
+  docker pull infiniflow/sandbox-base-python:latest
+  ```
+
+- [ ] **Did you restart the service after making changes?**
+
+  Any changes to configuration or environment require a full service restart to take effect.
+
+
+### ❓Container pool is busy?
+
+All available runners are currently in use, executing tasks/running code. Please try again shortly, or consider increasing the pool size in the configuration to improve availability and reduce wait times.
+
+## 🤝 Contribution
+
+Contributions are welcome!
--- a/agent/sandbox/asserts/code_executor_manager.svg
+++ b/agent/sandbox/asserts/code_executor_manager.svg
--- a/agent/sandbox/client.py
+++ b/agent/sandbox/client.py
@@ -0,0 +1,239 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+"""
+Sandbox client for agent components.
+
+This module provides a unified interface for agent components to interact
+with the configured sandbox provider.
+"""
+
+import json
+import logging
+from typing import Dict, Any, Optional
+
+from api.db.services.system_settings_service import SystemSettingsService
+from agent.sandbox.providers import ProviderManager
+from agent.sandbox.providers.base import ExecutionResult
+
+logger = logging.getLogger(__name__)
+
+
+# Global provider manager instance
+_provider_manager: Optional[ProviderManager] = None
+
+
+def get_provider_manager() -> ProviderManager:
+    """
+    Get the global provider manager instance.
+
+    Returns:
+        ProviderManager instance with active provider loaded
+    """
+    global _provider_manager
+
+    if _provider_manager is not None:
+        return _provider_manager
+
+    # Initialize provider manager with system settings
+    _provider_manager = ProviderManager()
+    _load_provider_from_settings()
+
+    return _provider_manager
+
+
+def _load_provider_from_settings() -> None:
+    """
+    Load sandbox provider from system settings and configure the provider manager.
+
+    This function reads the system settings to determine which provider is active
+    and initializes it with the appropriate configuration.
+    """
+    global _provider_manager
+
+    if _provider_manager is None:
+        return
+
+    try:
+        # Get active provider type
+        provider_type_settings = SystemSettingsService.get_by_name("sandbox.provider_type")
+        if not provider_type_settings:
+            raise RuntimeError(
+                "Sandbox provider type not configured. Please set 'sandbox.provider_type' in system settings."
+            )
+        provider_type = provider_type_settings[0].value
+
+        # Get provider configuration
+        provider_config_settings = SystemSettingsService.get_by_name(f"sandbox.{provider_type}")
+
+        if not provider_config_settings:
+            logger.warning(f"No configuration found for provider: {provider_type}")
+            config = {}
+        else:
+            try:
+                config = json.loads(provider_config_settings[0].value)
+            except json.JSONDecodeError as e:
+                logger.error(f"Failed to parse sandbox config for {provider_type}: {e}")
+                config = {}
+
+        # Import and instantiate the provider
+        from agent.sandbox.providers import (
+            SelfManagedProvider,
+            AliyunCodeInterpreterProvider,
+            E2BProvider,
+        )
+
+        provider_classes = {
+            "self_managed": SelfManagedProvider,
+            "aliyun_codeinterpreter": AliyunCodeInterpreterProvider,
+            "e2b": E2BProvider,
+        }
+
+        if provider_type not in provider_classes:
+            logger.error(f"Unknown provider type: {provider_type}")
+            return
+
+        provider_class = provider_classes[provider_type]
+        provider = provider_class()
+
+        # Initialize the provider
+        if not provider.initialize(config):
+            logger.error(f"Failed to initialize sandbox provider: {provider_type}. Config keys: {list(config.keys())}")
+            return
+
+        # Set the active provider
+        _provider_manager.set_provider(provider_type, provider)
+        logger.info(f"Sandbox provider '{provider_type}' initialized successfully")
+
+    except Exception as e:
+        logger.error(f"Failed to load sandbox provider from settings: {e}")
+        import traceback
+        traceback.print_exc()
+
+
+def reload_provider() -> None:
+    """
+    Reload the sandbox provider from system settings.
+
+    Use this function when sandbox settings have been updated.
+    """
+    global _provider_manager
+    _provider_manager = None
+    _load_provider_from_settings()
+
+
+def execute_code(
+    code: str,
+    language: str = "python",
+    timeout: int = 30,
+    arguments: Optional[Dict[str, Any]] = None
+) -> ExecutionResult:
+    """
+    Execute code in the configured sandbox.
+
+    This is the main entry point for agent components to execute code.
+
+    Args:
+        code: Source code to execute
+        language: Programming language (python, nodejs, javascript)
+        timeout: Maximum execution time in seconds
+        arguments: Optional arguments dict to pass to main() function
+
+    Returns:
+        ExecutionResult containing stdout, stderr, exit_code, and metadata
+
+    Raises:
+        RuntimeError: If no provider is configured or execution fails
+    """
+    provider_manager = get_provider_manager()
+
+    if not provider_manager.is_configured():
+        raise RuntimeError(
+            "No sandbox provider configured. Please configure sandbox settings in the admin panel."
+        )
+
+    provider = provider_manager.get_provider()
+
+    # Create a sandbox instance
+    instance = provider.create_instance(template=language)
+
+    try:
+        # Execute the code
+        result = provider.execute_code(
+            instance_id=instance.instance_id,
+            code=code,
+            language=language,
+            timeout=timeout,
+            arguments=arguments
+        )
+
+        return result
+
+    finally:
+        # Clean up the instance
+        try:
+            provider.destroy_instance(instance.instance_id)
+        except Exception as e:
+            logger.warning(f"Failed to destroy sandbox instance {instance.instance_id}: {e}")
+
+
+def health_check() -> bool:
+    """
+    Check if the sandbox provider is healthy.
+
+    Returns:
+        True if provider is configured and healthy, False otherwise
+    """
+    try:
+        provider_manager = get_provider_manager()
+
+        if not provider_manager.is_configured():
+            return False
+
+        provider = provider_manager.get_provider()
+        return provider.health_check()
+
+    except Exception as e:
+        logger.error(f"Sandbox health check failed: {e}")
+        return False
+
+
+def get_provider_info() -> Dict[str, Any]:
+    """
+    Get information about the current sandbox provider.
+
+    Returns:
+        Dictionary with provider information:
+        - provider_type: Type of the active provider
+        - configured: Whether provider is configured
+        - healthy: Whether provider is healthy
+    """
+    try:
+        provider_manager = get_provider_manager()
+
+        return {
+            "provider_type": provider_manager.get_provider_name(),
+            "configured": provider_manager.is_configured(),
+            "healthy": health_check(),
+        }
+
+    except Exception as e:
+        logger.error(f"Failed to get provider info: {e}")
+        return {
+            "provider_type": None,
+            "configured": False,
+            "healthy": False,
+        }
--- a/agent/sandbox/docker-compose.yml
+++ b/agent/sandbox/docker-compose.yml
@@ -0,0 +1,32 @@
+services:
+  sandbox-executor-manager:
+    build:
+      context: ./executor_manager
+      dockerfile: Dockerfile
+    image: sandbox-executor-manager:latest
+    runtime: runc
+    privileged: true
+    ports:
+      - "${SANDBOX_EXECUTOR_MANAGER_PORT:-9385}:9385"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - sandbox-network
+    restart: always
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      - SANDBOX_EXECUTOR_MANAGER_POOL_SIZE=${SANDBOX_EXECUTOR_MANAGER_POOL_SIZE:-5}
+      - SANDBOX_BASE_PYTHON_IMAGE=${SANDBOX_BASE_PYTHON_IMAGE-sandbox-base-python:latest}
+      - SANDBOX_BASE_NODEJS_IMAGE=${SANDBOX_BASE_NODEJS_IMAGE-sandbox-base-nodejs:latest}
+      - SANDBOX_ENABLE_SECCOMP=${SANDBOX_ENABLE_SECCOMP:-false}
+      - SANDBOX_MAX_MEMORY=${SANDBOX_MAX_MEMORY:-256m} # b, k, m, g
+      - SANDBOX_TIMEOUT=${SANDBOX_TIMEOUT:-10s} # s, m, 1m30s
+    healthcheck:
+      test: ["CMD-SHELL", "curl --fail http://localhost:9385/healthz || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+networks:
+  sandbox-network:
+    driver: bridge
--- a/agent/sandbox/executor_manager/Dockerfile
+++ b/agent/sandbox/executor_manager/Dockerfile
@@ -0,0 +1,37 @@
+FROM python:3.11-slim-bookworm
+
+RUN grep -rl 'deb.debian.org' /etc/apt/ | xargs sed -i 's|http[s]*://deb.debian.org|https://mirrors.tuna.tsinghua.edu.cn|g' && \
+    apt-get update && \
+    apt-get install -y curl gcc && \
+    rm -rf /var/lib/apt/lists/*
+
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+RUN set -eux; \
+    case "${TARGETARCH}${TARGETVARIANT}" in \
+        amd64) DOCKER_ARCH=x86_64 ;; \
+        arm64) DOCKER_ARCH=aarch64 ;; \
+        armv7) DOCKER_ARCH=armhf ;; \
+        armv6) DOCKER_ARCH=armel ;; \
+        arm64v8) DOCKER_ARCH=aarch64 ;; \
+        arm64v7) DOCKER_ARCH=armhf ;; \
+        arm*) DOCKER_ARCH=armhf ;; \
+        ppc64le) DOCKER_ARCH=ppc64le ;; \
+        s390x) DOCKER_ARCH=s390x ;; \
+        *) echo "Unsupported architecture: ${TARGETARCH}${TARGETVARIANT}" && exit 1 ;; \
+    esac; \
+    echo "Downloading Docker for architecture: ${DOCKER_ARCH}"; \
+    curl -fsSL "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-29.1.0.tgz" | \
+    tar xz -C /usr/local/bin --strip-components=1 docker/docker; \
+    ln -sf /usr/local/bin/docker /usr/bin/docker
+
+COPY --from=ghcr.io/astral-sh/uv:0.7.5 /uv /uvx /bin/
+ENV UV_INDEX_URL=https://pypi.tuna.tsinghua.edu.cn/simple
+
+WORKDIR /app
+COPY . .
+
+RUN uv pip install --system -r requirements.txt
+
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "9385"]
--- a/agent/sandbox/executor_manager/api/init.py
+++ b/agent/sandbox/executor_manager/api/init.py
--- a/agent/sandbox/executor_manager/api/handlers.py
+++ b/agent/sandbox/executor_manager/api/handlers.py
--- a/agent/sandbox/executor_manager/api/routes.py
+++ b/agent/sandbox/executor_manager/api/routes.py
@@ -0,0 +1,25 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+from fastapi import APIRouter
+
+from api.handlers import healthz_handler, run_code_handler
+
+router = APIRouter()
+
+router.get("/")(healthz_handler)
+router.get("/healthz")(healthz_handler)
+router.post("/run")(run_code_handler)
+
--- a/agent/sandbox/executor_manager/core/init.py
+++ b/agent/sandbox/executor_manager/core/init.py
--- a/agent/sandbox/executor_manager/core/config.py
+++ b/agent/sandbox/executor_manager/core/config.py
--- a/agent/sandbox/executor_manager/core/container.py
+++ b/agent/sandbox/executor_manager/core/container.py
--- a/agent/sandbox/executor_manager/core/logger.py
+++ b/agent/sandbox/executor_manager/core/logger.py
--- a/agent/sandbox/executor_manager/main.py
+++ b/agent/sandbox/executor_manager/main.py
--- a/agent/sandbox/executor_manager/models/init.py
+++ b/agent/sandbox/executor_manager/models/init.py
--- a/agent/sandbox/executor_manager/models/enums.py
+++ b/agent/sandbox/executor_manager/models/enums.py
--- a/agent/sandbox/executor_manager/models/schemas.py
+++ b/agent/sandbox/executor_manager/models/schemas.py
@@ -0,0 +1,72 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+import base64
+from typing import Any, Optional
+
+from pydantic import BaseModel, Field, field_validator
+
+from models.enums import ResourceLimitType, ResultStatus, RuntimeErrorType, SupportLanguage, UnauthorizedAccessType
+
+
+class ArtifactItem(BaseModel):
+    name: str
+    mime_type: str
+    size: int
+    content_b64: str
+
+
+class ExecutionStructuredResult(BaseModel):
+    present: bool
+    value: Any = None
+    type: str = "json"
+
+
+class CodeExecutionResult(BaseModel):
+    status: ResultStatus
+    stdout: str
+    stderr: str
+    exit_code: int
+    detail: Optional[str] = None
+
+    # Resource usage
+    time_used_ms: Optional[float] = None
+    memory_used_kb: Optional[float] = None
+
+    # Error details
+    resource_limit_type: Optional[ResourceLimitType] = None
+    unauthorized_access_type: Optional[UnauthorizedAccessType] = None
+    runtime_error_type: Optional[RuntimeErrorType] = None
+
+    # File artifacts produced by code execution (images, PDFs, CSVs, etc.)
+    artifacts: list[ArtifactItem] = []
+
+    # Structured return value produced by main()
+    result: Optional[ExecutionStructuredResult] = None
+
+
+class CodeExecutionRequest(BaseModel):
+    code_b64: str = Field(..., description="Base64 encoded code string")
+    language: SupportLanguage = Field(default=SupportLanguage.PYTHON, description="Programming language")
+    arguments: Optional[dict] = Field(default={}, description="Arguments")
+
+    @field_validator("code_b64")
+    @classmethod
+    def validate_base64(cls, v: str) -> str:
+        try:
+            base64.b64decode(v, validate=True)
+            return v
+        except Exception as e:
+            raise ValueError(f"Invalid base64 encoding: {str(e)}")
--- a/agent/sandbox/executor_manager/requirements.txt
+++ b/agent/sandbox/executor_manager/requirements.txt
--- a/agent/sandbox/executor_manager/seccomp-profile-default.json
+++ b/agent/sandbox/executor_manager/seccomp-profile-default.json
--- a/agent/sandbox/executor_manager/services/init.py
+++ b/agent/sandbox/executor_manager/services/init.py
--- a/agent/sandbox/executor_manager/services/execution.py
+++ b/agent/sandbox/executor_manager/services/execution.py
@@ -0,0 +1,429 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+import asyncio
+import base64
+import json
+import os
+import time
+import uuid
+from core.config import TIMEOUT
+from core.container import allocate_container_blocking, release_container
+from core.logger import logger
+from models.enums import ResourceLimitType, ResultStatus, RuntimeErrorType, SupportLanguage, UnauthorizedAccessType
+from models.schemas import ArtifactItem, CodeExecutionRequest, CodeExecutionResult, ExecutionStructuredResult
+from utils.common import async_run_command
+
+RESULT_MARKER_PREFIX = "__RAGFLOW_RESULT__:"
+
+
+def _extract_result_envelope(stdout: str) -> tuple[str, ExecutionStructuredResult | None]:
+    if not stdout:
+        return "", None
+
+    cleaned_lines: list[str] = []
+    envelope: ExecutionStructuredResult | None = None
+
+    for line in str(stdout).splitlines():
+        if line.startswith(RESULT_MARKER_PREFIX):
+            payload_b64 = line[len(RESULT_MARKER_PREFIX) :].strip()
+            if not payload_b64:
+                continue
+            try:
+                payload = base64.b64decode(payload_b64).decode("utf-8")
+                envelope = ExecutionStructuredResult.model_validate_json(payload)
+            except Exception as exc:
+                logger.warning(f"Failed to decode structured result marker: {exc}")
+                cleaned_lines.append(line)
+            continue
+        cleaned_lines.append(line)
+
+    cleaned_stdout = "\n".join(cleaned_lines)
+    if stdout.endswith("\n") and cleaned_stdout and not cleaned_stdout.endswith("\n"):
+        cleaned_stdout += "\n"
+    return cleaned_stdout, envelope
+
+
+def _build_execution_bundle(req: CodeExecutionRequest, workdir: str) -> dict[str, str | bytes]:
+    arguments = req.arguments or {}
+    args_source = json.dumps(arguments, ensure_ascii=False)
+    args_name = "args.json"
+    code_bytes = base64.b64decode(req.code_b64)
+
+    if req.language == SupportLanguage.PYTHON:
+        code_name = "main.py"
+        runner_name = "runner.py"
+        runner_source = f"""import base64
+import json
+import os
+import sys
+
+os.makedirs(os.path.join(os.getcwd(), "artifacts"), exist_ok=True)
+
+sys.path.insert(0, os.path.dirname(__file__))
+from main import main
+
+RESULT_MARKER_PREFIX = {RESULT_MARKER_PREFIX!r}
+
+
+def emit_result(value):
+    payload = json.dumps(
+        {{
+            "present": True,
+            "value": value,
+            "type": "json",
+        }},
+        ensure_ascii=False,
+        separators=(",", ":"),
+    )
+    print(RESULT_MARKER_PREFIX + base64.b64encode(payload.encode("utf-8")).decode("ascii"))
+
+
+if __name__ == "__main__":
+    with open(os.path.join(os.path.dirname(__file__), "args.json"), encoding="utf-8") as f:
+        args = json.load(f)
+    result = main(**args)
+    emit_result(result)
+"""
+    elif req.language == SupportLanguage.NODEJS:
+        code_name = "main.js"
+        runner_name = "runner.js"
+        runner_source = """
+const fs = require('fs');
+const path = require('path');
+
+const args = JSON.parse(fs.readFileSync(path.join(__dirname, 'args.json'), 'utf8'));
+const mainPath = path.join(__dirname, 'main.js');
+const RESULT_MARKER_PREFIX = '__RESULT_MARKER_PREFIX__';
+
+function isPromise(value) {
+    return Boolean(value && typeof value.then === 'function');
+}
+
+function emitResult(value) {
+    if (typeof value === 'undefined') {
+        console.error('Error: main() must return a value. Use null for an empty result.');
+        process.exit(1);
+    }
+
+    const payload = JSON.stringify({ present: true, value, type: 'json' });
+    if (typeof payload === 'undefined') {
+        console.error('Error: main() returned a non-JSON-serializable value.');
+        process.exit(1);
+    }
+
+    console.log(RESULT_MARKER_PREFIX + Buffer.from(payload, 'utf8').toString('base64'));
+}
+
+if (fs.existsSync(mainPath)) {
+    const mod = require(mainPath);
+    const main = typeof mod === 'function' ? mod : mod.main;
+
+    if (typeof main !== 'function') {
+        console.error('Error: main is not a function');
+        process.exit(1);
+    }
+
+    if (typeof args === 'object' && args !== null) {
+        try {
+            const result = Promise.resolve(main(args));
+            if (isPromise(result)) {
+                result.then(output => {
+                    emitResult(output);
+                }).catch(err => {
+                    console.error('Error in async main function:', err);
+                    process.exit(1);
+                });
+            } else {
+                emitResult(result);
+            }
+        } catch (err) {
+            console.error('Error when executing main:', err);
+            process.exit(1);
+        }
+    } else {
+        console.error('Error: args is not a valid object:', args);
+        process.exit(1);
+    }
+} else {
+    console.error('main.js not found in the current directory');
+    process.exit(1);
+}
+"""
+        runner_source = runner_source.replace("__RESULT_MARKER_PREFIX__", RESULT_MARKER_PREFIX)
+    else:
+        assert False, "Will never reach here"
+
+    return {
+        "code_name": code_name,
+        "code_bytes": code_bytes,
+        "runner_name": runner_name,
+        "runner_source": runner_source,
+        "args_name": args_name,
+        "args_source": args_source,
+    }
+
+
+def _build_container_run_args(language: SupportLanguage, task_id: str, container: str, runner_name: str) -> list[str]:
+    run_args = [
+        "docker",
+        "exec",
+        "--workdir",
+        f"/workspace/{task_id}",
+        container,
+        "timeout",
+        str(TIMEOUT),
+        language,
+    ]
+    if language == SupportLanguage.PYTHON:
+        run_args.extend(["-I", "-B"])
+    run_args.append(runner_name)
+    return run_args
+
+
+async def execute_code(req: CodeExecutionRequest):
+    language = req.language
+    container = await allocate_container_blocking(language)
+    if not container:
+        return CodeExecutionResult(
+            status=ResultStatus.PROGRAM_RUNNER_ERROR,
+            stdout="",
+            stderr="Container pool is busy",
+            exit_code=-10,
+            detail="no_available_container",
+        )
+
+    task_id = str(uuid.uuid4())
+    workdir = f"/tmp/sandbox_{task_id}"
+    os.makedirs(workdir, mode=0o700, exist_ok=True)
+
+    try:
+        bundle = _build_execution_bundle(req, workdir)
+        code_name = str(bundle["code_name"])
+        runner_name = str(bundle["runner_name"])
+
+        code_path = os.path.join(workdir, code_name)
+        with open(code_path, "wb") as f:
+            f.write(bundle["code_bytes"])
+
+        runner_path = os.path.join(workdir, runner_name)
+        with open(runner_path, "w", encoding="utf-8") as f:
+            f.write(str(bundle["runner_source"]))
+
+        args_path = os.path.join(workdir, str(bundle["args_name"]))
+        with open(args_path, "w", encoding="utf-8") as f:
+            f.write(str(bundle["args_source"]))
+
+        returncode, _, stderr = await async_run_command("docker", "exec", container, "mkdir", "-p", f"/workspace/{task_id}", timeout=5)
+        if returncode != 0:
+            raise RuntimeError(f"Directory creation failed: {stderr}")
+
+        tar_proc = await asyncio.create_subprocess_exec(
+            "tar", "czf", "-", "-C", workdir, code_name, runner_name, str(bundle["args_name"]), stdout=asyncio.subprocess.PIPE
+        )
+        tar_stdout, _ = await tar_proc.communicate()
+
+        docker_proc = await asyncio.create_subprocess_exec(
+            "docker", "exec", "-i", container, "tar", "xzf", "-", "-C", f"/workspace/{task_id}", stdin=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
+        )
+        stdout, stderr = await docker_proc.communicate(input=tar_stdout)
+
+        if docker_proc.returncode != 0:
+            raise RuntimeError(stderr.decode())
+
+        start_time = time.time()
+        try:
+            arguments = req.arguments or {}
+            logger.info("Passed in args keys=%s size_bytes=%s", list(arguments.keys()), len(json.dumps(arguments, ensure_ascii=False).encode("utf-8")))
+            run_args = _build_container_run_args(language=language, task_id=task_id, container=container, runner_name=runner_name)
+
+            returncode, stdout, stderr = await async_run_command(
+                *run_args,
+                timeout=TIMEOUT + 5,
+            )
+
+            time_used_ms = (time.time() - start_time) * 1000
+
+            logger.info("----------------------------------------------")
+            logger.info(f"Code: {str(base64.b64decode(req.code_b64))}")
+            logger.info(f"{returncode=}")
+            logger.info(f"{stdout=}")
+            logger.info(f"{stderr=}")
+
+            if returncode == 0:
+                clean_stdout, structured_result = _extract_result_envelope(stdout)
+                artifacts = await _collect_artifacts(container, task_id, workdir)
+                return CodeExecutionResult(
+                    status=ResultStatus.SUCCESS,
+                    stdout=clean_stdout,
+                    stderr=stderr,
+                    exit_code=0,
+                    time_used_ms=time_used_ms,
+                    artifacts=artifacts,
+                    result=structured_result,
+                )
+            elif returncode == 124:
+                return CodeExecutionResult(
+                    status=ResultStatus.RESOURCE_LIMIT_EXCEEDED,
+                    stdout="",
+                    stderr="Execution timeout",
+                    exit_code=-124,
+                    resource_limit_type=ResourceLimitType.TIME,
+                    time_used_ms=time_used_ms,
+                )
+            elif returncode == 137:
+                return CodeExecutionResult(
+                    status=ResultStatus.RESOURCE_LIMIT_EXCEEDED,
+                    stdout="",
+                    stderr="Memory limit exceeded (killed by OOM)",
+                    exit_code=-137,
+                    resource_limit_type=ResourceLimitType.MEMORY,
+                    time_used_ms=time_used_ms,
+                )
+            return analyze_error_result(stderr, returncode)
+
+        except asyncio.TimeoutError:
+            await async_run_command("docker", "exec", container, "pkill", "-9", language)
+            return CodeExecutionResult(
+                status=ResultStatus.RESOURCE_LIMIT_EXCEEDED,
+                stdout="",
+                stderr="Execution timeout",
+                exit_code=-1,
+                resource_limit_type=ResourceLimitType.TIME,
+                time_used_ms=(time.time() - start_time) * 1000,
+            )
+
+    except Exception as e:
+        logger.error(f"Execution exception: {str(e)}")
+        return CodeExecutionResult(status=ResultStatus.PROGRAM_RUNNER_ERROR, stdout="", stderr=str(e), exit_code=-3, detail="internal_error")
+
+    finally:
+        cleanup_tasks = [async_run_command("docker", "exec", container, "rm", "-rf", f"/workspace/{task_id}"), async_run_command("rm", "-rf", workdir)]
+        await asyncio.gather(*cleanup_tasks, return_exceptions=True)
+        await release_container(container, language)
+
+
+ALLOWED_ARTIFACT_EXTENSIONS = {
+    ".png": "image/png",
+    ".jpg": "image/jpeg",
+    ".jpeg": "image/jpeg",
+    ".svg": "image/svg+xml",
+    ".pdf": "application/pdf",
+    ".csv": "text/csv",
+    ".json": "application/json",
+    ".html": "text/html",
+}
+MAX_ARTIFACT_COUNT = 10
+MAX_ARTIFACT_SIZE = 10 * 1024 * 1024  # 10MB per file
+
+
+async def _collect_artifacts(container: str, task_id: str, host_workdir: str) -> list[ArtifactItem]:
+    artifacts_path = f"/workspace/{task_id}/artifacts"
+
+    # List files in the artifacts directory inside the container
+    returncode, stdout, _ = await async_run_command(
+        "docker", "exec", container, "find", artifacts_path,
+        "-maxdepth", "1", "-type", "f", timeout=5,
+    )
+    if returncode != 0 or not stdout.strip():
+        return []
+
+    raw_names = [line.split("/")[-1] for line in stdout.strip().splitlines() if line.strip()]
+    # Sanitize: reject names with path traversal or control characters
+    filenames = [n for n in raw_names if n and "/" not in n and "\\" not in n and ".." not in n and not n.startswith(".")]
+    if not filenames:
+        return []
+
+    items: list[ArtifactItem] = []
+
+    for fname in filenames[:MAX_ARTIFACT_COUNT]:
+        ext = os.path.splitext(fname)[1].lower()
+        mime_type = ALLOWED_ARTIFACT_EXTENSIONS.get(ext)
+        if not mime_type:
+            logger.warning(f"Skipping artifact with disallowed extension: {fname}")
+            continue
+
+        file_path = f"{artifacts_path}/{fname}"
+
+        # Check file size inside the container
+        returncode, size_str, _ = await async_run_command(
+            "docker", "exec", container, "stat", "-c", "%s", file_path, timeout=5,
+        )
+        if returncode != 0:
+            logger.warning(f"Failed to stat artifact {fname}")
+            continue
+
+        file_size = int(size_str.strip())
+        if file_size > MAX_ARTIFACT_SIZE:
+            logger.warning(f"Artifact {fname} too large ({file_size} bytes), skipping")
+            continue
+        if file_size == 0:
+            continue
+
+        # Read file content via docker exec (docker cp doesn't work with gVisor tmpfs)
+        returncode, content_b64, stderr = await async_run_command(
+            "docker", "exec", container, "base64", file_path, timeout=30,
+        )
+        if returncode != 0:
+            logger.warning(f"Failed to read artifact {fname}: {stderr}")
+            continue
+
+        content_b64 = content_b64.replace("\n", "").strip()
+
+        items.append(ArtifactItem(
+            name=fname,
+            mime_type=mime_type,
+            size=file_size,
+            content_b64=content_b64,
+        ))
+        logger.info(f"Collected artifact: {fname} ({file_size} bytes, {mime_type})")
+
+    return items
+
+
+def analyze_error_result(stderr: str, exit_code: int) -> CodeExecutionResult:
+    """Analyze the error result and classify it"""
+    if "Permission denied" in stderr:
+        return CodeExecutionResult(
+            status=ResultStatus.UNAUTHORIZED_ACCESS,
+            stdout="",
+            stderr=stderr,
+            exit_code=exit_code,
+            unauthorized_access_type=UnauthorizedAccessType.FILE_ACCESS,
+        )
+    elif "Operation not permitted" in stderr:
+        return CodeExecutionResult(
+            status=ResultStatus.UNAUTHORIZED_ACCESS,
+            stdout="",
+            stderr=stderr,
+            exit_code=exit_code,
+            unauthorized_access_type=UnauthorizedAccessType.DISALLOWED_SYSCALL,
+        )
+    elif "MemoryError" in stderr:
+        return CodeExecutionResult(
+            status=ResultStatus.RESOURCE_LIMIT_EXCEEDED,
+            stdout="",
+            stderr=stderr,
+            exit_code=exit_code,
+            resource_limit_type=ResourceLimitType.MEMORY,
+        )
+    else:
+        return CodeExecutionResult(
+            status=ResultStatus.PROGRAM_ERROR,
+            stdout="",
+            stderr=stderr,
+            exit_code=exit_code,
+            runtime_error_type=RuntimeErrorType.NONZERO_EXIT,
+        )
--- a/agent/sandbox/executor_manager/services/limiter.py
+++ b/agent/sandbox/executor_manager/services/limiter.py
--- a/agent/sandbox/executor_manager/services/security.py
+++ b/agent/sandbox/executor_manager/services/security.py
@@ -0,0 +1,197 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+import ast
+import re
+from typing import List, Tuple
+
+from core.logger import logger
+from models.enums import SupportLanguage
+
+
+class SecurePythonAnalyzer(ast.NodeVisitor):
+    """
+    An AST-based analyzer for detecting unsafe Python code patterns.
+    """
+
+    DANGEROUS_IMPORTS = {"os", "subprocess", "sys", "shutil", "socket", "ctypes", "pickle", "threading", "multiprocessing", "asyncio", "http.client", "ftplib", "telnetlib"}
+
+    DANGEROUS_CALLS = {
+        "eval",
+        "exec",
+        "open",
+        "__import__",
+        "compile",
+        "input",
+        "system",
+        "popen",
+        "remove",
+        "rename",
+        "rmdir",
+        "chdir",
+        "chmod",
+        "chown",
+        "getattr",
+        "setattr",
+        "globals",
+        "locals",
+        "shutil.rmtree",
+        "subprocess.call",
+        "subprocess.Popen",
+        "ctypes",
+        "pickle.load",
+        "pickle.loads",
+        "pickle.dump",
+        "pickle.dumps",
+    }
+
+    def __init__(self):
+        self.unsafe_items: List[Tuple[str, int]] = []
+
+    def visit_Import(self, node: ast.Import):
+        """Check for dangerous imports."""
+        for alias in node.names:
+            if alias.name.split(".")[0] in self.DANGEROUS_IMPORTS:
+                self.unsafe_items.append((f"Import: {alias.name}", node.lineno))
+        self.generic_visit(node)
+
+    def visit_ImportFrom(self, node: ast.ImportFrom):
+        """Check for dangerous imports from specific modules."""
+        if node.module and node.module.split(".")[0] in self.DANGEROUS_IMPORTS:
+            self.unsafe_items.append((f"From Import: {node.module}", node.lineno))
+        self.generic_visit(node)
+
+    def visit_Call(self, node: ast.Call):
+        """Check for dangerous function calls."""
+        if isinstance(node.func, ast.Name) and node.func.id in self.DANGEROUS_CALLS:
+            self.unsafe_items.append((f"Call: {node.func.id}", node.lineno))
+        self.generic_visit(node)
+
+    def visit_Attribute(self, node: ast.Attribute):
+        """Check for dangerous attribute access."""
+        if isinstance(node.value, ast.Name) and node.value.id in self.DANGEROUS_IMPORTS:
+            self.unsafe_items.append((f"Attribute Access: {node.value.id}.{node.attr}", node.lineno))
+        self.generic_visit(node)
+
+    def visit_BinOp(self, node: ast.BinOp):
+        """Check for possible unsafe operations like concatenating strings with commands."""
+        # This could be useful to detect `eval("os." + "system")`
+        if isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant):
+            self.unsafe_items.append(("Possible unsafe string concatenation", node.lineno))
+        self.generic_visit(node)
+
+    def visit_FunctionDef(self, node: ast.FunctionDef):
+        """Check for dangerous function definitions (e.g., user-defined eval)."""
+        if node.name in self.DANGEROUS_CALLS:
+            self.unsafe_items.append((f"Function Definition: {node.name}", node.lineno))
+        self.generic_visit(node)
+
+    def visit_Assign(self, node: ast.Assign):
+        """Check for assignments to variables that might lead to dangerous operations."""
+        for target in node.targets:
+            if isinstance(target, ast.Name) and target.id in self.DANGEROUS_CALLS:
+                self.unsafe_items.append((f"Assignment to dangerous variable: {target.id}", node.lineno))
+        self.generic_visit(node)
+
+    def visit_Lambda(self, node: ast.Lambda):
+        """Check for lambda functions with dangerous operations."""
+        if isinstance(node.body, ast.Call) and isinstance(node.body.func, ast.Name) and node.body.func.id in self.DANGEROUS_CALLS:
+            self.unsafe_items.append(("Lambda with dangerous function call", node.lineno))
+        self.generic_visit(node)
+
+    def visit_ListComp(self, node: ast.ListComp):
+        """Check for list comprehensions with dangerous operations."""
+        # First, visit the generators to check for any issues there
+        for elem in node.generators:
+            if isinstance(elem, ast.comprehension):
+                self.generic_visit(elem)
+
+        if isinstance(node.elt, ast.Call) and isinstance(node.elt.func, ast.Name) and node.elt.func.id in self.DANGEROUS_CALLS:
+            self.unsafe_items.append(("List comprehension with dangerous function call", node.lineno))
+        self.generic_visit(node)
+
+    def visit_DictComp(self, node: ast.DictComp):
+        """Check for dictionary comprehensions with dangerous operations."""
+        # Check for dangerous calls in both the key and value expressions of the dictionary comprehension
+        if isinstance(node.key, ast.Call) and isinstance(node.key.func, ast.Name) and node.key.func.id in self.DANGEROUS_CALLS:
+            self.unsafe_items.append(("Dict comprehension with dangerous function call in key", node.lineno))
+
+        if isinstance(node.value, ast.Call) and isinstance(node.value.func, ast.Name) and node.value.func.id in self.DANGEROUS_CALLS:
+            self.unsafe_items.append(("Dict comprehension with dangerous function call in value", node.lineno))
+
+        # Visit other sub-nodes (e.g., the generators in the comprehension)
+        self.generic_visit(node)
+
+    def visit_SetComp(self, node: ast.SetComp):
+        """Check for set comprehensions with dangerous operations."""
+        for elt in node.generators:
+            if isinstance(elt, ast.comprehension):
+                self.generic_visit(elt)
+
+        if isinstance(node.elt, ast.Call) and isinstance(node.elt.func, ast.Name) and node.elt.func.id in self.DANGEROUS_CALLS:
+            self.unsafe_items.append(("Set comprehension with dangerous function call", node.lineno))
+
+        self.generic_visit(node)
+
+    def visit_Yield(self, node: ast.Yield):
+        """Check for yield statements that could be used to produce unsafe values."""
+        if isinstance(node.value, ast.Call) and isinstance(node.value.func, ast.Name) and node.value.func.id in self.DANGEROUS_CALLS:
+            self.unsafe_items.append(("Yield with dangerous function call", node.lineno))
+        self.generic_visit(node)
+
+
+class SecureJavaScriptAnalyzer:
+    DANGEROUS_PATTERNS = [
+        (re.compile(r"""require\s*\(\s*['"]child_process['"]\s*\)"""), "Require: child_process"),
+        (re.compile(r"""require\s*\(\s*['"]fs['"]\s*\)"""), "Require: fs"),
+        (re.compile(r"""require\s*\(\s*['"]worker_threads['"]\s*\)"""), "Require: worker_threads"),
+        (re.compile(r"""\beval\s*\("""), "Call: eval"),
+        (re.compile(r"""\bFunction\s*\("""), "Call: Function"),
+        (re.compile(r"""\bprocess\s*\.\s*binding\s*\("""), "Call: process.binding"),
+    ]
+
+    @classmethod
+    def analyze(cls, code: str) -> List[Tuple[str, int]]:
+        issues: List[Tuple[str, int]] = []
+        for pattern, description in cls.DANGEROUS_PATTERNS:
+            for match in pattern.finditer(code):
+                lineno = code.count("\n", 0, match.start()) + 1
+                issues.append((description, lineno))
+        return issues
+
+
+def analyze_code_security(code: str, language: SupportLanguage) -> Tuple[bool, List[Tuple[str, int]]]:
+    """
+    Analyze the provided code string and return whether it's safe and why.
+
+    :param code: The source code to analyze.
+    :param language: The programming language of the code.
+    :return: (is_safe: bool, issues: List of (description, line number))
+    """
+    if language == SupportLanguage.PYTHON:
+        try:
+            tree = ast.parse(code)
+            analyzer = SecurePythonAnalyzer()
+            analyzer.visit(tree)
+            return len(analyzer.unsafe_items) == 0, analyzer.unsafe_items
+        except Exception as e:
+            logger.error(f"[SafeCheck] Python parsing failed: {str(e)}")
+            return False, [(f"Parsing Error: {str(e)}", -1)]
+    if language == SupportLanguage.NODEJS:
+        issues = SecureJavaScriptAnalyzer.analyze(code)
+        return len(issues) == 0, issues
+
+    logger.warning(f"[SafeCheck] Unsupported language for security analysis: {language}")
+    return False, [(f"Unsupported language for security analysis: {language}", -1)]
--- a/agent/sandbox/executor_manager/util.py
+++ b/agent/sandbox/executor_manager/util.py
--- a/agent/sandbox/executor_manager/utils/init.py
+++ b/agent/sandbox/executor_manager/utils/init.py
--- a/agent/sandbox/executor_manager/utils/common.py
+++ b/agent/sandbox/executor_manager/utils/common.py
--- a/agent/sandbox/providers/init.py
+++ b/agent/sandbox/providers/init.py
@@ -0,0 +1,43 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+"""
+Sandbox providers package.
+
+This package contains:
+- base.py: Base interface for all sandbox providers
+- manager.py: Provider manager for managing active provider
+- self_managed.py: Self-managed provider implementation (wraps existing executor_manager)
+- aliyun_codeinterpreter.py: Aliyun Code Interpreter provider implementation
+  Official Documentation: https://help.aliyun.com/zh/functioncompute/fc/sandbox-sandbox-code-interepreter
+- e2b.py: E2B provider implementation
+"""
+
+from .base import SandboxProvider, SandboxInstance, ExecutionResult
+from .manager import ProviderManager
+from .self_managed import SelfManagedProvider
+from .aliyun_codeinterpreter import AliyunCodeInterpreterProvider
+from .e2b import E2BProvider
+
+__all__ = [
+    "SandboxProvider",
+    "SandboxInstance",
+    "ExecutionResult",
+    "ProviderManager",
+    "SelfManagedProvider",
+    "AliyunCodeInterpreterProvider",
+    "E2BProvider",
+]
--- a/agent/sandbox/providers/aliyun_codeinterpreter.py
+++ b/agent/sandbox/providers/aliyun_codeinterpreter.py
@@ -0,0 +1,551 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+"""
+Aliyun Code Interpreter provider implementation.
+
+This provider integrates with Aliyun Function Compute Code Interpreter service
+for secure code execution in serverless microVMs using the official agentrun-sdk.
+
+Official Documentation: https://help.aliyun.com/zh/functioncompute/fc/sandbox-sandbox-code-interepreter
+Official SDK: https://github.com/Serverless-Devs/agentrun-sdk-python
+
+https://api.aliyun.com/api/AgentRun/2025-09-10/CreateTemplate?lang=PYTHON
+https://api.aliyun.com/api/AgentRun/2025-09-10/CreateSandbox?lang=PYTHON
+"""
+
+import logging
+import os
+import time
+import base64
+import json
+from typing import Dict, Any, List, Optional
+from datetime import datetime, timezone
+
+from agentrun.sandbox import TemplateType, CodeLanguage, Template, TemplateInput, Sandbox
+from agentrun.utils.config import Config
+from agentrun.utils.exception import ServerError
+
+from .base import SandboxProvider, SandboxInstance, ExecutionResult
+
+logger = logging.getLogger(__name__)
+RESULT_MARKER_PREFIX = "__RAGFLOW_RESULT__:"
+
+
+class AliyunCodeInterpreterProvider(SandboxProvider):
+    """
+    Aliyun Code Interpreter provider implementation.
+
+    This provider uses the official agentrun-sdk to interact with
+    Aliyun Function Compute's Code Interpreter service.
+    """
+
+    def __init__(self):
+        self.access_key_id: Optional[str] = ""
+        self.access_key_secret: Optional[str] = ""
+        self.account_id: Optional[str] = ""
+        self.region: str = "cn-hangzhou"
+        self.template_name: str = ""
+        self.timeout: int = 30
+        self._initialized: bool = False
+        self._config: Optional[Config] = None
+
+    def initialize(self, config: Dict[str, Any]) -> bool:
+        """
+        Initialize the provider with Aliyun credentials.
+
+        Args:
+            config: Configuration dictionary with keys:
+                - access_key_id: Aliyun AccessKey ID
+                - access_key_secret: Aliyun AccessKey Secret
+                - account_id: Aliyun primary account ID
+                - region: Region (default: "cn-hangzhou")
+                - template_name: Optional sandbox template name
+                - timeout: Request timeout in seconds (default: 30, max 30)
+
+        Returns:
+            True if initialization successful, False otherwise
+        """
+        # Get values from config or environment variables
+        access_key_id = config.get("access_key_id") or os.getenv("AGENTRUN_ACCESS_KEY_ID")
+        access_key_secret = config.get("access_key_secret") or os.getenv("AGENTRUN_ACCESS_KEY_SECRET")
+        account_id = config.get("account_id") or os.getenv("AGENTRUN_ACCOUNT_ID")
+        region = config.get("region") or os.getenv("AGENTRUN_REGION", "cn-hangzhou")
+
+        self.access_key_id = access_key_id
+        self.access_key_secret = access_key_secret
+        self.account_id = account_id
+        self.region = region
+        self.template_name = config.get("template_name", "")
+        self.timeout = min(config.get("timeout", 30), 30)  # Max 30 seconds
+
+        logger.info(f"Aliyun Code Interpreter: Initializing with account_id={self.account_id}, region={self.region}")
+
+        # Validate required fields
+        if not self.access_key_id or not self.access_key_secret:
+            logger.error("Aliyun Code Interpreter: Missing access_key_id or access_key_secret")
+            return False
+
+        if not self.account_id:
+            logger.error("Aliyun Code Interpreter: Missing account_id (primary account ID)")
+            return False
+
+        # Create SDK configuration
+        try:
+            logger.info(f"Aliyun Code Interpreter: Creating Config object with account_id={self.account_id}")
+            self._config = Config(
+                access_key_id=self.access_key_id,
+                access_key_secret=self.access_key_secret,
+                account_id=self.account_id,
+                region_id=self.region,
+                timeout=self.timeout,
+            )
+            logger.info("Aliyun Code Interpreter: Config object created successfully")
+
+            # Verify connection with health check
+            if not self.health_check():
+                logger.error(f"Aliyun Code Interpreter: Health check failed for region {self.region}")
+                return False
+
+            self._initialized = True
+            logger.info(f"Aliyun Code Interpreter: Initialized successfully for region {self.region}")
+            return True
+
+        except Exception as e:
+            logger.error(f"Aliyun Code Interpreter: Initialization failed - {str(e)}")
+            return False
+
+    def create_instance(self, template: str = "python") -> SandboxInstance:
+        """
+        Create a new sandbox instance in Aliyun Code Interpreter.
+
+        Args:
+            template: Programming language (python, javascript)
+
+        Returns:
+            SandboxInstance object
+
+        Raises:
+            RuntimeError: If instance creation fails
+        """
+        if not self._initialized or not self._config:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        # Normalize language
+        language = self._normalize_language(template)
+
+        try:
+            # Get or create template
+            if self.template_name:
+                # Use existing template
+                template_name = self.template_name
+            else:
+                # Try to get default template, or create one if it doesn't exist
+                default_template_name = f"ragflow-{language}-default"
+                try:
+                    # Check if template exists
+                    Template.get_by_name(default_template_name, config=self._config)
+                    template_name = default_template_name
+                except Exception:
+                    # Create default template if it doesn't exist
+                    template_input = TemplateInput(
+                        template_name=default_template_name,
+                        template_type=TemplateType.CODE_INTERPRETER,
+                    )
+                    Template.create(template_input, config=self._config)
+                    template_name = default_template_name
+
+            # Create sandbox directly
+            sandbox = Sandbox.create(
+                template_type=TemplateType.CODE_INTERPRETER,
+                template_name=template_name,
+                sandbox_idle_timeout_seconds=self.timeout,
+                config=self._config,
+            )
+
+            instance_id = sandbox.sandbox_id
+
+            return SandboxInstance(
+                instance_id=instance_id,
+                provider="aliyun_codeinterpreter",
+                status="READY",
+                metadata={
+                    "language": language,
+                    "region": self.region,
+                    "account_id": self.account_id,
+                    "template_name": template_name,
+                    "created_at": datetime.now(timezone.utc).isoformat(),
+                },
+            )
+
+        except ServerError as e:
+            raise RuntimeError(f"Failed to create sandbox instance: {str(e)}")
+        except Exception as e:
+            raise RuntimeError(f"Unexpected error creating instance: {str(e)}")
+
+    def execute_code(self, instance_id: str, code: str, language: str, timeout: int = 10, arguments: Optional[Dict[str, Any]] = None) -> ExecutionResult:
+        """
+        Execute code in the Aliyun Code Interpreter instance.
+
+        Args:
+            instance_id: ID of the sandbox instance
+            code: Source code to execute
+            language: Programming language (python, javascript)
+            timeout: Maximum execution time in seconds (max 30)
+            arguments: Optional arguments dict to pass to main() function
+
+        Returns:
+            ExecutionResult containing stdout, stderr, exit_code, and metadata
+
+        Raises:
+            RuntimeError: If execution fails
+            TimeoutError: If execution exceeds timeout
+        """
+        if not self._initialized or not self._config:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        # Normalize language
+        normalized_lang = self._normalize_language(language)
+
+        # Enforce 30-second hard limit
+        timeout = min(timeout or self.timeout, 30)
+
+        try:
+            # Connect to existing sandbox instance
+            sandbox = Sandbox.connect(sandbox_id=instance_id, config=self._config)
+
+            # agentrun-sdk 0.0.26 only exposes CodeLanguage.PYTHON; keep JS as string fallback.
+            code_language = CodeLanguage.PYTHON if normalized_lang == "python" else "javascript"
+
+            # Wrap code to call main() function
+            # Matches self_managed provider behavior: call main(**arguments)
+            args_json = json.dumps(arguments or {})
+            wrapped_code = (
+                self._build_python_wrapper(code, args_json)
+                if normalized_lang == "python"
+                else self._build_javascript_wrapper(code, args_json)
+            )
+            logger.debug(f"Aliyun Code Interpreter: Wrapped code (first 200 chars): {wrapped_code[:200]}")
+
+            start_time = time.time()
+
+            # Execute code using SDK's simplified execute endpoint
+            logger.info(f"Aliyun Code Interpreter: Executing code (language={normalized_lang}, timeout={timeout})")
+            logger.debug(f"Aliyun Code Interpreter: Original code (first 200 chars): {code[:200]}")
+            result = sandbox.context.execute(
+                code=wrapped_code,
+                language=code_language,
+                timeout=timeout,
+            )
+
+            execution_time = time.time() - start_time
+            logger.info(f"Aliyun Code Interpreter: Execution completed in {execution_time:.2f}s")
+            logger.debug(f"Aliyun Code Interpreter: Raw SDK result: {result}")
+
+            # Parse execution result
+            results = result.get("results", []) if isinstance(result, dict) else []
+            logger.info(f"Aliyun Code Interpreter: Parsed {len(results)} result items")
+
+            # Extract stdout and stderr from results
+            stdout_parts = []
+            stderr_parts = []
+            exit_code = 0
+            execution_status = "ok"
+
+            for item in results:
+                result_type = item.get("type", "")
+                text = item.get("text", "")
+
+                if result_type == "stdout":
+                    stdout_parts.append(text)
+                elif result_type == "stderr":
+                    stderr_parts.append(text)
+                    exit_code = 1  # Error occurred
+                elif result_type == "endOfExecution":
+                    execution_status = item.get("status", "ok")
+                    if execution_status != "ok":
+                        exit_code = 1
+                elif result_type == "error":
+                    stderr_parts.append(text)
+                    exit_code = 1
+
+            stdout = "\n".join(stdout_parts)
+            stderr = "\n".join(stderr_parts)
+            stdout, structured_result = self._extract_structured_result(stdout)
+
+            logger.info(f"Aliyun Code Interpreter: stdout length={len(stdout)}, stderr length={len(stderr)}, exit_code={exit_code}")
+            if stdout:
+                logger.debug(f"Aliyun Code Interpreter: stdout (first 200 chars): {stdout[:200]}")
+            if stderr:
+                logger.debug(f"Aliyun Code Interpreter: stderr (first 200 chars): {stderr[:200]}")
+
+            return ExecutionResult(
+                stdout=stdout,
+                stderr=stderr,
+                exit_code=exit_code,
+                execution_time=execution_time,
+                metadata={
+                    "instance_id": instance_id,
+                    "language": normalized_lang,
+                    "context_id": result.get("contextId") if isinstance(result, dict) else None,
+                    "timeout": timeout,
+                    "result_present": structured_result.get("present", False),
+                    "result_value": structured_result.get("value"),
+                    "result_type": structured_result.get("type"),
+                },
+            )
+
+        except ServerError as e:
+            if "timeout" in str(e).lower():
+                raise TimeoutError(f"Execution timed out after {timeout} seconds")
+            raise RuntimeError(f"Failed to execute code: {str(e)}")
+        except Exception as e:
+            raise RuntimeError(f"Unexpected error during execution: {str(e)}")
+
+    def destroy_instance(self, instance_id: str) -> bool:
+        """
+        Destroy an Aliyun Code Interpreter instance.
+
+        Args:
+            instance_id: ID of the instance to destroy
+
+        Returns:
+            True if destruction successful, False otherwise
+        """
+        if not self._initialized or not self._config:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        try:
+            # Delete sandbox by ID directly
+            Sandbox.delete_by_id(sandbox_id=instance_id)
+
+            logger.info(f"Successfully destroyed sandbox instance {instance_id}")
+            return True
+
+        except ServerError as e:
+            logger.error(f"Failed to destroy instance {instance_id}: {str(e)}")
+            return False
+        except Exception as e:
+            logger.error(f"Unexpected error destroying instance {instance_id}: {str(e)}")
+            return False
+
+    def health_check(self) -> bool:
+        """
+        Check if the Aliyun Code Interpreter service is accessible.
+
+        Returns:
+            True if provider is healthy, False otherwise
+        """
+        if not self._initialized and not (self.access_key_id and self.account_id):
+            return False
+
+        try:
+            # Try to list templates to verify connection
+            from agentrun.sandbox import Template
+
+            templates = Template.list(config=self._config)
+            return templates is not None
+
+        except Exception as e:
+            logger.warning(f"Aliyun Code Interpreter health check failed: {str(e)}")
+            # If we get any response (even an error), the service is reachable
+            return "connection" not in str(e).lower()
+
+    @staticmethod
+    def _build_python_wrapper(code: str, args_json: str) -> str:
+        marker = RESULT_MARKER_PREFIX
+        return f'''{code}
+
+if __name__ == "__main__":
+    import base64
+    import json
+
+    result = main(**{args_json})
+    payload = json.dumps({{"present": True, "value": result, "type": "json"}}, ensure_ascii=False, separators=(",", ":"))
+    print("{marker}" + base64.b64encode(payload.encode("utf-8")).decode("ascii"))
+'''
+
+    @staticmethod
+    def _build_javascript_wrapper(code: str, args_json: str) -> str:
+        marker = RESULT_MARKER_PREFIX
+        return f'''{code}
+
+const __ragflowArgs = {args_json};
+
+(async () => {{
+  try {{
+    const output = await Promise.resolve(main(__ragflowArgs));
+    if (typeof output === 'undefined') {{
+      throw new Error('main() must return a value. Use null for an empty result.');
+    }}
+    const payload = JSON.stringify({{ present: true, value: output, type: 'json' }});
+    if (typeof payload === 'undefined') {{
+      throw new Error('main() returned a non-JSON-serializable value.');
+    }}
+    console.log('{marker}' + Buffer.from(payload, 'utf8').toString('base64'));
+  }} catch (err) {{
+    console.error(err instanceof Error ? err.stack || err.message : String(err));
+  }}
+}})();
+'''
+
+    @staticmethod
+    def _extract_structured_result(stdout: str) -> tuple[str, Dict[str, Any]]:
+        if not stdout:
+            return "", {}
+
+        cleaned_lines: list[str] = []
+        structured_result: Dict[str, Any] = {}
+
+        for line in str(stdout).splitlines():
+            if line.startswith(RESULT_MARKER_PREFIX):
+                payload_b64 = line[len(RESULT_MARKER_PREFIX) :].strip()
+                if not payload_b64:
+                    continue
+                try:
+                    payload = base64.b64decode(payload_b64).decode("utf-8")
+                    structured_result = json.loads(payload)
+                except Exception as exc:
+                    logger.warning(f"Aliyun Code Interpreter: failed to decode structured result marker: {exc}")
+                    cleaned_lines.append(line)
+                continue
+            cleaned_lines.append(line)
+
+        cleaned_stdout = "\n".join(cleaned_lines)
+        if stdout.endswith("\n") and cleaned_stdout and not cleaned_stdout.endswith("\n"):
+            cleaned_stdout += "\n"
+        return cleaned_stdout, structured_result
+
+    def get_supported_languages(self) -> List[str]:
+        """
+        Get list of supported programming languages.
+
+        Returns:
+            List of language identifiers
+        """
+        return ["python", "javascript"]
+
+    @staticmethod
+    def get_config_schema() -> Dict[str, Dict]:
+        """
+        Return configuration schema for Aliyun Code Interpreter provider.
+
+        Returns:
+            Dictionary mapping field names to their schema definitions
+        """
+        return {
+            "access_key_id": {
+                "type": "string",
+                "required": True,
+                "label": "Access Key ID",
+                "placeholder": "LTAI5t...",
+                "description": "Aliyun AccessKey ID for authentication",
+                "secret": False,
+            },
+            "access_key_secret": {
+                "type": "string",
+                "required": True,
+                "label": "Access Key Secret",
+                "placeholder": "••••••••••••••••",
+                "description": "Aliyun AccessKey Secret for authentication",
+                "secret": True,
+            },
+            "account_id": {
+                "type": "string",
+                "required": True,
+                "label": "Account ID",
+                "placeholder": "1234567890...",
+                "description": "Aliyun primary account ID, required for API calls",
+            },
+            "region": {
+                "type": "string",
+                "required": False,
+                "label": "Region",
+                "default": "cn-hangzhou",
+                "description": "Aliyun region for Code Interpreter service",
+                "options": ["cn-hangzhou", "cn-beijing", "cn-shanghai", "cn-shenzhen", "cn-guangzhou"],
+            },
+            "template_name": {
+                "type": "string",
+                "required": False,
+                "label": "Template Name",
+                "placeholder": "my-interpreter",
+                "description": "Optional sandbox template name for pre-configured environments",
+            },
+            "timeout": {
+                "type": "integer",
+                "required": False,
+                "label": "Execution Timeout (seconds)",
+                "default": 30,
+                "min": 1,
+                "max": 30,
+                "description": "Code execution timeout (max 30 seconds - hard limit)",
+            },
+        }
+
+    def validate_config(self, config: Dict[str, Any]) -> tuple[bool, Optional[str]]:
+        """
+        Validate Aliyun-specific configuration.
+
+        Args:
+            config: Configuration dictionary to validate
+
+        Returns:
+            Tuple of (is_valid, error_message)
+        """
+        # Validate access key format
+        access_key_id = config.get("access_key_id", "")
+        if access_key_id and not access_key_id.startswith("LTAI"):
+            return False, "Invalid AccessKey ID format (should start with 'LTAI')"
+
+        # Validate account ID
+        account_id = config.get("account_id", "")
+        if not account_id:
+            return False, "Account ID is required"
+
+        # Validate region
+        valid_regions = ["cn-hangzhou", "cn-beijing", "cn-shanghai", "cn-shenzhen", "cn-guangzhou"]
+        region = config.get("region", "cn-hangzhou")
+        if region and region not in valid_regions:
+            return False, f"Invalid region. Must be one of: {', '.join(valid_regions)}"
+
+        # Validate timeout range (max 30 seconds)
+        timeout = config.get("timeout", 30)
+        if isinstance(timeout, int) and (timeout < 1 or timeout > 30):
+            return False, "Timeout must be between 1 and 30 seconds"
+
+        return True, None
+
+    def _normalize_language(self, language: str) -> str:
+        """
+        Normalize language identifier to Aliyun format.
+
+        Args:
+            language: Language identifier (python, python3, javascript, nodejs)
+
+        Returns:
+            Normalized language identifier
+        """
+        if not language:
+            return "python"
+
+        lang_lower = language.lower()
+        if lang_lower in ("python", "python3"):
+            return "python"
+        elif lang_lower in ("javascript", "nodejs"):
+            return "javascript"
+        else:
+            return language
--- a/agent/sandbox/providers/base.py
+++ b/agent/sandbox/providers/base.py
@@ -0,0 +1,212 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+"""
+Base interface for sandbox providers.
+
+Each sandbox provider (self-managed, SaaS) implements this interface
+to provide code execution capabilities.
+"""
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from typing import Dict, Any, Optional, List
+
+
+@dataclass
+class SandboxInstance:
+    """Represents a sandbox execution instance"""
+    instance_id: str
+    provider: str
+    status: str  # running, stopped, error
+    metadata: Dict[str, Any]
+
+    def __post_init__(self):
+        if self.metadata is None:
+            self.metadata = {}
+
+
+@dataclass
+class ExecutionResult:
+    """Result of code execution in a sandbox"""
+    stdout: str
+    stderr: str
+    exit_code: int
+    execution_time: float  # in seconds
+    metadata: Dict[str, Any]
+
+    def __post_init__(self):
+        if self.metadata is None:
+            self.metadata = {}
+
+
+class SandboxProvider(ABC):
+    """
+    Base interface for all sandbox providers.
+
+    Each provider implementation (self-managed, Aliyun OpenSandbox, E2B, etc.)
+    must implement these methods to provide code execution capabilities.
+    """
+
+    @abstractmethod
+    def initialize(self, config: Dict[str, Any]) -> bool:
+        """
+        Initialize the provider with configuration.
+
+        Args:
+            config: Provider-specific configuration dictionary
+
+        Returns:
+            True if initialization successful, False otherwise
+        """
+        pass
+
+    @abstractmethod
+    def create_instance(self, template: str = "python") -> SandboxInstance:
+        """
+        Create a new sandbox instance.
+
+        Args:
+            template: Programming language/template for the instance
+                     (e.g., "python", "nodejs", "bash")
+
+        Returns:
+            SandboxInstance object representing the created instance
+
+        Raises:
+            RuntimeError: If instance creation fails
+        """
+        pass
+
+    @abstractmethod
+    def execute_code(
+        self,
+        instance_id: str,
+        code: str,
+        language: str,
+        timeout: int = 10,
+        arguments: Optional[Dict[str, Any]] = None
+    ) -> ExecutionResult:
+        """
+        Execute code in a sandbox instance.
+
+        Args:
+            instance_id: ID of the sandbox instance
+            code: Source code to execute
+            language: Programming language (python, javascript, etc.)
+            timeout: Maximum execution time in seconds
+            arguments: Optional arguments dict to pass to main() function
+
+        Returns:
+            ExecutionResult containing stdout, stderr, exit_code, and metadata
+
+        Raises:
+            RuntimeError: If execution fails
+            TimeoutError: If execution exceeds timeout
+        """
+        pass
+
+    @abstractmethod
+    def destroy_instance(self, instance_id: str) -> bool:
+        """
+        Destroy a sandbox instance.
+
+        Args:
+            instance_id: ID of the instance to destroy
+
+        Returns:
+            True if destruction successful, False otherwise
+
+        Raises:
+            RuntimeError: If destruction fails
+        """
+        pass
+
+    @abstractmethod
+    def health_check(self) -> bool:
+        """
+        Check if the provider is healthy and accessible.
+
+        Returns:
+            True if provider is healthy, False otherwise
+        """
+        pass
+
+    @abstractmethod
+    def get_supported_languages(self) -> List[str]:
+        """
+        Get list of supported programming languages.
+
+        Returns:
+            List of language identifiers (e.g., ["python", "javascript", "go"])
+        """
+        pass
+
+    @staticmethod
+    def get_config_schema() -> Dict[str, Dict]:
+        """
+        Return configuration schema for this provider.
+
+        The schema defines what configuration fields are required/optional,
+        their types, validation rules, and UI labels.
+
+        Returns:
+            Dictionary mapping field names to their schema definitions.
+
+        Example:
+            {
+                "endpoint": {
+                    "type": "string",
+                    "required": True,
+                    "label": "API Endpoint",
+                    "placeholder": "http://localhost:9385"
+                },
+                "timeout": {
+                    "type": "integer",
+                    "default": 30,
+                    "label": "Timeout (seconds)",
+                    "min": 5,
+                    "max": 300
+                }
+            }
+        """
+        return {}
+
+    def validate_config(self, config: Dict[str, Any]) -> tuple[bool, Optional[str]]:
+        """
+        Validate provider-specific configuration.
+
+        This method allows providers to implement custom validation logic beyond
+        the basic schema validation. Override this method to add provider-specific
+        checks like URL format validation, API key format validation, etc.
+
+        Args:
+            config: Configuration dictionary to validate
+
+        Returns:
+            Tuple of (is_valid, error_message):
+                - is_valid: True if configuration is valid, False otherwise
+                - error_message: Error message if invalid, None if valid
+
+        Example:
+            >>> def validate_config(self, config):
+            >>>     endpoint = config.get("endpoint", "")
+            >>>     if not endpoint.startswith(("http://", "https://")):
+            >>>         return False, "Endpoint must start with http:// or https://"
+            >>>     return True, None
+        """
+        # Default implementation: no custom validation
+        return True, None
--- a/agent/sandbox/providers/e2b.py
+++ b/agent/sandbox/providers/e2b.py
@@ -0,0 +1,233 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+"""
+E2B provider implementation.
+
+This provider integrates with E2B Cloud for cloud-based code execution
+using Firecracker microVMs.
+"""
+
+import uuid
+from typing import Dict, Any, List
+
+from .base import SandboxProvider, SandboxInstance, ExecutionResult
+
+
+class E2BProvider(SandboxProvider):
+    """
+    E2B provider implementation.
+
+    This provider uses E2B Cloud service for secure code execution
+    in Firecracker microVMs.
+    """
+
+    def __init__(self):
+        self.api_key: str = ""
+        self.region: str = "us"
+        self.timeout: int = 30
+        self._initialized: bool = False
+
+    def initialize(self, config: Dict[str, Any]) -> bool:
+        """
+        Initialize the provider with E2B credentials.
+
+        Args:
+            config: Configuration dictionary with keys:
+                - api_key: E2B API key
+                - region: Region (us, eu) (default: "us")
+                - timeout: Request timeout in seconds (default: 30)
+
+        Returns:
+            True if initialization successful, False otherwise
+        """
+        self.api_key = config.get("api_key", "")
+        self.region = config.get("region", "us")
+        self.timeout = config.get("timeout", 30)
+
+        # Validate required fields
+        if not self.api_key:
+            return False
+
+        # TODO: Implement actual E2B API client initialization
+        # For now, we'll mark as initialized but actual API calls will fail
+        self._initialized = True
+        return True
+
+    def create_instance(self, template: str = "python") -> SandboxInstance:
+        """
+        Create a new sandbox instance in E2B.
+
+        Args:
+            template: Programming language template (python, nodejs, go, bash)
+
+        Returns:
+            SandboxInstance object
+
+        Raises:
+            RuntimeError: If instance creation fails
+        """
+        if not self._initialized:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        # Normalize language
+        language = self._normalize_language(template)
+
+        # TODO: Implement actual E2B API call
+        # POST /sandbox with template
+        instance_id = str(uuid.uuid4())
+
+        return SandboxInstance(
+            instance_id=instance_id,
+            provider="e2b",
+            status="running",
+            metadata={
+                "language": language,
+                "region": self.region,
+            }
+        )
+
+    def execute_code(
+        self,
+        instance_id: str,
+        code: str,
+        language: str,
+        timeout: int = 10
+    ) -> ExecutionResult:
+        """
+        Execute code in the E2B instance.
+
+        Args:
+            instance_id: ID of the sandbox instance
+            code: Source code to execute
+            language: Programming language (python, nodejs, go, bash)
+            timeout: Maximum execution time in seconds
+
+        Returns:
+            ExecutionResult containing stdout, stderr, exit_code, and metadata
+
+        Raises:
+            RuntimeError: If execution fails
+            TimeoutError: If execution exceeds timeout
+        """
+        if not self._initialized:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        # TODO: Implement actual E2B API call
+        # POST /sandbox/{sandboxID}/execute
+
+        raise RuntimeError(
+            "E2B provider is not yet fully implemented. "
+            "Please use the self-managed provider or implement the E2B API integration. "
+            "See https://github.com/e2b-dev/e2b for API documentation."
+        )
+
+    def destroy_instance(self, instance_id: str) -> bool:
+        """
+        Destroy an E2B instance.
+
+        Args:
+            instance_id: ID of the instance to destroy
+
+        Returns:
+            True if destruction successful, False otherwise
+        """
+        if not self._initialized:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        # TODO: Implement actual E2B API call
+        # DELETE /sandbox/{sandboxID}
+        return True
+
+    def health_check(self) -> bool:
+        """
+        Check if the E2B service is accessible.
+
+        Returns:
+            True if provider is healthy, False otherwise
+        """
+        if not self._initialized:
+            return False
+
+        # TODO: Implement actual E2B health check API call
+        # GET /healthz or similar
+        # For now, return True if initialized with API key
+        return bool(self.api_key)
+
+    def get_supported_languages(self) -> List[str]:
+        """
+        Get list of supported programming languages.
+
+        Returns:
+            List of language identifiers
+        """
+        return ["python", "nodejs", "javascript", "go", "bash"]
+
+    @staticmethod
+    def get_config_schema() -> Dict[str, Dict]:
+        """
+        Return configuration schema for E2B provider.
+
+        Returns:
+            Dictionary mapping field names to their schema definitions
+        """
+        return {
+            "api_key": {
+                "type": "string",
+                "required": True,
+                "label": "API Key",
+                "placeholder": "e2b_sk_...",
+                "description": "E2B API key for authentication",
+                "secret": True,
+            },
+            "region": {
+                "type": "string",
+                "required": False,
+                "label": "Region",
+                "default": "us",
+                "description": "E2B service region (us or eu)",
+            },
+            "timeout": {
+                "type": "integer",
+                "required": False,
+                "label": "Request Timeout (seconds)",
+                "default": 30,
+                "min": 5,
+                "max": 300,
+                "description": "API request timeout for code execution",
+            }
+        }
+
+    def _normalize_language(self, language: str) -> str:
+        """
+        Normalize language identifier to E2B template format.
+
+        Args:
+            language: Language identifier
+
+        Returns:
+            Normalized language identifier
+        """
+        if not language:
+            return "python"
+
+        lang_lower = language.lower()
+        if lang_lower in ("python", "python3"):
+            return "python"
+        elif lang_lower in ("javascript", "nodejs"):
+            return "nodejs"
+        else:
+            return language
--- a/agent/sandbox/providers/manager.py
+++ b/agent/sandbox/providers/manager.py
@@ -0,0 +1,78 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+"""
+Provider manager for sandbox providers.
+
+Since sandbox configuration is global (system-level), we only use one
+active provider at a time. This manager is a thin wrapper that holds a reference
+to the currently active provider.
+"""
+
+from typing import Optional
+from .base import SandboxProvider
+
+
+class ProviderManager:
+    """
+    Manages the currently active sandbox provider.
+
+    With global configuration, there's only one active provider at a time.
+    This manager simply holds a reference to that provider.
+    """
+
+    def __init__(self):
+        """Initialize an empty provider manager."""
+        self.current_provider: Optional[SandboxProvider] = None
+        self.current_provider_name: Optional[str] = None
+
+    def set_provider(self, name: str, provider: SandboxProvider):
+        """
+        Set the active provider.
+
+        Args:
+            name: Provider identifier (e.g., "self_managed", "e2b")
+            provider: Provider instance
+        """
+        self.current_provider = provider
+        self.current_provider_name = name
+
+    def get_provider(self) -> Optional[SandboxProvider]:
+        """
+        Get the active provider.
+
+        Returns:
+            Currently active SandboxProvider instance, or None if not set
+        """
+        return self.current_provider
+
+    def get_provider_name(self) -> Optional[str]:
+        """
+        Get the active provider name.
+
+        Returns:
+            Provider name (e.g., "self_managed"), or None if not set
+        """
+        return self.current_provider_name
+
+    def is_configured(self) -> bool:
+        """
+        Check if a provider is configured.
+
+        Returns:
+            True if a provider is set, False otherwise
+        """
+        return self.current_provider is not None
--- a/agent/sandbox/providers/self_managed.py
+++ b/agent/sandbox/providers/self_managed.py
@@ -0,0 +1,364 @@
+#
+#  Copyright 2025 The InfiniFlow Authors. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+"""
+Self-managed sandbox provider implementation.
+
+This provider wraps the existing executor_manager HTTP API which manages
+a pool of Docker containers with gVisor for secure code execution.
+"""
+
+import base64
+import time
+import uuid
+from typing import Dict, Any, List, Optional
+
+import requests
+
+from .base import SandboxProvider, SandboxInstance, ExecutionResult
+
+
+class SelfManagedProvider(SandboxProvider):
+    """
+    Self-managed sandbox provider using Daytona/Docker.
+
+    This provider communicates with the executor_manager HTTP API
+    which manages a pool of containers for code execution.
+    """
+
+    def __init__(self):
+        self.endpoint: str = "http://localhost:9385"
+        self.timeout: int = 30
+        self.max_retries: int = 3
+        self.pool_size: int = 10
+        self._initialized: bool = False
+
+    def initialize(self, config: Dict[str, Any]) -> bool:
+        """
+        Initialize the provider with configuration.
+
+        Args:
+            config: Configuration dictionary with keys:
+                - endpoint: HTTP endpoint (default: "http://localhost:9385")
+                - timeout: Request timeout in seconds (default: 30)
+                - max_retries: Maximum retry attempts (default: 3)
+                - pool_size: Container pool size for info (default: 10)
+
+        Returns:
+            True if initialization successful, False otherwise
+        """
+        self.endpoint = config.get("endpoint", "http://localhost:9385")
+        self.timeout = config.get("timeout", 30)
+        self.max_retries = config.get("max_retries", 3)
+        self.pool_size = config.get("pool_size", 10)
+
+        # Validate endpoint is accessible
+        if not self.health_check():
+            # Try to fall back to SANDBOX_HOST from settings if we are using localhost
+            if "localhost" in self.endpoint or "127.0.0.1" in self.endpoint:
+                try:
+                    from common import settings
+                    if settings.SANDBOX_HOST and settings.SANDBOX_HOST not in self.endpoint:
+                        original_endpoint = self.endpoint
+                        self.endpoint = f"http://{settings.SANDBOX_HOST}:9385"
+                        if self.health_check():
+                            import logging
+                            logging.warning(f"Sandbox self_managed: Connected using settings.SANDBOX_HOST fallback: {self.endpoint} (original: {original_endpoint})")
+                            self._initialized = True
+                            return True
+                        else:
+                            self.endpoint = original_endpoint # Restore if fallback also fails
+                except ImportError:
+                    pass
+
+            return False
+
+        self._initialized = True
+        return True
+
+    def create_instance(self, template: str = "python") -> SandboxInstance:
+        """
+        Create a new sandbox instance.
+
+        Note: For self-managed provider, instances are managed internally
+        by the executor_manager's container pool. This method returns
+        a logical instance handle.
+
+        Args:
+            template: Programming language (python, nodejs)
+
+        Returns:
+            SandboxInstance object
+
+        Raises:
+            RuntimeError: If instance creation fails
+        """
+        if not self._initialized:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        # Normalize language
+        language = self._normalize_language(template)
+
+        # The executor_manager manages instances internally via container pool
+        # We create a logical instance ID for tracking
+        instance_id = str(uuid.uuid4())
+
+        return SandboxInstance(
+            instance_id=instance_id,
+            provider="self_managed",
+            status="running",
+            metadata={
+                "language": language,
+                "endpoint": self.endpoint,
+                "pool_size": self.pool_size,
+            }
+        )
+
+    def execute_code(
+        self,
+        instance_id: str,
+        code: str,
+        language: str,
+        timeout: int = 10,
+        arguments: Optional[Dict[str, Any]] = None
+    ) -> ExecutionResult:
+        """
+        Execute code in the sandbox.
+
+        Args:
+            instance_id: ID of the sandbox instance (not used for self-managed)
+            code: Source code to execute
+            language: Programming language (python, nodejs, javascript)
+            timeout: Maximum execution time in seconds
+            arguments: Optional arguments dict to pass to main() function
+
+        Returns:
+            ExecutionResult containing stdout, stderr, exit_code, and metadata
+
+        Raises:
+            RuntimeError: If execution fails
+            TimeoutError: If execution exceeds timeout
+        """
+        if not self._initialized:
+            raise RuntimeError("Provider not initialized. Call initialize() first.")
+
+        # Normalize language
+        normalized_lang = self._normalize_language(language)
+
+        # Prepare request
+        code_b64 = base64.b64encode(code.encode("utf-8")).decode("utf-8")
+        payload = {
+            "code_b64": code_b64,
+            "language": normalized_lang,
+            "arguments": arguments or {}
+        }
+
+        url = f"{self.endpoint}/run"
+        exec_timeout = timeout or self.timeout
+
+        start_time = time.time()
+
+        try:
+            response = requests.post(
+                url,
+                json=payload,
+                timeout=exec_timeout,
+                headers={"Content-Type": "application/json"}
+            )
+
+            execution_time = time.time() - start_time
+
+            if response.status_code != 200:
+                raise RuntimeError(
+                    f"HTTP {response.status_code}: {response.text}"
+                )
+
+            result = response.json()
+            structured_result = result.get("result") or {}
+
+            return ExecutionResult(
+                stdout=result.get("stdout", ""),
+                stderr=result.get("stderr", ""),
+                exit_code=result.get("exit_code", 0),
+                execution_time=execution_time,
+                metadata={
+                    "status": result.get("status"),
+                    "time_used_ms": result.get("time_used_ms"),
+                    "memory_used_kb": result.get("memory_used_kb"),
+                    "detail": result.get("detail"),
+                    "instance_id": instance_id,
+                    "artifacts": result.get("artifacts", []),
+                    "result_present": structured_result.get("present", False),
+                    "result_value": structured_result.get("value"),
+                    "result_type": structured_result.get("type"),
+                }
+            )
+
+        except requests.Timeout:
+            execution_time = time.time() - start_time
+            raise TimeoutError(
+                f"Execution timed out after {exec_timeout} seconds"
+            )
+
+        except requests.RequestException as e:
+            raise RuntimeError(f"HTTP request failed: {str(e)}")
+
+    def destroy_instance(self, instance_id: str) -> bool:
+        """
+        Destroy a sandbox instance.
+
+        Note: For self-managed provider, instances are returned to the
+        internal pool automatically by executor_manager after execution.
+        This is a no-op for tracking purposes.
+
+        Args:
+            instance_id: ID of the instance to destroy
+
+        Returns:
+            True (always succeeds for self-managed)
+        """
+        # The executor_manager manages container lifecycle internally
+        # Container is returned to pool after execution
+        return True
+
+    def health_check(self) -> bool:
+        """
+        Check if the provider is healthy and accessible.
+
+        Returns:
+            True if provider is healthy, False otherwise
+        """
+        try:
+            url = f"{self.endpoint}/healthz"
+            response = requests.get(url, timeout=5)
+            return response.status_code == 200
+        except Exception:
+            return False
+
+    def get_supported_languages(self) -> List[str]:
+        """
+        Get list of supported programming languages.
+
+        Returns:
+            List of language identifiers
+        """
+        return ["python", "nodejs", "javascript"]
+
+    @staticmethod
+    def get_config_schema() -> Dict[str, Dict]:
+        """
+        Return configuration schema for self-managed provider.
+
+        Returns:
+            Dictionary mapping field names to their schema definitions
+        """
+        return {
+            "endpoint": {
+                "type": "string",
+                "required": True,
+                "label": "Executor Manager Endpoint",
+                "placeholder": "http://localhost:9385",
+                "default": "http://localhost:9385",
+                "description": "HTTP endpoint of the executor_manager service"
+            },
+            "timeout": {
+                "type": "integer",
+                "required": False,
+                "label": "Request Timeout (seconds)",
+                "default": 30,
+                "min": 5,
+                "max": 300,
+                "description": "HTTP request timeout for code execution"
+            },
+            "max_retries": {
+                "type": "integer",
+                "required": False,
+                "label": "Max Retries",
+                "default": 3,
+                "min": 0,
+                "max": 10,
+                "description": "Maximum number of retry attempts for failed requests"
+            },
+            "pool_size": {
+                "type": "integer",
+                "required": False,
+                "label": "Container Pool Size",
+                "default": 10,
+                "min": 1,
+                "max": 100,
+                "description": "Size of the container pool (configured in executor_manager)"
+            }
+        }
+
+    def _normalize_language(self, language: str) -> str:
+        """
+        Normalize language identifier to executor_manager format.
+
+        Args:
+            language: Language identifier (python, python3, nodejs, javascript)
+
+        Returns:
+            Normalized language identifier
+        """
+        if not language:
+            return "python"
+
+        lang_lower = language.lower()
+        if lang_lower in ("python", "python3"):
+            return "python"
+        elif lang_lower in ("javascript", "nodejs"):
+            return "nodejs"
+        else:
+            return language
+
+    def validate_config(self, config: dict) -> tuple[bool, Optional[str]]:
+        """
+        Validate self-managed provider configuration.
+
+        Performs custom validation beyond the basic schema validation,
+        such as checking URL format.
+
+        Args:
+            config: Configuration dictionary to validate
+
+        Returns:
+            Tuple of (is_valid, error_message)
+        """
+        # Validate endpoint URL format
+        endpoint = config.get("endpoint", "")
+        if endpoint:
+            # Check if it's a valid HTTP/HTTPS URL or localhost
+            import re
+            url_pattern = r'^(https?://|http://localhost|http://[\d\.]+:[a-z]+:[/]|http://[\w\.]+:)'
+            if not re.match(url_pattern, endpoint):
+                return False, f"Invalid endpoint format: {endpoint}. Must start with http:// or https://"
+
+        # Validate pool_size is positive
+        pool_size = config.get("pool_size", 10)
+        if isinstance(pool_size, int) and pool_size <= 0:
+            return False, "Pool size must be greater than 0"
+
+        # Validate timeout is reasonable
+        timeout = config.get("timeout", 30)
+        if isinstance(timeout, int) and (timeout < 1 or timeout > 600):
+            return False, "Timeout must be between 1 and 600 seconds"
+
+        # Validate max_retries
+        max_retries = config.get("max_retries", 3)
+        if isinstance(max_retries, int) and (max_retries < 0 or max_retries > 10):
+            return False, "Max retries must be between 0 and 10"
+
+        return True, None
--- a/agent/sandbox/pyproject.toml
+++ b/agent/sandbox/pyproject.toml
@@ -0,0 +1,28 @@
+[project]
+name = "gvisor-sandbox"
+version = "0.1.0"
+description = "Add your description here"
+readme = "README.md"
+requires-python = ">=3.12,<3.15"
+dependencies = [
+    "fastapi>=0.115.12",
+    "httpx>=0.28.1",
+    "pydantic>=2.11.4",
+    "requests>=2.32.4",
+    "slowapi>=0.1.9",
+    "uvicorn>=0.34.2",
+]
+
+[[tool.uv.index]]
+url = "https://pypi.tuna.tsinghua.edu.cn/simple"
+
+[dependency-groups]
+dev = [
+    "basedpyright>=1.29.1",
+]
+
+[tool.ruff]
+line-length = 200
+
+[tool.ruff.lint]
+extend-select = ["C4", "SIM", "TCH"]
--- a/agent/sandbox/sandbox_base_image/nodejs/Dockerfile
+++ b/agent/sandbox/sandbox_base_image/nodejs/Dockerfile
@@ -0,0 +1,17 @@
+FROM node:24.13-bookworm-slim
+
+RUN npm config set registry https://registry.npmmirror.com
+
+# RUN grep -rl 'deb.debian.org' /etc/apt/ | xargs sed -i 's|http[s]*://deb.debian.org|https://mirrors.ustc.edu.cn|g' && \
+#     apt-get update && \
+#     apt-get install -y curl gcc make
+
+
+WORKDIR /app
+
+COPY package.json package-lock.json .
+
+RUN npm install
+
+CMD ["sleep", "infinity"]
+
--- a/agent/sandbox/sandbox_base_image/nodejs/package-lock.json
+++ b/agent/sandbox/sandbox_base_image/nodejs/package-lock.json
@@ -0,0 +1,295 @@
+{
+  "name": "nodejs",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "nodejs",
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "axios": "^1.9.0"
+      }
+    },
+    "node_modules/asynckit": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
+      "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==",
+      "license": "MIT"
+    },
+    "node_modules/axios": {
+      "version": "1.13.6",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.6.tgz",
+      "integrity": "sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ==",
+      "license": "MIT",
+      "dependencies": {
+        "follow-redirects": "^1.15.11",
+        "form-data": "^4.0.5",
+        "proxy-from-env": "^1.1.0"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/combined-stream": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
+      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
+      "license": "MIT",
+      "dependencies": {
+        "delayed-stream": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/delayed-stream": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
+      "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-set-tostringtag": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+      "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.6",
+        "has-tostringtag": "^1.0.2",
+        "hasown": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/follow-redirects": {
+      "version": "1.15.11",
+      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
+      "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/RubenVerborgh"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=4.0"
+      },
+      "peerDependenciesMeta": {
+        "debug": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/form-data": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "license": "MIT",
+      "dependencies": {
+        "asynckit": "^0.4.0",
+        "combined-stream": "^1.0.8",
+        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.12"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-tostringtag": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+      "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+      "license": "MIT",
+      "dependencies": {
+        "has-symbols": "^1.0.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/proxy-from-env": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmmirror.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
+      "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
+      "license": "MIT"
+    }
+  }
+}
--- a/agent/sandbox/sandbox_base_image/nodejs/package.json
+++ b/agent/sandbox/sandbox_base_image/nodejs/package.json
--- a/agent/sandbox/sandbox_base_image/python/Dockerfile
+++ b/agent/sandbox/sandbox_base_image/python/Dockerfile
@@ -0,0 +1,20 @@
+FROM python:3.11-slim-bookworm
+
+COPY --from=ghcr.io/astral-sh/uv:0.7.5 /uv /uvx /bin/
+ENV UV_INDEX_URL=https://pypi.tuna.tsinghua.edu.cn/simple
+ENV MPLBACKEND=Agg
+ENV MPLCONFIGDIR=/tmp/matplotlib
+ENV MATPLOTLIBRC=/usr/local/etc/matplotlibrc
+
+COPY requirements.txt .
+COPY matplotlibrc /usr/local/etc/matplotlibrc
+
+RUN grep -rl 'deb.debian.org' /etc/apt/ | xargs sed -i 's|http[s]*://deb.debian.org|https://mirrors.tuna.tsinghua.edu.cn|g' && \
+    apt-get update && \
+    apt-get install -y curl gcc && \
+    mkdir -p /tmp/matplotlib && \
+    uv pip install --system -r requirements.txt
+
+WORKDIR /workspace
+
+CMD ["sleep", "infinity"]
--- a/Show More
+++ b/Show More