Use hardcoded labels instead of i18n translations for reverse proxy fields

Co-authored-by: mserico <140243407+mserico@users.noreply.github.com>
2026-02-15 17:57:27 +00:00 · 2026-02-15 17:42:41 +00:00 · 2026-02-15 17:42:03 +00:00 · 2026-02-15 17:29:44 +00:00 · 2026-02-15 17:26:37 +00:00 · 2026-02-15 17:25:37 +00:00
341 changed files with 4980 additions and 31003 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -1,31 +0,0 @@
-name: Build & Push Docker Image
-
-on:
-  push:
-    branches:
-      - custom
-  workflow_dispatch:
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Login to Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: gromlab.ru
-          username: ${{ secrets.CR_USER }}
-          password: ${{ secrets.CR_TOKEN }}
-
-      - name: Build and Push
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          target: STANDARD
-          push: true
-          tags: |
-            gromlab.ru/gromov/casdoor:latest
-            gromlab.ru/gromov/casdoor:${{ github.sha }}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,8 +1,5 @@
 name: Build

-env:
-  GO_VERSION: "1.25.8"
-
 on:
  push:
    branches:
@@ -10,6 +7,7 @@ on:
  pull_request:

 jobs:
+
  go-tests:
    name: Running Go tests
    runs-on: ubuntu-latest
@@ -26,7 +24,7 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: '1.23'
          cache-dependency-path: ./go.mod
      - name: Tests
        run: |
@@ -36,13 +34,13 @@ jobs:
  frontend:
    name: Front-end
    runs-on: ubuntu-latest
-    needs: [go-tests]
+    needs: [ go-tests ]
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 20
-          cache: "yarn"
+          cache: 'yarn'
          cache-dependency-path: ./web/yarn.lock
      - run: yarn install && CI=false yarn run build
        working-directory: ./web
@@ -56,12 +54,12 @@ jobs:
  backend:
    name: Back-end
    runs-on: ubuntu-latest
-    needs: [go-tests]
+    needs: [ go-tests ]
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: '1.23'
          cache-dependency-path: ./go.mod
      - run: go version
      - name: Build
@@ -72,28 +70,27 @@ jobs:
  linter:
    name: Go-Linter
    runs-on: ubuntu-latest
-    needs: [go-tests]
+    needs: [ go-tests ]
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: '1.23'
          cache: false

-      - name: Sync vendor tree
-        run: go mod vendor
+      # gen a dummy config file
+      - run: touch dummy.yml

-      # CI and local `make lint` both use the repo's gofumpt-only golangci-lint config.
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v9.2.0
+        uses: golangci/golangci-lint-action@v3
        with:
-          version: v2.11.4
-          args: --config .golangci.yml ./...
+          version: latest
+          args: --disable-all -c dummy.yml -E=gofumpt --max-same-issues=0 --timeout 5m --modules-download-mode=mod

  e2e:
    name: e2e-test
    runs-on: ubuntu-latest
-    needs: [go-tests]
+    needs: [ go-tests ]
    services:
      mysql:
        image: mysql:5.7
@@ -107,7 +104,7 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: '1.23'
          cache-dependency-path: ./go.mod
      - name: start backend
        run: nohup go run ./main.go > /tmp/backend.log 2>&1 &
@@ -132,7 +129,7 @@ jobs:
      - uses: actions/setup-node@v3
        with:
          node-version: 20
-          cache: "yarn"
+          cache: 'yarn'
          cache-dependency-path: ./web/yarn.lock
      - run: yarn install
        working-directory: ./web
@@ -140,7 +137,7 @@ jobs:
        with:
          browser: chrome
          start: yarn start
-          wait-on: "http://localhost:7001"
+          wait-on: 'http://localhost:7001'
          wait-on-timeout: 210
          working-directory: ./web

@@ -162,7 +159,7 @@ jobs:
      contents: write
      issues: write
    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
-    needs: [frontend, backend, linter, e2e]
+    needs: [ frontend, backend, linter, e2e ]
    outputs:
      new-release-published: ${{ steps.semantic.outputs.new_release_published }}
      new-release-version: ${{ steps.semantic.outputs.new_release_version }}
@@ -183,18 +180,13 @@ jobs:
      contents: write
      issues: write
    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && needs.tag-release.outputs.new-release-published == 'true'
-    needs: [tag-release]
+    needs: [ tag-release ]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

-      - uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache-dependency-path: ./go.mod
-
      - name: Free disk space
        uses: jlumbroso/free-disk-space@v1.3.1
        with:
@@ -221,7 +213,7 @@ jobs:
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
-          version: "~> v2"
+          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -233,7 +225,7 @@ jobs:
      contents: write
      issues: write
    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && needs.tag-release.outputs.new-release-published == 'true'
-    needs: [tag-release]
+    needs: [ tag-release ]
    steps:
      - name: Checkout
        uses: actions/checkout@v3
@@ -303,7 +295,7 @@ jobs:
        if: steps.should_push.outputs.push=='true'
        with:
          repository: casdoor/casdoor-helm
-          ref: "master"
+          ref: 'master'
          token: ${{ secrets.GH_BOT_TOKEN }}

      - name: Update Helm Chart
--- a/.gitignore
+++ b/.gitignore
@@ -20,7 +20,6 @@ bin/
 .idea/
 *.iml
 .vscode/settings.json
-.claude

 tmp/
 tmpFiles/
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,26 +1,42 @@
-version: "2"
-run:
-  relative-path-mode: gomod
-  modules-download-mode: vendor
 linters:
-  default: none
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
-formatters:
+  disable-all: true
  enable:
-    - gofumpt
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+    - deadcode
+    - dupl
+    - errcheck
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - prealloc
+    - staticcheck
+    - structcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+    - revive
+    - exportloopref
+run:
+  deadline: 5m
+  skip-dirs:
+    - api
+  # skip-files:
+  #   - ".*_test\\.go$"
+  modules-download-mode: mod
+# all available settings of specific linters
+linters-settings:
+  lll:
+    # max line length, lines longer will be reported. Default is 120.
+    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+    line-length: 150
+    # tab width in spaces. Default to 1.
+    tab-width: 1
--- a/5
+++ b/5
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM node:20.20.1 AS FRONT
+FROM --platform=$BUILDPLATFORM node:18.19.0 AS FRONT
 WORKDIR /web

 # Copy only dependency files first for better caching
@@ -9,7 +9,7 @@ RUN yarn install --frozen-lockfile --network-timeout 1000000
 COPY ./web .
 RUN NODE_OPTIONS="--max-old-space-size=4096" yarn run build

-FROM --platform=$BUILDPLATFORM golang:1.25.8 AS BACK
+FROM --platform=$BUILDPLATFORM golang:1.23.12 AS BACK
 WORKDIR /go/src/casdoor

 # Copy only go.mod and go.sum first for dependency caching
@@ -19,6 +19,7 @@ RUN go mod download
 # Copy source files
 COPY . .

+RUN go test -v -run TestGetVersionInfo ./util/system_test.go ./util/system.go ./util/variable.go
 RUN ./build.sh

 FROM alpine:latest AS STANDARD
--- a/8
+++ b/8
@@ -90,12 +90,12 @@ deps: ## Run dependencies for local development
 	docker compose up -d db

 lint-install: ## Install golangci-lint
-	@# Keep the local golangci-lint version aligned with CI. Both local and CI lint run the gofumpt-only ruleset from .golangci.yml.
-	GOTOOLCHAIN=go1.25.8 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
+	@# The following installs a specific version of golangci-lint, which is appropriate for a CI server to avoid different results from build to build
+	go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.40.1

-lint: vendor ## Run golangci-lint
+lint: ## Run golangci-lint
 	@echo "---lint---"
-	golangci-lint run ./...
+	golangci-lint run --modules-download-mode=vendor ./...

 ##@ Deployment

--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <h1 align="center" style="border-bottom: none;">📦⚡️ Casdoor</h1>
-<h3 align="center">An open-source AI-first Identity and Access Management (IAM) /AI MCP gateway and auth server with web UI supporting MCP, A2A, OAuth 2.1, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD</h3>
+<h3 align="center">An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA and RADIUS</h3>
 <p align="center">
  <a href="#badge">
    <img alt="semantic-release" src="https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg">
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -68,8 +68,6 @@ p, *, *, POST, /api/upload-users, *, *
 p, *, *, GET, /api/get-resources, *, *
 p, *, *, GET, /api/get-records, *, *
 p, *, *, GET, /api/get-product, *, *
-p, *, *, GET, /api/get-products, *, *
-p, *, *, POST, /api/buy-product, *, *
 p, *, *, GET, /api/get-order, *, *
 p, *, *, GET, /api/get-orders, *, *
 p, *, *, GET, /api/get-user-orders, *, *
@@ -86,19 +84,12 @@ p, *, *, POST, /api/send-verification-code, *, *
 p, *, *, GET, /api/get-captcha, *, *
 p, *, *, POST, /api/verify-captcha, *, *
 p, *, *, POST, /api/verify-code, *, *
-p, *, *, POST, /api/v1/traces, *, *
-p, *, *, POST, /api/v1/metrics, *, *
-p, *, *, POST, /api/v1/logs, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
-p, *, *, GET, /.well-known/oauth-authorization-server, *, *
-p, *, *, GET, /.well-known/oauth-protected-resource, *, *
 p, *, *, GET, /.well-known/webfinger, *, *
 p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /.well-known/:application/openid-configuration, *, *
-p, *, *, GET, /.well-known/:application/oauth-authorization-server, *, *
-p, *, *, GET, /.well-known/:application/oauth-protected-resource, *, *
 p, *, *, GET, /.well-known/:application/webfinger, *, *
 p, *, *, *, /.well-known/:application/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
@@ -126,7 +117,6 @@ p, *, *, GET, /api/run-casbin-command, *, *
 p, *, *, POST, /api/refresh-engines, *, *
 p, *, *, GET, /api/get-invitation-info, *, *
 p, *, *, GET, /api/faceid-signin-begin, *, *
-p, *, *, GET, /api/kerberos-login, *, *
 `

 		sa := stringadapter.NewAdapter(ruleText)
@@ -179,7 +169,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 			return true
 		}

-		if user.IsAdmin && subOwner == objOwner {
+		if user.IsAdmin && (subOwner == objOwner || (objOwner == "admin")) {
 			return true
 		}
 	}
--- a/certificate/account.go
+++ b/certificate/account.go
@@ -1,107 +0,0 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package certificate
-
-import (
-	"crypto"
-
-	"github.com/casbin/lego/v4/acme"
-	"github.com/casbin/lego/v4/certcrypto"
-	"github.com/casbin/lego/v4/lego"
-	"github.com/casbin/lego/v4/registration"
-	"github.com/casdoor/casdoor/proxy"
-)
-
-type Account struct {
-	Email        string
-	Registration *registration.Resource
-	Key          crypto.PrivateKey
-}
-
-/** Implementation of the registration.User interface **/
-
-// GetEmail returns the email address for the account.
-func (a *Account) GetEmail() string {
-	return a.Email
-}
-
-// GetPrivateKey returns the private RSA account key.
-func (a *Account) GetPrivateKey() crypto.PrivateKey {
-	return a.Key
-}
-
-// GetRegistration returns the server registration.
-func (a *Account) GetRegistration() *registration.Resource {
-	return a.Registration
-}
-
-func getLegoClientAndAccount(email string, privateKey string, devMode bool) (*lego.Client, *Account, error) {
-	key, err := decodeEccKey(privateKey)
-	if err != nil {
-		return nil, nil, err
-	}
-	account := &Account{
-		Email: email,
-		Key:   key,
-	}
-
-	config := lego.NewConfig(account)
-	if devMode {
-		config.CADirURL = lego.LEDirectoryStaging
-	} else {
-		config.CADirURL = lego.LEDirectoryProduction
-	}
-
-	config.Certificate.KeyType = certcrypto.RSA2048
-	config.HTTPClient = proxy.ProxyHttpClient
-
-	client, err := lego.NewClient(config)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return client, account, err
-}
-
-// GetAcmeClient Incoming an email ,a privatekey and a Boolean value that controls the opening of the test environment
-// When this function is started for the first time, it will initialize the account-related configuration,
-// After initializing the configuration, It will try to obtain an account based on the private key,
-// if it fails, it will create an account based on the private key.
-// This account will be used during the running of the program
-func GetAcmeClient(email string, privateKey string, devMode bool) (*lego.Client, error) {
-	// Create a user. New accounts need an email and private key to start.
-	client, account, err := getLegoClientAndAccount(email, privateKey, devMode)
-
-	// try to obtain an account based on the private key
-	account.Registration, err = client.Registration.ResolveAccountByKey()
-	if err != nil {
-		acmeError, ok := err.(*acme.ProblemDetails)
-		if !ok {
-			return nil, err
-		}
-
-		if acmeError.Type != "urn:ietf:params:acme:error:accountDoesNotExist" {
-			return nil, acmeError
-		}
-
-		// Failed to get account, so create an account based on the private key.
-		account.Registration, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return client, nil
-}
--- a/certificate/account_test.go
+++ b/certificate/account_test.go
@@ -1,47 +0,0 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !skipCi
-// +build !skipCi
-
-package certificate
-
-import (
-	"testing"
-
-	"github.com/beego/beego/v2/server/web"
-	"github.com/casdoor/casdoor/proxy"
-	"github.com/casdoor/casdoor/util"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestGetClient(t *testing.T) {
-	err := web.LoadAppConfig("ini", "../conf/app.conf")
-	if err != nil {
-		panic(err)
-	}
-
-	proxy.InitHttpClient()
-
-	eccKey := util.ReadStringFromPath("acme_account.key")
-	println(eccKey)
-
-	client, err := GetAcmeClient("acme2@casbin.org", eccKey, false)
-	assert.Nil(t, err)
-	pem, key, err := ObtainCertificateAli(client, "casbin.com", accessKeyId, accessKeySecret)
-	assert.Nil(t, err)
-	println(pem)
-	println()
-	println(key)
-}
--- a/certificate/conf.go
+++ b/certificate/conf.go
@@ -1,20 +0,0 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package certificate
-
-var (
-	accessKeyId     = ""
-	accessKeySecret = ""
-)
--- a/certificate/dns.go
+++ b/certificate/dns.go
@@ -1,151 +0,0 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package certificate
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/casbin/lego/v4/certificate"
-	"github.com/casbin/lego/v4/challenge/dns01"
-	"github.com/casbin/lego/v4/cmd"
-	"github.com/casbin/lego/v4/lego"
-	"github.com/casbin/lego/v4/providers/dns/alidns"
-	"github.com/casbin/lego/v4/providers/dns/godaddy"
-)
-
-type AliConf struct {
-	Domains       []string // The domain names for which you want to apply for a certificate
-	AccessKey     string   // Aliyun account's AccessKey, if this is not empty, Secret is required.
-	Secret        string
-	RAMRole       string // Use Ramrole to control aliyun account
-	SecurityToken string // Optional
-	Path          string // The path to store cert file
-	Timeout       int    // Maximum waiting time for certificate application, in minutes
-}
-
-type GodaddyConf struct {
-	Domains   []string // The domain names for which you want to apply for a certificate
-	APIKey    string   // GoDaddy account's API Key
-	APISecret string
-	Path      string // The path to store cert file
-	Timeout   int    // Maximum waiting time for certificate application, in minutes
-}
-
-// getCert Verify domain ownership, then obtain a certificate, and finally store it locally.
-// Need to pass in an AliConf struct, some parameters are required, other parameters can be left blank
-func getAliCert(client *lego.Client, conf AliConf) (string, string, error) {
-	if conf.Timeout <= 0 {
-		conf.Timeout = 3
-	}
-
-	config := alidns.NewDefaultConfig()
-	config.PropagationTimeout = time.Duration(conf.Timeout) * time.Minute
-	config.APIKey = conf.AccessKey
-	config.SecretKey = conf.Secret
-	config.RAMRole = conf.RAMRole
-	config.SecurityToken = conf.SecurityToken
-
-	dnsProvider, err := alidns.NewDNSProvider(config)
-	if err != nil {
-		return "", "", err
-	}
-
-	// Choose a local DNS service provider to increase the authentication speed
-	servers := []string{"223.5.5.5:53"}
-	err = client.Challenge.SetDNS01Provider(dnsProvider, dns01.CondOption(len(servers) > 0, dns01.AddRecursiveNameservers(dns01.ParseNameservers(servers))), dns01.DisableCompletePropagationRequirement())
-	if err != nil {
-		return "", "", err
-	}
-
-	// Obtain the certificate
-	request := certificate.ObtainRequest{
-		Domains: conf.Domains,
-		Bundle:  true,
-	}
-	cert, err := client.Certificate.Obtain(request)
-	if err != nil {
-		return "", "", err
-	}
-
-	return string(cert.Certificate), string(cert.PrivateKey), nil
-}
-
-func getGoDaddyCert(client *lego.Client, conf GodaddyConf) (string, string, error) {
-	if conf.Timeout <= 0 {
-		conf.Timeout = 3
-	}
-
-	config := godaddy.NewDefaultConfig()
-	config.PropagationTimeout = time.Duration(conf.Timeout) * time.Minute
-	config.PollingInterval = time.Duration(conf.Timeout) * time.Minute / 9
-	config.APIKey = conf.APIKey
-	config.APISecret = conf.APISecret
-
-	dnsProvider, err := godaddy.NewDNSProvider(config)
-	if err != nil {
-		return "", "", err
-	}
-
-	// Choose a local DNS service provider to increase the authentication speed
-	servers := []string{"223.5.5.5:53"}
-	err = client.Challenge.SetDNS01Provider(dnsProvider, dns01.CondOption(len(servers) > 0, dns01.AddRecursiveNameservers(dns01.ParseNameservers(servers))), dns01.DisableCompletePropagationRequirement())
-	if err != nil {
-		return "", "", err
-	}
-
-	// Obtain the certificate
-	request := certificate.ObtainRequest{
-		Domains: conf.Domains,
-		Bundle:  true,
-	}
-	cert, err := client.Certificate.Obtain(request)
-	if err != nil {
-		return "", "", err
-	}
-
-	return string(cert.Certificate), string(cert.PrivateKey), nil
-}
-
-func ObtainCertificateAli(client *lego.Client, domain string, accessKey string, accessSecret string) (string, string, error) {
-	conf := AliConf{
-		Domains:       []string{fmt.Sprintf("*.%s", domain), domain},
-		AccessKey:     accessKey,
-		Secret:        accessSecret,
-		RAMRole:       "",
-		SecurityToken: "",
-		Path:          "",
-		Timeout:       3,
-	}
-	return getAliCert(client, conf)
-}
-
-func ObtainCertificateGoDaddy(client *lego.Client, domain string, accessKey string, accessSecret string) (string, string, error) {
-	conf := GodaddyConf{
-		Domains:   []string{fmt.Sprintf("*.%s", domain), domain},
-		APIKey:    accessKey,
-		APISecret: accessSecret,
-		Path:      "",
-		Timeout:   3,
-	}
-	return getGoDaddyCert(client, conf)
-}
-
-func SaveCert(path, filename string, cert *certificate.Resource) {
-	// Store the certificate file locally
-	certsStorage := cmd.NewCertificatesStorageLib(path, filename, true)
-	certsStorage.CreateRootFolder()
-	certsStorage.SaveResource(cert)
-}
--- a/certificate/ecc.go
+++ b/certificate/ecc.go
@@ -1,55 +0,0 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package certificate
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-)
-
-// generateEccKey generates a public and private key pair.(NIST P-256)
-func generateEccKey() (*ecdsa.PrivateKey, error) {
-	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-}
-
-// encodeEccKey Return the input private key object as string type private key
-func encodeEccKey(privateKey *ecdsa.PrivateKey) (string, error) {
-	x509Encoded, err := x509.MarshalECPrivateKey(privateKey)
-	if err != nil {
-		return "", err
-	}
-
-	pemEncoded := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: x509Encoded})
-	return string(pemEncoded), nil
-}
-
-// decodeEccKey Return the entered private key string as a private key object that can be used
-func decodeEccKey(pemEncoded string) (*ecdsa.PrivateKey, error) {
-	block, _ := pem.Decode([]byte(pemEncoded))
-	if block == nil {
-		return nil, fmt.Errorf("invalid PEM-encoded EC private key")
-	}
-	x509Encoded := block.Bytes
-	privateKey, err := x509.ParseECPrivateKey(x509Encoded)
-	if err != nil {
-		return nil, err
-	}
-
-	return privateKey, nil
-}
--- a/certificate/ecc_test.go
+++ b/certificate/ecc_test.go
@@ -1,34 +0,0 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !skipCi
-// +build !skipCi
-
-package certificate
-
-import (
-	"testing"
-
-	"github.com/casdoor/casdoor/util"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestGenerateEccKey(t *testing.T) {
-	eccKey, err := generateEccKey()
-	assert.Nil(t, err)
-	eccKeyStr, err := encodeEccKey(eccKey)
-	assert.Nil(t, err)
-	println(eccKeyStr)
-	util.WriteStringToPath(eccKeyStr, "acme_account.key")
-}
--- a/conf/app.conf
+++ b/conf/app.conf
@@ -1,37 +1,37 @@
-appname = casdoor
-httpport = 8000
-runmode = dev
-copyrequestbody = true
-driverName = postgres
-dataSourceName = "user=casdoor password=casdoor_dev host=localhost port=5434 sslmode=disable dbname=casdoor"
-dbName = casdoor
-tableNamePrefix =
-showSql = false
-redisEndpoint =
-defaultStorageProvider =
-isCloudIntranet = false
-authState = "casdoor"
-socks5Proxy = ""
-verificationCodeTimeout = 10
-initScore = 0
-logPostOnly = true
-isUsernameLowered = false
-origin = "http://localhost:8000"
-originFrontend = "http://localhost:7001"
-staticBaseUrl = "https://cdn.casbin.org"
-isDemoMode = false
-batchSize = 100
-showGithubCorner = false
-forceLanguage = ""
-defaultLanguage = "ru"
-enableErrorMask = false
-enableGzip = true
-ldapServerPort = 389
-ldapsServerPort = 636
-radiusServerPort = 1812
-radiusDefaultOrganization = "built-in"
-radiusSecret = "secret"
-quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
-logConfig = {"adapter":"file", "filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
-initDataNewOnly = false
-initDataFile = "./init_data.json"
+appname = casdoor
+httpport = 8000
+runmode = dev
+copyrequestbody = true
+driverName = mysql
+dataSourceName = root:123456@tcp(localhost:3306)/
+dbName = casdoor
+tableNamePrefix =
+showSql = false
+redisEndpoint =
+defaultStorageProvider =
+isCloudIntranet = false
+authState = "casdoor"
+socks5Proxy = "127.0.0.1:10808"
+verificationCodeTimeout = 10
+initScore = 0
+logPostOnly = true
+isUsernameLowered = false
+origin =
+originFrontend =
+staticBaseUrl = "https://cdn.casbin.org"
+isDemoMode = false
+batchSize = 100
+enableErrorMask = false
+enableGzip = true
+inactiveTimeoutMinutes =
+ldapServerPort = 389
+ldapsCertId = ""
+ldapsServerPort = 636
+radiusServerPort = 1812
+radiusDefaultOrganization = "built-in"
+radiusSecret = "secret"
+quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
+logConfig = {"adapter":"file", "filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
+initDataNewOnly = false
+initDataFile = "./init_data.json"
+frontendBaseDir = "../cc_0"
--- a/conf/app.conf.orig
+++ b/conf/app.conf.orig
@@ -1,43 +0,0 @@
-appname = casdoor
-httpport = 8000
-runmode = dev
-copyrequestbody = true
-driverName = mysql
-dataSourceName = root:123456@tcp(localhost:3306)/
-dbName = casdoor
-tableNamePrefix =
-showSql = false
-redisEndpoint =
-defaultStorageProvider =
-isCloudIntranet = false
-authState = "casdoor"
-socks5Proxy = "127.0.0.1:10808"
-verificationCodeTimeout = 10
-initScore = 0
-logPostOnly = true
-isUsernameLowered = false
-origin =
-originFrontend =
-staticBaseUrl = "https://cdn.casbin.org"
-isDemoMode = false
-batchSize = 100
-showGithubCorner = false
-forceLanguage = ""
-defaultLanguage = "en"
-aiAssistantUrl = "https://ai.casbin.com"
-defaultApplication = "app-built-in"
-maxItemsForFlatMenu = 7
-enableErrorMask = false
-enableGzip = true
-inactiveTimeoutMinutes =
-ldapServerPort = 389
-ldapsCertId = ""
-ldapsServerPort = 636
-radiusServerPort = 1812
-radiusDefaultOrganization = "built-in"
-radiusSecret = "secret"
-quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
-logConfig = {"adapter":"file", "filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
-initDataNewOnly = false
-initDataFile = "./init_data.json"
-frontendBaseDir = "../cc_0"
--- a/conf/app.dev.conf
+++ b/conf/app.dev.conf
@@ -1,37 +0,0 @@
-appname = casdoor
-httpport = 8000
-runmode = dev
-copyrequestbody = true
-driverName = postgres
-dataSourceName = "user=casdoor password=casdoor_dev host=localhost port=5434 sslmode=disable dbname=casdoor"
-dbName = casdoor
-tableNamePrefix =
-showSql = false
-redisEndpoint =
-defaultStorageProvider =
-isCloudIntranet = false
-authState = "casdoor"
-socks5Proxy = ""
-verificationCodeTimeout = 10
-initScore = 0
-logPostOnly = true
-isUsernameLowered = false
-origin = "http://localhost:8000"
-originFrontend = "http://localhost:7001"
-staticBaseUrl = "https://cdn.casbin.org"
-isDemoMode = false
-batchSize = 100
-showGithubCorner = false
-forceLanguage = ""
-defaultLanguage = "ru"
-enableErrorMask = false
-enableGzip = true
-ldapServerPort = 389
-ldapsServerPort = 636
-radiusServerPort = 1812
-radiusDefaultOrganization = "built-in"
-radiusSecret = "secret"
-quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
-logConfig = {"adapter":"file", "filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
-initDataNewOnly = false
-initDataFile = "./init_data.json"
--- a/conf/conf.go
+++ b/conf/conf.go
@@ -15,7 +15,6 @@
 package conf

 import (
-	_ "embed"
 	"fmt"
 	"os"
 	"runtime"
@@ -25,9 +24,6 @@ import (
 	"github.com/beego/beego/v2/server/web"
 )

-//go:embed waf.conf
-var WafConf string
-
 func init() {
 	// this array contains the beego configuration items that may be modified via env
 	presetConfigItems := []string{"httpport", "appname"}
--- a/conf/waf.conf
+++ b/conf/waf.conf
@@ -1,246 +0,0 @@
-# -- Rule engine initialization ----------------------------------------------
-
-# Enable Coraza, attaching it to every transaction. Use detection
-# only to start with, because that minimises the chances of post-installation
-# disruption.
-#
-SecRuleEngine DetectionOnly
-
-
-# -- Request body handling ---------------------------------------------------
-
-# Allow Coraza to access request bodies. If you don't, Coraza
-# won't be able to see any POST parameters, which opens a large security
-# hole for attackers to exploit.
-#
-SecRequestBodyAccess On
-
-# Enable XML request body parser.
-# Initiate XML Processor in case of xml content-type
-#
-SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
-     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
-
-# Enable JSON request body parser.
-# Initiate JSON Processor in case of JSON content-type; change accordingly
-# if your application does not use 'application/json'
-#
-SecRule REQUEST_HEADERS:Content-Type "^application/json" \
-     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
-
-# Sample rule to enable JSON request body parser for more subtypes.
-# Uncomment or adapt this rule if you want to engage the JSON
-# Processor for "+json" subtypes
-#
-#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
-#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
-
-# Maximum request body size we will accept for buffering. If you support
-# file uploads then the value given on the first line has to be as large
-# as the largest file you are willing to accept. The second value refers
-# to the size of data, with files excluded. You want to keep that value as
-# low as practical.
-#
-SecRequestBodyLimit 13107200
-
-SecRequestBodyInMemoryLimit 131072
-
-# SecRequestBodyNoFilesLimit is currently not supported by Coraza
-# SecRequestBodyNoFilesLimit 131072
-
-# What to do if the request body size is above our configured limit.
-# Keep in mind that this setting will automatically be set to ProcessPartial
-# when SecRuleEngine is set to DetectionOnly mode in order to minimize
-# disruptions when initially deploying Coraza.
-#
-SecRequestBodyLimitAction Reject
-
-# Verify that we've correctly processed the request body.
-# As a rule of thumb, when failing to process a request body
-# you should reject the request (when deployed in blocking mode)
-# or log a high-severity alert (when deployed in detection-only mode).
-#
-SecRule REQBODY_ERROR "!@eq 0" \
-"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
-
-# By default be strict with what we accept in the multipart/form-data
-# request body. If the rule below proves to be too strict for your
-# environment consider changing it to detection-only. You are encouraged
-# _not_ to remove it altogether.
-#
-SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:400, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
-# Did we see anything that might be a boundary?
-#
-# Here is a short description about the Coraza Multipart parser: the
-# parser returns with value 0, if all "boundary-like" line matches with
-# the boundary string which given in MIME header. In any other cases it returns
-# with different value, eg. 1 or 2.
-#
-# The RFC 1341 descript the multipart content-type and its syntax must contains
-# only three mandatory lines (above the content):
-# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
-# * --BOUNDARY_STRING
-# * --BOUNDARY_STRING--
-#
-# First line indicates, that this is a multipart content, second shows that
-# here starts a part of the multipart content, third shows the end of content.
-#
-# If there are any other lines, which starts with "--", then it should be
-# another boundary id - or not.
-#
-# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
-#
-# If multipart content contains the three necessary lines with correct order, but
-# there are one or more lines with "--", then parser returns with value 2 (non-zero).
-#
-# If some of the necessary lines (usually the start or end) misses, or the order
-# is wrong, then parser returns with value 1 (also a non-zero).
-#
-# You can choose, which one is what you need. The example below contains the
-# 'strict' mode, which means if there are any lines with start of "--", then
-# Coraza blocked the content. But the next, commented example contains
-# the 'permissive' mode, then you check only if the necessary lines exists in
-# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
-# or other text files, which contains eg. HTTP headers.
-#
-# The difference is only the operator - in strict mode (first) the content blocked
-# in case of any non-zero value. In permissive mode (second, commented) the
-# content blocked only if the value is explicit 1. If it 0 or 2, the content will
-# allowed.
-#
-
-#
-# See #1747 and #1924 for further information on the possible values for
-# MULTIPART_UNMATCHED_BOUNDARY.
-#
-SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
-    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# Some internal errors will set flags in TX and we will need to look for these.
-# All of these are prefixed with "MSC_".  The following flags currently exist:
-#
-# COR_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-#
-SecRule TX:/^COR_/ "!@streq 0" \
-        "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
-
-
-# -- Response body handling --------------------------------------------------
-
-# Allow Coraza to access response bodies. 
-# You should have this directive enabled in order to identify errors
-# and data leakage issues.
-# 
-# Do keep in mind that enabling this directive does increases both
-# memory consumption and response latency.
-#
-SecResponseBodyAccess On
-
-# Which response MIME types do you want to inspect? You should adjust the
-# configuration below to catch documents but avoid static files
-# (e.g., images and archives).
-#
-SecResponseBodyMimeType text/plain text/html text/xml
-
-# Buffer response bodies of up to 512 KB in length.
-SecResponseBodyLimit 524288
-
-# What happens when we encounter a response body larger than the configured
-# limit? By default, we process what we have and let the rest through.
-# That's somewhat less secure, but does not break any legitimate pages.
-#
-SecResponseBodyLimitAction ProcessPartial
-
-
-# -- Filesystem configuration ------------------------------------------------
-
-# The location where Coraza will keep its persistent data.  This default setting 
-# is chosen due to all systems have /tmp available however, it
-# too should be updated to a place that other users can't access.
-#
-SecDataDir /tmp/
-
-
-# -- File uploads handling configuration -------------------------------------
-
-# The location where Coraza stores intercepted uploaded files. This
-# location must be private to Coraza. You don't want other users on
-# the server to access the files, do you?
-#
-#SecUploadDir /opt/coraza/var/upload/
-
-# By default, only keep the files that were determined to be unusual
-# in some way (by an external inspection script). For this to work you
-# will also need at least one file inspection rule.
-#
-#SecUploadKeepFiles RelevantOnly
-
-# Uploaded files are by default created with permissions that do not allow
-# any other user to access them. You may need to relax that if you want to
-# interface Coraza to an external program (e.g., an anti-virus).
-#
-#SecUploadFileMode 0600
-
-
-# -- Debug log configuration -------------------------------------------------
-
-# Default debug log path
-# Debug levels:
-# 0:   No logging (least verbose)
-# 1:   Error
-# 2:   Warn
-# 3:   Info
-# 4-8: Debug
-# 9:   Trace (most verbose)
-# Most logging has not been implemented because it will be replaced with
-# advanced rule profiling options
-#SecDebugLog /opt/coraza/var/log/debug.log
-#SecDebugLogLevel 3
-
-
-# -- Audit log configuration -------------------------------------------------
-
-# Log the transactions that are marked by a rule, as well as those that
-# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
-# level response status codes).
-#
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"
-
-# Log everything we know about a transaction.
-SecAuditLogParts ABIJDEFHZ
-
-# Use a single file for logging. This is much easier to look at, but
-# assumes that you will use the audit log only occasionally.
-#
-SecAuditLogType Serial
-
-
-# -- Miscellaneous -----------------------------------------------------------
-
-# Use the most commonly used application/x-www-form-urlencoded parameter
-# separator. There's probably only one application somewhere that uses
-# something else so don't expect to change this value.
-#
-SecArgumentSeparator &
-
-# Settle on version 0 (zero) cookies, as that is what most applications
-# use. Using an incorrect cookie version may open your installation to
-# evasion attacks (against the rules that examine named cookies).
-#
-SecCookieFormat 0
--- a/conf/web_config.go
+++ b/conf/web_config.go
@@ -1,49 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package conf
-
-type WebConfig struct {
-	ShowGithubCorner    bool   `json:"showGithubCorner"`
-	ForceLanguage       string `json:"forceLanguage"`
-	DefaultLanguage     string `json:"defaultLanguage"`
-	IsDemoMode          bool   `json:"isDemoMode"`
-	StaticBaseUrl       string `json:"staticBaseUrl"`
-	AiAssistantUrl      string `json:"aiAssistantUrl"`
-	DefaultApplication  string `json:"defaultApplication"`
-	MaxItemsForFlatMenu int64  `json:"maxItemsForFlatMenu"`
-}
-
-func GetWebConfig() *WebConfig {
-	config := &WebConfig{}
-
-	config.ShowGithubCorner = GetConfigBool("showGithubCorner")
-	config.ForceLanguage = GetLanguage(GetConfigString("forceLanguage"))
-	config.DefaultLanguage = GetLanguage(GetConfigString("defaultLanguage"))
-	config.IsDemoMode = IsDemoMode()
-	config.StaticBaseUrl = GetConfigString("staticBaseUrl")
-	config.AiAssistantUrl = GetConfigString("aiAssistantUrl")
-	config.DefaultApplication = GetConfigString("defaultApplication")
-	if config.DefaultApplication == "" {
-		config.DefaultApplication = "app-built-in"
-	}
-
-	maxItemsForFlatMenu, err := GetConfigInt64("maxItemsForFlatMenu")
-	if err != nil {
-		maxItemsForFlatMenu = 7
-	}
-	config.MaxItemsForFlatMenu = maxItemsForFlatMenu
-
-	return config
-}
--- a/controllers/account.go
+++ b/controllers/account.go
@@ -21,7 +21,6 @@ import (
 	"net/http"
 	"strings"

-	"github.com/beego/beego/v2/core/logs"
 	"github.com/casdoor/casdoor/form"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -324,17 +323,6 @@ func (c *ApiController) Signup() {

 	// If OAuth parameters are present, generate OAuth code and return it
 	if clientId != "" && responseType == ResponseTypeCode {
-		consentRequired, err := object.CheckConsentRequired(user, application, scope)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		if consentRequired {
-			c.ResponseOk(map[string]bool{"required": true})
-			return
-		}
-
 		code, err := object.GetOAuthCode(userId, clientId, "", "password", responseType, redirectUri, scope, state, nonce, codeChallenge, "", c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
@@ -374,21 +362,22 @@ func (c *ApiController) Logout() {
 			return
 		}

-		// Retrieve application and token before clearing the session
-		application := c.GetSessionApplication()
-		sessionToken := c.GetSessionToken()
-
 		c.ClearUserSession()
 		c.ClearTokenSession()
-
-		if err := c.deleteUserSession(user); err != nil {
+		owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID(context.Background()))
+		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		// Propagate logout to external Custom OAuth2 providers
-		object.InvokeCustomProviderLogout(application, sessionToken)
+		util.LogInfo(c.Ctx, "API: [%s] logged out", user)

+		application := c.GetSessionApplication()
 		if application == nil || application.Name == "app-built-in" || application.HomepageUrl == "" {
 			c.ResponseOk(user)
 			return
@@ -416,7 +405,7 @@ func (c *ApiController) Logout() {
 			return
 		}
 		if application == nil {
-			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), token.Application))
+			c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist")), token.Application)
 			return
 		}

@@ -426,15 +415,20 @@ func (c *ApiController) Logout() {

 		c.ClearUserSession()
 		c.ClearTokenSession()
-
 		// TODO https://github.com/casdoor/casdoor/pull/1494#discussion_r1095675265
-		if err := c.deleteUserSession(user); err != nil {
+		owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
+		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}

-		// Propagate logout to external Custom OAuth2 providers
-		object.InvokeCustomProviderLogout(application, accessToken)
+		_, err = object.DeleteSessionId(util.GetSessionId(owner, username, object.CasdoorApplication), c.Ctx.Input.CruSession.SessionID(context.Background()))
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+
+		util.LogInfo(c.Ctx, "API: [%s] logged out", user)

 		if redirectUri == "" {
 			c.ResponseOk()
@@ -478,10 +472,6 @@ func (c *ApiController) SsoLogout() {
 	logoutAll := c.Ctx.Input.Query("logoutAll")
 	logoutAllSessions := logoutAll == "" || logoutAll == "true" || logoutAll == "1"

-	// Retrieve application and token before clearing the session
-	ssoApplication := c.GetSessionApplication()
-	ssoSessionToken := c.GetSessionToken()
-
 	c.ClearUserSession()
 	c.ClearTokenSession()
 	owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
@@ -561,9 +551,6 @@ func (c *ApiController) SsoLogout() {
 		}
 	}

-	// Propagate logout to external Custom OAuth2 providers
-	object.InvokeCustomProviderLogout(ssoApplication, ssoSessionToken)
-
 	c.ResponseOk()
 }

@@ -575,11 +562,6 @@ func (c *ApiController) SsoLogout() {
 // @router /get-account [get]
 func (c *ApiController) GetAccount() {
 	var err error
-	err = util.AppendWebConfigCookie(c.Ctx)
-	if err != nil {
-		logs.Error("AppendWebConfigCookie failed in GetAccount, error: %s", err)
-	}
-
 	user, ok := c.RequireSignedInUser()
 	if !ok {
 		return
@@ -784,24 +766,3 @@ func (c *ApiController) GetCaptcha() {

 	c.ResponseOk(Captcha{Type: "none"})
 }
-
-func (c *ApiController) deleteUserSession(user string) error {
-	owner, username, err := util.GetOwnerAndNameFromIdWithError(user)
-	if err != nil {
-		return err
-	}
-
-	// Casdoor session ID derived from owner, username, and application
-	sessionId := util.GetSessionId(owner, username, object.CasdoorApplication)
-
-	// Explicitly get the Beego session ID from the context
-	beegoSessionId := c.Ctx.Input.CruSession.SessionID(context.Background())
-
-	_, err = object.DeleteSessionId(sessionId, beegoSessionId)
-	if err != nil {
-		return err
-	}
-
-	util.LogInfo(c.Ctx, "API: [%s] logged out", user)
-	return nil
-}
--- a/controllers/agent.go
+++ b/controllers/agent.go
@@ -1,149 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/v2/server/web/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetAgents
-// @Title GetAgents
-// @Tag Agent API
-// @Description get agents
-// @Param   owner     query    string  true        "The owner of agents"
-// @Success 200 {array} object.Agent The Response object
-// @router /get-agents [get]
-func (c *ApiController) GetAgents() {
-	owner := c.Ctx.Input.Query("owner")
-	if owner == "admin" {
-		owner = ""
-	}
-
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	field := c.Ctx.Input.Query("field")
-	value := c.Ctx.Input.Query("value")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit == "" || page == "" {
-		agents, err := object.GetAgents(owner)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		c.ResponseOk(agents)
-		return
-	}
-
-	limitInt := util.ParseInt(limit)
-	count, err := object.GetAgentCount(owner, field, value)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	paginator := pagination.SetPaginator(c.Ctx, limitInt, count)
-	agents, err := object.GetPaginationAgents(owner, paginator.Offset(), limitInt, field, value, sortField, sortOrder)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(agents, paginator.Nums())
-}
-
-// GetAgent
-// @Title GetAgent
-// @Tag Agent API
-// @Description get agent
-// @Param   id     query    string  true        "The id ( owner/name ) of the agent"
-// @Success 200 {object} object.Agent The Response object
-// @router /get-agent [get]
-func (c *ApiController) GetAgent() {
-	id := c.Ctx.Input.Query("id")
-
-	agent, err := object.GetAgent(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(agent)
-}
-
-// UpdateAgent
-// @Title UpdateAgent
-// @Tag Agent API
-// @Description update agent
-// @Param   id     query    string  true        "The id ( owner/name ) of the agent"
-// @Param   body    body   object.Agent  true        "The details of the agent"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-agent [post]
-func (c *ApiController) UpdateAgent() {
-	id := c.Ctx.Input.Query("id")
-
-	var agent object.Agent
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &agent)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateAgent(id, &agent))
-	c.ServeJSON()
-}
-
-// AddAgent
-// @Title AddAgent
-// @Tag Agent API
-// @Description add agent
-// @Param   body    body   object.Agent  true        "The details of the agent"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-agent [post]
-func (c *ApiController) AddAgent() {
-	var agent object.Agent
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &agent)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddAgent(&agent))
-	c.ServeJSON()
-}
-
-// DeleteAgent
-// @Title DeleteAgent
-// @Tag Agent API
-// @Description delete agent
-// @Param   body    body   object.Agent  true        "The details of the agent"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-agent [post]
-func (c *ApiController) DeleteAgent() {
-	var agent object.Agent
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &agent)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteAgent(&agent))
-	c.ServeJSON()
-}
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -37,6 +37,7 @@ import (
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/proxy"
 	"github.com/casdoor/casdoor/util"
+	"github.com/google/uuid"
 	"golang.org/x/oauth2"
 )

@@ -166,19 +167,6 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			c.ResponseError(c.T("auth:Challenge method should be S256"))
 			return
 		}
-
-		consentRequired, err := object.CheckConsentRequired(user, application, scope)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		if consentRequired {
-			resp = &Response{Status: "ok", Data: map[string]bool{"required": true}}
-			resp.Data3 = user.NeedUpdatePassword
-			return
-		}
-
 		code, err := object.GetOAuthCode(userId, clientId, form.Provider, form.SigninMethod, responseType, redirectUri, scope, state, nonce, codeChallenge, resource, c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
@@ -197,15 +185,10 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		} else {
 			scope := c.Ctx.Input.Query("scope")
 			nonce := c.Ctx.Input.Query("nonce")
-			expandedScope, valid := object.IsScopeValidAndExpand(scope, application)
-			if !valid {
-				resp = &Response{Status: "error", Msg: "error: invalid_scope", Data: ""}
-			} else {
-				token, _ := object.GetTokenByUser(application, user, expandedScope, nonce, c.Ctx.Request.Host)
-				resp = tokenToResponse(token)
+			token, _ := object.GetTokenByUser(application, user, scope, nonce, c.Ctx.Request.Host)
+			resp = tokenToResponse(token)

-				resp.Data3 = user.NeedUpdatePassword
-			}
+			resp.Data3 = user.NeedUpdatePassword
 		}
 	} else if form.Type == ResponseTypeDevice {
 		authCache, ok := object.DeviceAuthMap.LoadAndDelete(form.UserCode)
@@ -455,55 +438,6 @@ func checkMfaEnable(c *ApiController, user *object.User, organization *object.Or
 	return false
 }

-func getExistUserByBindingRule(providerItem *object.ProviderItem, application *object.Application, userInfo *idp.UserInfo) (user *object.User, err error) {
-	if providerItem.BindingRule == nil {
-		providerItem.BindingRule = &[]string{"Email", "Phone", "Name"}
-	}
-	if len(*providerItem.BindingRule) == 0 {
-		return nil, nil
-	}
-
-	for _, rule := range *providerItem.BindingRule {
-		// Find existing user with Email
-		if rule == "Email" {
-			user, err = object.GetUserByField(application.Organization, "email", userInfo.Email)
-			if err != nil {
-				return nil, err
-			}
-			if user != nil {
-				return user, nil
-			}
-		}
-
-		// Find existing user with phone number
-		if rule == "Phone" {
-			user, err = object.GetUserByField(application.Organization, "phone", userInfo.Phone)
-			if err != nil {
-				return nil, err
-			}
-			if user != nil {
-				return user, nil
-			}
-		}
-
-		// Try to find existing user by username (case-insensitive)
-		// This allows OAuth providers (e.g., Wecom) to automatically associate with
-		// existing users when usernames match, particularly useful for enterprise
-		// scenarios where signup is disabled and users already exist in Casdoor
-		if rule == "Name" {
-			user, err = object.GetUserByFields(application.Organization, userInfo.Username)
-			if err != nil {
-				return nil, err
-			}
-			if user != nil {
-				return user, nil
-			}
-		}
-	}
-
-	return user, nil
-}
-
 // Login ...
 // @Title Login
 // @Tag Login API
@@ -805,11 +739,7 @@ func (c *ApiController) Login() {
 			}
 		} else if provider.Category == "OAuth" || provider.Category == "Web3" {
 			// OAuth
-			idpInfo, err := object.FromProviderToIdpInfo(c.Ctx, provider)
-			if err != nil {
-				c.ResponseError(err.Error())
-				return
-			}
+			idpInfo := object.FromProviderToIdpInfo(c.Ctx, provider)
 			idpInfo.CodeVerifier = authForm.CodeVerifier
 			var idProvider idp.IdProvider
 			idProvider, err = idp.GetIdProvider(idpInfo, authForm.RedirectUri)
@@ -855,7 +785,7 @@ func (c *ApiController) Login() {
 					return
 				}
 				if !reg.MatchString(userInfo.Email) {
-					c.ResponseError(c.T("check:Email is invalid"))
+					c.ResponseError(fmt.Sprintf(c.T("check:Email is invalid")))
 				}
 			}
 		}
@@ -895,10 +825,36 @@ func (c *ApiController) Login() {
 				c.Ctx.Input.SetParam("recordUserId", user.GetId())
 			} else if provider.Category == "OAuth" || provider.Category == "Web3" || provider.Category == "SAML" {
 				// Sign up via OAuth
-				user, err = getExistUserByBindingRule(providerItem, application, userInfo)
-				if err != nil {
-					c.ResponseError(err.Error())
-					return
+				if application.EnableLinkWithEmail {
+					if userInfo.Email != "" {
+						// Find existing user with Email
+						user, err = object.GetUserByField(application.Organization, "email", userInfo.Email)
+						if err != nil {
+							c.ResponseError(err.Error())
+							return
+						}
+					}
+
+					if user == nil && userInfo.Phone != "" {
+						// Find existing user with phone number
+						user, err = object.GetUserByField(application.Organization, "phone", userInfo.Phone)
+						if err != nil {
+							c.ResponseError(err.Error())
+							return
+						}
+					}
+				}
+
+				// Try to find existing user by username (case-insensitive)
+				// This allows OAuth providers (e.g., Wecom) to automatically associate with
+				// existing users when usernames match, particularly useful for enterprise
+				// scenarios where signup is disabled and users already exist in Casdoor
+				if user == nil && userInfo.Username != "" {
+					user, err = object.GetUserByFields(application.Organization, userInfo.Username)
+					if err != nil {
+						c.ResponseError(err.Error())
+						return
+					}
 				}

 				if user == nil {
@@ -937,7 +893,14 @@ func (c *ApiController) Login() {
 					}

 					if tmpUser != nil {
-						uidStr := strings.Split(util.GenerateUUID(), "-")
+						var uid uuid.UUID
+						uid, err = uuid.NewRandom()
+						if err != nil {
+							c.ResponseError(err.Error())
+							return
+						}
+
+						uidStr := strings.Split(uid.String(), "-")
 						userInfo.Username = fmt.Sprintf("%s_%s", userInfo.Username, uidStr[1])
 					}

@@ -987,13 +950,11 @@ func (c *ApiController) Login() {
 						RegisterSource:    fmt.Sprintf("%s/%s", application.Organization, application.Name),
 					}

-					// Set group from invitation code if available, otherwise use provider's signup group or application's default group
+					// Set group from invitation code if available, otherwise use provider's signup group
 					if invitation != nil && invitation.SignupGroup != "" {
 						user.Groups = []string{invitation.SignupGroup}
 					} else if providerItem.SignupGroup != "" {
 						user.Groups = []string{providerItem.SignupGroup}
-					} else if application.DefaultGroup != "" {
-						user.Groups = []string{application.DefaultGroup}
 					}

 					var affected bool
@@ -1406,7 +1367,7 @@ func (c *ApiController) Callback() {
 	code := c.GetString("code")
 	state := c.GetString("state")

-	frontendCallbackUrl := fmt.Sprintf("/callback?code=%s&state=%s", url.QueryEscape(code), url.QueryEscape(state))
+	frontendCallbackUrl := fmt.Sprintf("/callback?code=%s&state=%s", code, state)
 	c.Ctx.Redirect(http.StatusFound, frontendCallbackUrl)
 }

--- a/controllers/base.go
+++ b/controllers/base.go
@@ -21,7 +21,6 @@ import (

 	"github.com/beego/beego/v2/core/logs"
 	"github.com/beego/beego/v2/server/web"
-	"github.com/casdoor/casdoor/mcpself"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -292,14 +291,3 @@ func (c *ApiController) Finish() {
 	}
 	c.Controller.Finish()
 }
-
-func (c *ApiController) McpResponseError(id interface{}, code int, message string, data interface{}) {
-	resp := mcpself.BuildMcpResponse(id, nil, &mcpself.McpError{
-		Code:    code,
-		Message: message,
-		Data:    data,
-	})
-	c.Ctx.Output.Header("Content-Type", "application/json")
-	c.Data["json"] = resp
-	c.ServeJSON()
-}
--- a/controllers/casbin_api.go
+++ b/controllers/casbin_api.go
@@ -57,9 +57,7 @@ func (c *ApiController) Enforce() {
 		return
 	}

-	// Accept both plain string arrays (["alice","data1","read"]) and mixed arrays
-	// with JSON objects ([{"DivisionGuid":"x"}, "resource", "read"]) for ABAC support.
-	var request []interface{}
+	var request []string
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &request)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -76,8 +74,8 @@ func (c *ApiController) Enforce() {
 		res := []bool{}
 		keyRes := []string{}

-		// Convert elements: JSON-object strings and maps become anonymous structs for ABAC.
-		interfaceRequest := util.InterfaceToEnforceArray(request)
+		// type transformation
+		interfaceRequest := util.StringToInterfaceArray(request)

 		enforceResult, err := enforcer.Enforce(interfaceRequest...)
 		if err != nil {
@@ -199,8 +197,7 @@ func (c *ApiController) BatchEnforce() {
 		return
 	}

-	// Accept both string arrays and mixed arrays with JSON objects for ABAC support.
-	var requests [][]interface{}
+	var requests [][]string
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &requests)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -217,8 +214,8 @@ func (c *ApiController) BatchEnforce() {
 		res := [][]bool{}
 		keyRes := []string{}

-		// Convert elements: JSON-object strings and maps become anonymous structs for ABAC.
-		interfaceRequests := util.InterfaceToEnforceArray2d(requests)
+		// type transformation
+		interfaceRequests := util.StringToInterfaceArray2d(requests)

 		enforceResult, err := enforcer.BatchEnforce(interfaceRequests)
 		if err != nil {
--- a/controllers/casbin_cli_api.go
+++ b/controllers/casbin_cli_api.go
@@ -26,8 +26,6 @@ import (
 	"strings"
 	"sync"
 	"time"
-
-	"github.com/casdoor/casdoor/conf"
 )

 type CLIVersionInfo struct {
@@ -166,11 +164,6 @@ func processArgsToTempFiles(args []string) ([]string, []string, error) {
 // @Success 200 {object} controllers.Response The Response object
 // @router /run-casbin-command [get]
 func (c *ApiController) RunCasbinCommand() {
-	if !conf.IsDemoMode() && !c.IsAdmin() {
-		c.ResponseError(c.T("auth:Unauthorized operation"))
-		return
-	}
-
 	if err := validateIdentifier(c); err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/cert.go
+++ b/controllers/cert.go
@@ -183,40 +183,3 @@ func (c *ApiController) DeleteCert() {
 	c.Data["json"] = wrapActionResponse(object.DeleteCert(&cert))
 	c.ServeJSON()
 }
-
-// UpdateCertDomainExpire
-// @Title UpdateCertDomainExpire
-// @Tag Cert API
-// @Description update cert domain expire time
-// @Param   id     query   string  true        "The ID of the cert"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-cert-domain-expire [post]
-func (c *ApiController) UpdateCertDomainExpire() {
-	if _, ok := c.RequireSignedIn(); !ok {
-		return
-	}
-
-	id := c.Ctx.Input.Query("id")
-	cert, err := object.GetCert(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	domainExpireTime, err := object.GetDomainExpireTime(cert.Name)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if domainExpireTime == "" {
-		c.ResponseError("Failed to determine domain expiration time for domain " + cert.Name +
-			". Please verify that the domain is valid, publicly resolvable, and has a retrievable expiration date, " +
-			"or update the domain expiration time manually.")
-		return
-	}
-	cert.DomainExpireTime = domainExpireTime
-
-	c.Data["json"] = wrapActionResponse(object.UpdateCert(id, cert))
-	c.ServeJSON()
-}
--- a/controllers/cli_downloader.go
+++ b/controllers/cli_downloader.go
@@ -16,7 +16,6 @@ import (
 	"time"

 	"github.com/beego/beego/v2/server/web"
-	"github.com/casdoor/casdoor/conf"
 	"github.com/casdoor/casdoor/proxy"
 	"github.com/casdoor/casdoor/util"
 )
@@ -447,8 +446,8 @@ func downloadCLI() error {
 // @Success 200 {object} controllers.Response The Response object
 // @router /refresh-engines [post]
 func (c *ApiController) RefreshEngines() {
-	if !conf.IsDemoMode() && !c.IsAdmin() {
-		c.ResponseError(c.T("auth:Unauthorized operation"))
+	if !web.AppConfig.DefaultBool("isDemoMode", false) {
+		c.ResponseError("refresh engines is only available in demo mode")
 		return
 	}

--- a/controllers/consent.go
+++ b/controllers/consent.go
@@ -1,226 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/casdoor/casdoor/object"
-)
-
-// RevokeConsent revokes a consent record
-// @Title RevokeConsent
-// @Tag Consent API
-// @Description revoke a consent record
-// @Param body body object.ConsentRecord true "The consent object"
-// @Success 200 {object} controllers.Response The Response object
-// @router /revoke-consent [post]
-func (c *ApiController) RevokeConsent() {
-	userId := c.GetSessionUsername()
-	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
-	}
-
-	var consent object.ConsentRecord
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &consent)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	// Validate that consent.Application is not empty
-	if consent.Application == "" {
-		c.ResponseError(c.T("general:Application cannot be empty"))
-		return
-	}
-
-	// Validate that GrantedScopes is not empty when scope-specific revoke is requested
-	if len(consent.GrantedScopes) == 0 {
-		c.ResponseError(c.T("general:Granted scopes cannot be empty"))
-		return
-	}
-
-	userObj, err := object.GetUser(userId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if userObj == nil {
-		c.ResponseError(c.T("general:The user doesn't exist"))
-		return
-	}
-
-	newScopes := []object.ConsentRecord{}
-	for _, record := range userObj.ApplicationScopes {
-		if record.Application != consent.Application {
-			// skip other applications
-			newScopes = append(newScopes, record)
-			continue
-		}
-		// revoke specified scopes
-		revokeSet := make(map[string]bool)
-		for _, s := range consent.GrantedScopes {
-			revokeSet[s] = true
-		}
-		remaining := []string{}
-		for _, s := range record.GrantedScopes {
-			if !revokeSet[s] {
-				remaining = append(remaining, s)
-			}
-		}
-		if len(remaining) > 0 {
-			// still have remaining scopes, keep the record and update
-			record.GrantedScopes = remaining
-			newScopes = append(newScopes, record)
-		}
-		// otherwise the application authorization is revoked, delete the whole record
-	}
-	userObj.ApplicationScopes = newScopes
-	success, err := object.UpdateUser(userObj.GetId(), userObj, nil, false)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.ResponseOk(success)
-}
-
-// GrantConsent grants consent for an OAuth application and returns authorization code
-// @Title GrantConsent
-// @Tag Consent API
-// @Description grant consent for an OAuth application and get authorization code
-// @Param body body object.ConsentRecord true "The consent object with OAuth parameters"
-// @Success 200 {object} controllers.Response The Response object
-// @router /grant-consent [post]
-func (c *ApiController) GrantConsent() {
-	userId := c.GetSessionUsername()
-	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
-	}
-
-	var request struct {
-		Application  string   `json:"application"`
-		Scopes       []string `json:"grantedScopes"`
-		ClientId     string   `json:"clientId"`
-		Provider     string   `json:"provider"`
-		SigninMethod string   `json:"signinMethod"`
-		ResponseType string   `json:"responseType"`
-		RedirectUri  string   `json:"redirectUri"`
-		Scope        string   `json:"scope"`
-		State        string   `json:"state"`
-		Nonce        string   `json:"nonce"`
-		Challenge    string   `json:"challenge"`
-		Resource     string   `json:"resource"`
-	}
-
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &request)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	// Validate application by clientId
-	application, err := object.GetApplicationByClientId(request.ClientId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if application == nil {
-		c.ResponseError(c.T("general:Invalid client_id"))
-		return
-	}
-
-	// Verify that request.Application matches the application's actual ID
-	if request.Application != application.GetId() {
-		c.ResponseError(c.T("general:Invalid application"))
-		return
-	}
-
-	// Update user's ApplicationScopes
-	userObj, err := object.GetUser(userId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if userObj == nil {
-		c.ResponseError(c.T("general:User not found"))
-		return
-	}
-
-	appId := application.GetId()
-	found := false
-	// Insert new scope into existing applicationScopes
-	for i, record := range userObj.ApplicationScopes {
-		if record.Application == appId {
-			existing := make(map[string]bool)
-			for _, s := range userObj.ApplicationScopes[i].GrantedScopes {
-				existing[s] = true
-			}
-			for _, s := range request.Scopes {
-				if !existing[s] {
-					userObj.ApplicationScopes[i].GrantedScopes = append(userObj.ApplicationScopes[i].GrantedScopes, s)
-					existing[s] = true
-				}
-			}
-			found = true
-			break
-		}
-	}
-	// create a new applicationScopes if not found
-	if !found {
-		uniqueScopes := []string{}
-		existing := make(map[string]bool)
-		for _, s := range request.Scopes {
-			if !existing[s] {
-				uniqueScopes = append(uniqueScopes, s)
-				existing[s] = true
-			}
-		}
-		userObj.ApplicationScopes = append(userObj.ApplicationScopes, object.ConsentRecord{
-			Application:   appId,
-			GrantedScopes: uniqueScopes,
-		})
-	}
-
-	_, err = object.UpdateUser(userObj.GetId(), userObj, []string{"application_scopes"}, false)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	// Now get the OAuth code
-	code, err := object.GetOAuthCode(
-		userId,
-		request.ClientId,
-		request.Provider,
-		request.SigninMethod,
-		request.ResponseType,
-		request.RedirectUri,
-		request.Scope,
-		request.State,
-		request.Nonce,
-		request.Challenge,
-		request.Resource,
-		c.Ctx.Request.Host,
-		c.GetAcceptLanguage(),
-	)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(code.Code)
-}
--- a/controllers/entry.go
+++ b/controllers/entry.go
@@ -1,168 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/v2/server/web/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetEntries
-// @Title GetEntries
-// @Tag Entry API
-// @Description get entries
-// @Param   owner     query    string  true        "The owner of entries"
-// @Success 200 {array} object.Entry The Response object
-// @router /get-entries [get]
-func (c *ApiController) GetEntries() {
-	owner := c.Ctx.Input.Query("owner")
-	if owner == "admin" {
-		owner = ""
-	}
-
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	field := c.Ctx.Input.Query("field")
-	value := c.Ctx.Input.Query("value")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit == "" || page == "" {
-		entries, err := object.GetEntries(owner)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		c.ResponseOk(entries)
-		return
-	}
-
-	limitInt := util.ParseInt(limit)
-	count, err := object.GetEntryCount(owner, field, value)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	paginator := pagination.SetPaginator(c.Ctx, limitInt, count)
-	entries, err := object.GetPaginationEntries(owner, paginator.Offset(), limitInt, field, value, sortField, sortOrder)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(entries, paginator.Nums())
-}
-
-// GetEntry
-// @Title GetEntry
-// @Tag Entry API
-// @Description get entry
-// @Param   id     query    string  true        "The id ( owner/name ) of the entry"
-// @Success 200 {object} object.Entry The Response object
-// @router /get-entry [get]
-func (c *ApiController) GetEntry() {
-	id := c.Ctx.Input.Query("id")
-
-	entry, err := object.GetEntry(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(entry)
-}
-
-// GetOpenClawSessionGraph
-// @Title GetOpenClawSessionGraph
-// @Tag Entry API
-// @Description get OpenClaw session graph
-// @Param   id     query    string  true        "The id ( owner/name ) of the entry"
-// @Success 200 {object} object.OpenClawSessionGraph The Response object
-// @router /get-openclaw-session-graph [get]
-func (c *ApiController) GetOpenClawSessionGraph() {
-	id := c.Ctx.Input.Query("id")
-
-	graph, err := object.GetOpenClawSessionGraph(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(graph)
-}
-
-// UpdateEntry
-// @Title UpdateEntry
-// @Tag Entry API
-// @Description update entry
-// @Param   id     query    string  true        "The id ( owner/name ) of the entry"
-// @Param   body    body   object.Entry  true        "The details of the entry"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-entry [post]
-func (c *ApiController) UpdateEntry() {
-	id := c.Ctx.Input.Query("id")
-
-	var entry object.Entry
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &entry)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateEntry(id, &entry))
-	c.ServeJSON()
-}
-
-// AddEntry
-// @Title AddEntry
-// @Tag Entry API
-// @Description add entry
-// @Param   body    body   object.Entry  true        "The details of the entry"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-entry [post]
-func (c *ApiController) AddEntry() {
-	var entry object.Entry
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &entry)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddEntry(&entry))
-	c.ServeJSON()
-}
-
-// DeleteEntry
-// @Title DeleteEntry
-// @Tag Entry API
-// @Description delete entry
-// @Param   body    body   object.Entry  true        "The details of the entry"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-entry [post]
-func (c *ApiController) DeleteEntry() {
-	var entry object.Entry
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &entry)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteEntry(&entry))
-	c.ServeJSON()
-}
--- a/controllers/entry_opentelemetry.go
+++ b/controllers/entry_opentelemetry.go
@@ -1,148 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	collogspb "go.opentelemetry.io/proto/otlp/collector/logs/v1"
-	colmetricspb "go.opentelemetry.io/proto/otlp/collector/metrics/v1"
-	coltracepb "go.opentelemetry.io/proto/otlp/collector/trace/v1"
-	"google.golang.org/protobuf/encoding/protojson"
-	"google.golang.org/protobuf/proto"
-
-	"github.com/casdoor/casdoor/util"
-)
-
-// @Title AddOtlpTrace
-// @Tag OTLP API
-// @Description receive otlp trace protobuf
-// @Success 200 {object} string
-// @router /api/v1/traces [post]
-func (c *ApiController) AddOtlpTrace() {
-	body := readProtobufBody(c.Ctx)
-	if body == nil {
-		return
-	}
-	provider, status, err := resolveOpenClawProvider(c.Ctx)
-	if err != nil {
-		responseOtlpError(c.Ctx, status, body, "%s", err.Error())
-		return
-	}
-
-	var req coltracepb.ExportTraceServiceRequest
-	if err := proto.Unmarshal(body, &req); err != nil {
-		responseOtlpError(c.Ctx, 400, body, "bad protobuf: %v", err)
-		return
-	}
-
-	message, err := protojson.MarshalOptions{Multiline: true, Indent: "  "}.Marshal(&req)
-	if err != nil {
-		responseOtlpError(c.Ctx, 500, body, "marshal trace failed: %v", err)
-		return
-	}
-
-	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
-	userAgent := c.Ctx.Request.Header.Get("User-Agent")
-	if err := provider.AddTrace(message, clientIp, userAgent); err != nil {
-		responseOtlpError(c.Ctx, 500, body, "save trace failed: %v", err)
-		return
-	}
-
-	resp, _ := proto.Marshal(&coltracepb.ExportTraceServiceResponse{})
-	c.Ctx.Output.Header("Content-Type", "application/x-protobuf")
-	c.Ctx.Output.SetStatus(200)
-	c.Ctx.Output.Body(resp)
-}
-
-// @Title AddOtlpMetrics
-// @Tag OTLP API
-// @Description receive otlp metrics protobuf
-// @Success 200 {object} string
-// @router /api/v1/metrics [post]
-func (c *ApiController) AddOtlpMetrics() {
-	body := readProtobufBody(c.Ctx)
-	if body == nil {
-		return
-	}
-	provider, status, err := resolveOpenClawProvider(c.Ctx)
-	if err != nil {
-		responseOtlpError(c.Ctx, status, body, "%s", err.Error())
-		return
-	}
-
-	var req colmetricspb.ExportMetricsServiceRequest
-	if err := proto.Unmarshal(body, &req); err != nil {
-		responseOtlpError(c.Ctx, 400, body, "bad protobuf: %v", err)
-		return
-	}
-
-	message, err := protojson.MarshalOptions{Multiline: true, Indent: "  "}.Marshal(&req)
-	if err != nil {
-		responseOtlpError(c.Ctx, 500, body, "marshal metrics failed: %v", err)
-		return
-	}
-
-	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
-	userAgent := c.Ctx.Request.Header.Get("User-Agent")
-	if err := provider.AddMetrics(message, clientIp, userAgent); err != nil {
-		responseOtlpError(c.Ctx, 500, body, "save metrics failed: %v", err)
-		return
-	}
-
-	resp, _ := proto.Marshal(&colmetricspb.ExportMetricsServiceResponse{})
-	c.Ctx.Output.Header("Content-Type", "application/x-protobuf")
-	c.Ctx.Output.SetStatus(200)
-	c.Ctx.Output.Body(resp)
-}
-
-// @Title AddOtlpLogs
-// @Tag OTLP API
-// @Description receive otlp logs protobuf
-// @Success 200 {object} string
-// @router /api/v1/logs [post]
-func (c *ApiController) AddOtlpLogs() {
-	body := readProtobufBody(c.Ctx)
-	if body == nil {
-		return
-	}
-	provider, status, err := resolveOpenClawProvider(c.Ctx)
-	if err != nil {
-		responseOtlpError(c.Ctx, status, body, "%s", err.Error())
-		return
-	}
-
-	var req collogspb.ExportLogsServiceRequest
-	if err := proto.Unmarshal(body, &req); err != nil {
-		responseOtlpError(c.Ctx, 400, body, "bad protobuf: %v", err)
-		return
-	}
-
-	message, err := protojson.MarshalOptions{Multiline: true, Indent: "  "}.Marshal(&req)
-	if err != nil {
-		responseOtlpError(c.Ctx, 500, body, "marshal logs failed: %v", err)
-		return
-	}
-
-	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
-	userAgent := c.Ctx.Request.Header.Get("User-Agent")
-	if err := provider.AddLogs(message, clientIp, userAgent); err != nil {
-		responseOtlpError(c.Ctx, 500, body, "save logs failed: %v", err)
-		return
-	}
-
-	resp, _ := proto.Marshal(&collogspb.ExportLogsServiceResponse{})
-	c.Ctx.Output.Header("Content-Type", "application/x-protobuf")
-	c.Ctx.Output.SetStatus(200)
-	c.Ctx.Output.Body(resp)
-}
--- a/controllers/entry_util.go
+++ b/controllers/entry_util.go
@@ -1,78 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"fmt"
-	"io"
-	"strings"
-
-	"github.com/beego/beego/v2/server/web/context"
-	"github.com/casdoor/casdoor/log"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-func responseOtlpError(ctx *context.Context, status int, body []byte, format string, args ...interface{}) {
-	msg := fmt.Sprintf(format, args...)
-	req := ctx.Request
-	bodyInfo := "(no body)"
-	if len(body) > 0 {
-		bodyInfo = fmt.Sprintf("%d bytes: %q", len(body), truncate(body, 256))
-	}
-	fmt.Printf("responseOtlpError: [%d] %s | %s %s | remoteAddr=%s | Content-Type=%s | User-Agent=%s | body=%s\n",
-		status, msg,
-		req.Method, req.URL.Path,
-		req.RemoteAddr,
-		req.Header.Get("Content-Type"),
-		req.Header.Get("User-Agent"),
-		bodyInfo,
-	)
-	ctx.Output.SetStatus(status)
-	ctx.Output.Body([]byte(msg))
-}
-
-func truncate(b []byte, max int) []byte {
-	if len(b) <= max {
-		return b
-	}
-	return b[:max]
-}
-
-func resolveOpenClawProvider(ctx *context.Context) (*log.OpenClawProvider, int, error) {
-	clientIP := util.GetClientIpFromRequest(ctx.Request)
-	provider, err := object.GetOpenClawProviderByIP(clientIP)
-	if err != nil {
-		return nil, 500, fmt.Errorf("provider lookup failed: %w", err)
-	}
-	if provider == nil {
-		return nil, 403, fmt.Errorf("forbidden: no OpenClaw provider configured for IP %s", clientIP)
-	}
-	return provider, 0, nil
-}
-
-func readProtobufBody(ctx *context.Context) []byte {
-	if !strings.HasPrefix(ctx.Input.Header("Content-Type"), "application/x-protobuf") {
-		preview, _ := io.ReadAll(io.LimitReader(ctx.Request.Body, 256))
-		responseOtlpError(ctx, 415, preview, "unsupported content type")
-		return nil
-	}
-	body, err := io.ReadAll(ctx.Request.Body)
-	if err != nil {
-		responseOtlpError(ctx, 400, nil, "read body failed")
-		return nil
-	}
-	return body
-}
--- a/controllers/kerberos.go
+++ b/controllers/kerberos.go
@@ -1,105 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/casdoor/casdoor/form"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// KerberosLogin
-// @Title KerberosLogin
-// @Tag Login API
-// @Description Kerberos/SPNEGO login via Integrated Windows Authentication
-// @Param   application     query    string  true        "application name"
-// @Success 200 {object} controllers.Response The Response object
-// @router /kerberos-login [get]
-func (c *ApiController) KerberosLogin() {
-	applicationName := c.Ctx.Input.Query("application")
-	if applicationName == "" {
-		c.ResponseError(c.T("general:Missing parameter") + ": application")
-		return
-	}
-
-	application, err := object.GetApplication(fmt.Sprintf("admin/%s", applicationName))
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if application == nil {
-		c.ResponseError(fmt.Sprintf(c.T("auth:The application: %s does not exist"), applicationName))
-		return
-	}
-
-	organization, err := object.GetOrganization(util.GetId("admin", application.Organization))
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if organization == nil {
-		c.ResponseError(fmt.Sprintf("The organization: %s does not exist", application.Organization))
-		return
-	}
-
-	if organization.KerberosRealm == "" || organization.KerberosKeytab == "" {
-		c.ResponseError("Kerberos is not configured for this organization")
-		return
-	}
-
-	authHeader := c.Ctx.Input.Header("Authorization")
-	if authHeader == "" || !strings.HasPrefix(authHeader, "Negotiate ") {
-		c.Ctx.Output.Header("WWW-Authenticate", "Negotiate")
-		c.Ctx.Output.SetStatus(401)
-		c.Ctx.Output.Body([]byte("Kerberos authentication required"))
-		return
-	}
-
-	spnegoToken := strings.TrimPrefix(authHeader, "Negotiate ")
-
-	kerberosUsername, err := object.ValidateKerberosToken(organization, spnegoToken)
-	if err != nil {
-		c.Ctx.Output.Header("WWW-Authenticate", "Negotiate")
-		c.ResponseError(fmt.Sprintf("Kerberos authentication failed: %s", err.Error()))
-		return
-	}
-
-	user, err := object.GetUserByKerberosName(organization.Name, kerberosUsername)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if user == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), kerberosUsername))
-		return
-	}
-
-	application.OrganizationObj = organization
-
-	authForm := &form.AuthForm{
-		Type:         "code",
-		Application:  applicationName,
-		Organization: organization.Name,
-	}
-
-	resp := c.HandleLoggedIn(application, user, authForm)
-	if resp != nil {
-		c.Data["json"] = resp
-		c.ServeJSON()
-	}
-}
--- a/controllers/key.go
+++ b/controllers/key.go
@@ -1,222 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/v2/core/utils/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetKeys
-// @Title GetKeys
-// @Tag Key API
-// @Description get keys
-// @Param   owner     query    string  true        "The owner of keys"
-// @Success 200 {array} object.Key The Response object
-// @router /get-keys [get]
-func (c *ApiController) GetKeys() {
-	owner := c.Ctx.Input.Query("owner")
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	field := c.Ctx.Input.Query("field")
-	value := c.Ctx.Input.Query("value")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit == "" || page == "" {
-		keys, err := object.GetKeys(owner)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		maskedKeys, err := object.GetMaskedKeys(keys, true, nil)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(maskedKeys)
-	} else {
-		limit := util.ParseInt(limit)
-		count, err := object.GetKeyCount(owner, field, value)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
-		keys, err := object.GetPaginationKeys(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		maskedKeys, err := object.GetMaskedKeys(keys, true, nil)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(maskedKeys, paginator.Nums())
-	}
-}
-
-// GetGlobalKeys
-// @Title GetGlobalKeys
-// @Tag Key API
-// @Description get global keys
-// @Success 200 {array} object.Key The Response object
-// @router /get-global-keys [get]
-func (c *ApiController) GetGlobalKeys() {
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	field := c.Ctx.Input.Query("field")
-	value := c.Ctx.Input.Query("value")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit == "" || page == "" {
-		keys, err := object.GetGlobalKeys()
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		maskedKeys, err := object.GetMaskedKeys(keys, true, nil)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(maskedKeys)
-	} else {
-		limit := util.ParseInt(limit)
-		count, err := object.GetGlobalKeyCount(field, value)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
-		keys, err := object.GetPaginationGlobalKeys(paginator.Offset(), limit, field, value, sortField, sortOrder)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		maskedKeys, err := object.GetMaskedKeys(keys, true, nil)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(maskedKeys, paginator.Nums())
-	}
-}
-
-// GetKey
-// @Title GetKey
-// @Tag Key API
-// @Description get key
-// @Param   id     query    string  true        "The id ( owner/name ) of the key"
-// @Success 200 {object} object.Key The Response object
-// @router /get-key [get]
-func (c *ApiController) GetKey() {
-	id := c.Ctx.Input.Query("id")
-
-	key, err := object.GetKey(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(key)
-}
-
-// UpdateKey
-// @Title UpdateKey
-// @Tag Key API
-// @Description update key
-// @Param   id     query    string  true        "The id ( owner/name ) of the key"
-// @Param   body    body   object.Key  true        "The details of the key"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-key [post]
-func (c *ApiController) UpdateKey() {
-	id := c.Ctx.Input.Query("id")
-
-	oldKey, err := object.GetKey(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if oldKey == nil {
-		c.Data["json"] = wrapActionResponse(false)
-		c.ServeJSON()
-		return
-	}
-
-	var key object.Key
-	err = json.Unmarshal(c.Ctx.Input.RequestBody, &key)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if !c.IsGlobalAdmin() && oldKey.Owner != key.Owner {
-		c.ResponseError(c.T("auth:Unauthorized operation"))
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateKey(id, &key))
-	c.ServeJSON()
-}
-
-// AddKey
-// @Title AddKey
-// @Tag Key API
-// @Description add key
-// @Param   body    body   object.Key  true        "The details of the key"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-key [post]
-func (c *ApiController) AddKey() {
-	var key object.Key
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &key)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddKey(&key))
-	c.ServeJSON()
-}
-
-// DeleteKey
-// @Title DeleteKey
-// @Tag Key API
-// @Description delete key
-// @Param   body    body   object.Key  true        "The details of the key"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-key [post]
-func (c *ApiController) DeleteKey() {
-	var key object.Key
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &key)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteKey(&key))
-	c.ServeJSON()
-}
--- a/controllers/mcp_server.go
+++ b/controllers/mcp_server.go
@@ -1,112 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-
-	"github.com/casdoor/casdoor/mcpself"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// ProxyServer
-// @Title ProxyServer
-// @Tag Server API
-// @Description proxy request to the upstream MCP server by Server URL
-// @Param   owner    path    string  true        "The owner name of the server"
-// @Param   name     path    string  true        "The name of the server"
-// @Success 200 {object} mcp.McpResponse The Response object
-// @router /server/:owner/:name [get,post]
-func (c *ApiController) ProxyServer() {
-	owner := c.Ctx.Input.Param(":owner")
-	name := c.Ctx.Input.Param(":name")
-
-	var mcpReq *mcpself.McpRequest
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &mcpReq)
-	if err != nil {
-		c.McpResponseError(1, -32700, "Parse error", err.Error())
-		return
-	}
-	if util.IsStringsEmpty(owner, name) {
-		c.McpResponseError(1, -32600, "invalid server identifier", nil)
-		return
-	}
-
-	server, err := object.GetServer(util.GetId(owner, name))
-	if err != nil {
-		c.McpResponseError(mcpReq.ID, -32600, "server not found", err.Error())
-		return
-	}
-	if server == nil {
-		c.McpResponseError(mcpReq.ID, -32600, "server not found", nil)
-		return
-	}
-	if server.Url == "" {
-		c.McpResponseError(mcpReq.ID, -32600, "server URL is empty", nil)
-		return
-	}
-
-	targetUrl, err := url.Parse(server.Url)
-	if err != nil || !targetUrl.IsAbs() || targetUrl.Host == "" {
-		c.McpResponseError(mcpReq.ID, -32600, "server URL is invalid", nil)
-		return
-	}
-	if targetUrl.Scheme != "http" && targetUrl.Scheme != "https" {
-		c.McpResponseError(mcpReq.ID, -32600, "server URL scheme is invalid", nil)
-		return
-	}
-
-	if mcpReq.Method == "tools/call" {
-		var params mcpself.McpCallToolParams
-		err = json.Unmarshal(mcpReq.Params, &params)
-		if err != nil {
-			c.McpResponseError(mcpReq.ID, -32600, "Invalid request", err.Error())
-			return
-		}
-
-		for _, tool := range server.Tools {
-			if tool.Name == params.Name && !tool.IsAllowed {
-				c.McpResponseError(mcpReq.ID, -32600, "tool is forbidden", nil)
-				return
-			} else if tool.Name == params.Name {
-				break
-			}
-		}
-	}
-
-	proxy := httputil.NewSingleHostReverseProxy(targetUrl)
-	proxy.ErrorHandler = func(writer http.ResponseWriter, request *http.Request, proxyErr error) {
-		c.Ctx.Output.SetStatus(http.StatusBadGateway)
-		c.McpResponseError(mcpReq.ID, -32603, "failed to proxy server request: %s", proxyErr.Error())
-	}
-	proxy.Director = func(request *http.Request) {
-		request.URL.Scheme = targetUrl.Scheme
-		request.URL.Host = targetUrl.Host
-		request.Host = targetUrl.Host
-		request.URL.Path = targetUrl.Path
-		request.URL.RawPath = ""
-		request.URL.RawQuery = targetUrl.RawQuery
-
-		if server.Token != "" {
-			request.Header.Set("Authorization", "Bearer "+server.Token)
-		}
-	}
-
-	proxy.ServeHTTP(c.Ctx.ResponseWriter, c.Ctx.Request)
-}
--- a/controllers/mfa.go
+++ b/controllers/mfa.go
@@ -19,6 +19,7 @@ import (

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
+	"github.com/google/uuid"
 )

 // MfaSetupInitiate
@@ -76,7 +77,7 @@ func (c *ApiController) MfaSetupInitiate() {
 		return
 	}

-	recoveryCode := util.GenerateUUID()
+	recoveryCode := uuid.NewString()
 	mfaProps.RecoveryCodes = []string{recoveryCode}
 	mfaProps.MfaRememberInHours = organization.MfaRememberInHours

--- a/controllers/product.go
+++ b/controllers/product.go
@@ -16,8 +16,6 @@ package controllers

 import (
 	"encoding/json"
-	"fmt"
-	"strconv"

 	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
@@ -151,78 +149,3 @@ func (c *ApiController) DeleteProduct() {
 	c.Data["json"] = wrapActionResponse(object.DeleteProduct(&product))
 	c.ServeJSON()
 }
-
-// BuyProduct
-// @Title BuyProduct (Deprecated)
-// @Tag Product API
-// @Description buy product using the deprecated compatibility endpoint, prefer place-order plus pay-order for new integrations
-// @Param   id             query    string  true   "The id ( owner/name ) of the product"
-// @Param   providerName   query    string  true   "The name of the provider"
-// @Param   pricingName    query    string  false  "The name of the pricing (for subscription)"
-// @Param   planName       query    string  false  "The name of the plan (for subscription)"
-// @Param   userName       query    string  false  "The username to buy product for (admin only)"
-// @Param   paymentEnv     query    string  false  "The payment environment"
-// @Param   customPrice    query    number  false  "Custom price for recharge products"
-// @Success 200 {object} controllers.Response The Response object
-// @router /buy-product [post]
-func (c *ApiController) BuyProduct() {
-	id := c.Ctx.Input.Query("id")
-	host := c.Ctx.Request.Host
-	providerName := c.Ctx.Input.Query("providerName")
-	paymentEnv := c.Ctx.Input.Query("paymentEnv")
-	customPriceStr := c.Ctx.Input.Query("customPrice")
-	if customPriceStr == "" {
-		customPriceStr = "0"
-	}
-
-	customPrice, err := strconv.ParseFloat(customPriceStr, 64)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	pricingName := c.Ctx.Input.Query("pricingName")
-	planName := c.Ctx.Input.Query("planName")
-	paidUserName := c.Ctx.Input.Query("userName")
-
-	owner, _, err := util.GetOwnerAndNameFromIdWithError(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	var userId string
-	if paidUserName != "" {
-		userId = util.GetId(owner, paidUserName)
-		if userId != c.GetSessionUsername() && !c.IsAdmin() && userId != c.GetPaidUsername() {
-			c.ResponseError(c.T("general:Only admin user can specify user"))
-			return
-		}
-
-		c.SetSession("paidUsername", "")
-	} else {
-		userId = c.GetSessionUsername()
-	}
-	if userId == "" {
-		c.ResponseError(c.T("general:Please login first"))
-		return
-	}
-
-	user, err := object.GetUser(userId)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	if user == nil {
-		c.ResponseError(fmt.Sprintf(c.T("general:The user: %s doesn't exist"), userId))
-		return
-	}
-
-	payment, attachInfo, err := object.BuyProduct(id, user, providerName, pricingName, planName, host, paymentEnv, customPrice, c.GetAcceptLanguage())
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(payment, attachInfo)
-}
--- a/controllers/record.go
+++ b/controllers/record.go
@@ -17,6 +17,8 @@ package controllers
 import (
 	"encoding/json"

+	"github.com/casvisor/casvisor-go-sdk/casvisorsdk"
+
 	"github.com/beego/beego/v2/core/utils/pagination"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
@@ -57,7 +59,7 @@ func (c *ApiController) GetRecords() {
 		if c.IsGlobalAdmin() && organizationName != "" {
 			organization = organizationName
 		}
-		filterRecord := &object.Record{Organization: organization}
+		filterRecord := &casvisorsdk.Record{Organization: organization}
 		count, err := object.GetRecordCount(field, value, filterRecord)
 		if err != nil {
 			c.ResponseError(err.Error())
@@ -90,7 +92,7 @@ func (c *ApiController) GetRecordsByFilter() {

 	body := string(c.Ctx.Input.RequestBody)

-	record := &object.Record{}
+	record := &casvisorsdk.Record{}
 	err := util.JsonToStruct(body, record)
 	if err != nil {
 		c.ResponseError(err.Error())
@@ -114,7 +116,7 @@ func (c *ApiController) GetRecordsByFilter() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /add-record [post]
 func (c *ApiController) AddRecord() {
-	var record object.Record
+	var record casvisorsdk.Record
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &record)
 	if err != nil {
 		c.ResponseError(err.Error())
--- a/controllers/rule.go
+++ b/controllers/rule.go
@@ -1,229 +0,0 @@
-// Copyright 2023 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-	"errors"
-	"net"
-	"strings"
-
-	"github.com/beego/beego/v2/server/web/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-	"github.com/hsluoyz/modsecurity-go/seclang/parser"
-)
-
-// GetRules
-// @Title GetRules
-// @Tag Rule API
-// @Description get rules
-// @Param   owner     query    string  true        "The owner of rules"
-// @Success 200 {array} object.Rule The Response object
-// @router /get-rules [get]
-func (c *ApiController) GetRules() {
-	owner := c.Ctx.Input.Query("owner")
-	if owner == "admin" {
-		owner = ""
-	}
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	field := c.Ctx.Input.Query("field")
-	value := c.Ctx.Input.Query("value")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit == "" || page == "" {
-		rules, err := object.GetRules(owner)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(rules)
-	} else {
-		limit := util.ParseInt(limit)
-		count, err := object.GetRuleCount(owner, field, value)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.SetPaginator(c.Ctx, limit, count)
-		rules, err := object.GetPaginationRules(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(rules, paginator.Nums())
-	}
-}
-
-// GetRule
-// @Title GetRule
-// @Tag Rule API
-// @Description get rule
-// @Param   id     query    string  true        "The id ( owner/name ) of the rule"
-// @Success 200 {object} object.Rule The Response object
-// @router /get-rule [get]
-func (c *ApiController) GetRule() {
-	id := c.Ctx.Input.Query("id")
-	rule, err := object.GetRule(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(rule)
-}
-
-// AddRule
-// @Title AddRule
-// @Tag Rule API
-// @Description add rule
-// @Param   body    body   object.Rule  true        "The details of the rule"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-rule [post]
-func (c *ApiController) AddRule() {
-	currentTime := util.GetCurrentTime()
-	rule := object.Rule{
-		CreatedTime: currentTime,
-		UpdatedTime: currentTime,
-	}
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &rule)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	err = checkExpressions(rule.Expressions, rule.Type)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	c.Data["json"] = wrapActionResponse(object.AddRule(&rule))
-	c.ServeJSON()
-}
-
-// UpdateRule
-// @Title UpdateRule
-// @Tag Rule API
-// @Description update rule
-// @Param   id     query    string  true        "The id ( owner/name ) of the rule"
-// @Param   body    body   object.Rule  true        "The details of the rule"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-rule [post]
-func (c *ApiController) UpdateRule() {
-	var rule object.Rule
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &rule)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	err = checkExpressions(rule.Expressions, rule.Type)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	id := c.Ctx.Input.Query("id")
-	c.Data["json"] = wrapActionResponse(object.UpdateRule(id, &rule))
-	c.ServeJSON()
-}
-
-// DeleteRule
-// @Title DeleteRule
-// @Tag Rule API
-// @Description delete rule
-// @Param   body    body   object.Rule  true        "The details of the rule"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-rule [post]
-func (c *ApiController) DeleteRule() {
-	var rule object.Rule
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &rule)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteRule(&rule))
-	c.ServeJSON()
-}
-
-func checkExpressions(expressions []*object.Expression, ruleType string) error {
-	values := make([]string, len(expressions))
-	for i, expression := range expressions {
-		values[i] = expression.Value
-	}
-	switch ruleType {
-	case "WAF":
-		return checkWafRule(values)
-	case "IP":
-		return checkIpRule(values)
-	case "IP Rate Limiting":
-		return checkIpRateRule(expressions)
-	case "Compound":
-		return checkCompoundRules(values)
-	}
-	return nil
-}
-
-func checkWafRule(rules []string) error {
-	for _, rule := range rules {
-		scanner := parser.NewSecLangScannerFromString(rule)
-		_, err := scanner.AllDirective()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func checkIpRule(ipLists []string) error {
-	for _, ipList := range ipLists {
-		for _, ip := range strings.Split(ipList, ",") {
-			_, _, err := net.ParseCIDR(ip)
-			if net.ParseIP(ip) == nil && err != nil {
-				return errors.New("Invalid IP address: " + ip)
-			}
-		}
-	}
-	return nil
-}
-
-func checkIpRateRule(expressions []*object.Expression) error {
-	if len(expressions) != 1 {
-		return errors.New("IP Rate Limiting rule must have exactly one expression")
-	}
-	expression := expressions[0]
-	_, err := util.ParseIntWithError(expression.Operator)
-	if err != nil {
-		return err
-	}
-	_, err = util.ParseIntWithError(expression.Value)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func checkCompoundRules(rules []string) error {
-	_, err := object.GetRulesByRuleIds(rules)
-	if err != nil {
-		return err
-	}
-	return nil
-}
--- a/controllers/server.go
+++ b/controllers/server.go
@@ -1,173 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/v2/server/web/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetServers
-// @Title GetServers
-// @Tag Server API
-// @Description get servers
-// @Param   owner     query    string  true        "The owner of servers"
-// @Success 200 {array} object.Server The Response object
-// @router /get-servers [get]
-func (c *ApiController) GetServers() {
-	owner := c.Ctx.Input.Query("owner")
-	if owner == "admin" {
-		owner = ""
-	}
-
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	field := c.Ctx.Input.Query("field")
-	value := c.Ctx.Input.Query("value")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit == "" || page == "" {
-		servers, err := object.GetServers(owner)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		c.ResponseOk(servers)
-		return
-	}
-
-	limitInt := util.ParseInt(limit)
-	count, err := object.GetServerCount(owner, field, value)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	paginator := pagination.SetPaginator(c.Ctx, limitInt, count)
-	servers, err := object.GetPaginationServers(owner, paginator.Offset(), limitInt, field, value, sortField, sortOrder)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(servers, paginator.Nums())
-}
-
-// GetServer
-// @Title GetServer
-// @Tag Server API
-// @Description get server
-// @Param   id     query    string  true        "The id ( owner/name ) of the server"
-// @Success 200 {object} object.Server The Response object
-// @router /get-server [get]
-func (c *ApiController) GetServer() {
-	id := c.Ctx.Input.Query("id")
-
-	server, err := object.GetServer(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(server)
-}
-
-// UpdateServer
-// @Title UpdateServer
-// @Tag Server API
-// @Description update server
-// @Param   id     query    string  true        "The id ( owner/name ) of the server"
-// @Param   body    body   object.Server  true        "The details of the server"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-server [post]
-func (c *ApiController) UpdateServer() {
-	id := c.Ctx.Input.Query("id")
-
-	var server object.Server
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &server)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateServer(id, &server))
-	c.ServeJSON()
-}
-
-// SyncMcpTool
-// @Title SyncMcpTool
-// @Tag Server API
-// @Description sync MCP tools for a server and return sync errors directly
-// @Param   id     query    string  true        "The id ( owner/name ) of the server"
-// @Param   isCleared  query    bool    false       "Whether to clear all tools instead of syncing"
-// @Param   body    body   object.Server  true        "The details of the server"
-// @Success 200 {object} controllers.Response The Response object
-// @router /sync-mcp-tool [post]
-func (c *ApiController) SyncMcpTool() {
-	id := c.Ctx.Input.Query("id")
-	isCleared := c.Ctx.Input.Query("isCleared") == "1"
-
-	var server object.Server
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &server)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.SyncMcpTool(id, &server, isCleared))
-	c.ServeJSON()
-}
-
-// AddServer
-// @Title AddServer
-// @Tag Server API
-// @Description add server
-// @Param   body    body   object.Server  true        "The details of the server"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-server [post]
-func (c *ApiController) AddServer() {
-	var server object.Server
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &server)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddServer(&server))
-	c.ServeJSON()
-}
-
-// DeleteServer
-// @Title DeleteServer
-// @Tag Server API
-// @Description delete server
-// @Param   body    body   object.Server  true        "The details of the server"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-server [post]
-func (c *ApiController) DeleteServer() {
-	var server object.Server
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &server)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteServer(&server))
-	c.ServeJSON()
-}
--- a/controllers/server_online.go
+++ b/controllers/server_online.go
@@ -1,56 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-)
-
-const onlineServerListUrl = "https://mcp.casdoor.org/registry.json"
-
-// GetOnlineServers
-// @Title GetOnlineServers
-// @Tag Server API
-// @Description get online MCP server list
-// @Success 200 {object} controllers.Response The Response object
-// @router /get-online-servers [get]
-func (c *ApiController) GetOnlineServers() {
-	httpClient := &http.Client{Timeout: 10 * time.Second}
-	resp, err := httpClient.Get(onlineServerListUrl)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-	defer func() {
-		_ = resp.Body.Close()
-	}()
-
-	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
-		c.ResponseError(fmt.Sprintf("failed to get online server list, status code: %d", resp.StatusCode))
-		return
-	}
-
-	var onlineServers interface{}
-	err = json.NewDecoder(resp.Body).Decode(&onlineServers)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(onlineServers)
-}
--- a/controllers/server_sync.go
+++ b/controllers/server_sync.go
@@ -1,170 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"slices"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/casdoor/casdoor/mcp"
-)
-
-const (
-	defaultSyncTimeoutMs      = 1200
-	defaultSyncMaxConcurrency = 32
-	maxSyncHosts              = 1024
-)
-
-var (
-	defaultSyncPorts = []int{3000, 8080, 80}
-	defaultSyncPaths = []string{"/", "/mcp", "/sse", "/mcp/sse"}
-)
-
-type SyncInnerServersRequest struct {
-	CIDR           []string `json:"cidr"`
-	Scheme         string   `json:"scheme"`
-	Ports          []string `json:"ports"`
-	Paths          []string `json:"paths"`
-	TimeoutMs      int      `json:"timeoutMs"`
-	MaxConcurrency int      `json:"maxConcurrency"`
-}
-
-type SyncInnerServersResult struct {
-	CIDR         []string              `json:"cidr"`
-	ScannedHosts int                   `json:"scannedHosts"`
-	OnlineHosts  []string              `json:"onlineHosts"`
-	Servers      []*mcp.InnerMcpServer `json:"servers"`
-}
-
-// SyncIntranetServers
-// @Title SyncIntranetServers
-// @Tag Server API
-// @Description scan intranet IP/CIDR targets and detect MCP servers by probing common ports and paths
-// @Param   body    body   controllers.SyncInnerServersRequest  true  "Intranet MCP server scan request"
-// @Success 200 {object} controllers.Response The Response object
-// @router /sync-intranet-servers [post]
-func (c *ApiController) SyncIntranetServers() {
-	_, ok := c.RequireAdmin()
-	if !ok {
-		return
-	}
-
-	var req SyncInnerServersRequest
-	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &req); err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	for i := range req.CIDR {
-		req.CIDR[i] = strings.TrimSpace(req.CIDR[i])
-	}
-	if len(req.CIDR) == 0 {
-		c.ResponseError("scan target (CIDR/IP) is required")
-		return
-	}
-
-	hosts, err := mcp.ParseScanTargets(req.CIDR, maxSyncHosts)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	timeout := mcp.SanitizeTimeout(req.TimeoutMs, defaultSyncTimeoutMs, 10000)
-	concurrency := mcp.SanitizeConcurrency(req.MaxConcurrency, defaultSyncMaxConcurrency, 256)
-	ports := mcp.SanitizePorts(req.Ports, defaultSyncPorts)
-	paths := mcp.SanitizePaths(req.Paths, defaultSyncPaths)
-	scheme := mcp.SanitizeScheme(req.Scheme)
-
-	client := &http.Client{
-		Timeout: timeout,
-		CheckRedirect: func(_ *http.Request, _ []*http.Request) error {
-			return http.ErrUseLastResponse
-		},
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	onlineHostSet := map[string]struct{}{}
-	serverMap := map[string]*mcp.InnerMcpServer{}
-	mutex := sync.Mutex{}
-	waitGroup := sync.WaitGroup{}
-	sem := make(chan struct{}, concurrency)
-
-	for _, host := range hosts {
-		host := host.String()
-		waitGroup.Add(1)
-		go func() {
-			defer waitGroup.Done()
-
-			select {
-			case sem <- struct{}{}:
-			case <-ctx.Done():
-				return
-			}
-			defer func() { <-sem }()
-
-			isOnline, servers := mcp.ProbeHost(ctx, client, scheme, host, ports, paths, timeout)
-			if !isOnline {
-				return
-			}
-
-			mutex.Lock()
-			onlineHostSet[host] = struct{}{}
-			for _, server := range servers {
-				serverMap[server.Url] = server
-			}
-			mutex.Unlock()
-		}()
-	}
-
-	waitGroup.Wait()
-
-	onlineHosts := make([]string, 0, len(onlineHostSet))
-	for host := range onlineHostSet {
-		onlineHosts = append(onlineHosts, host)
-	}
-	slices.Sort(onlineHosts)
-
-	servers := make([]*mcp.InnerMcpServer, 0, len(serverMap))
-	for _, server := range serverMap {
-		servers = append(servers, server)
-	}
-	slices.SortFunc(servers, func(a, b *mcp.InnerMcpServer) int {
-		if a.Url < b.Url {
-			return -1
-		}
-		if a.Url > b.Url {
-			return 1
-		}
-		return 0
-	})
-
-	c.ResponseOk(&SyncInnerServersResult{
-		CIDR:         req.CIDR,
-		ScannedHosts: len(hosts),
-		OnlineHosts:  onlineHosts,
-		Servers:      servers,
-	})
-}
-
-func (c *ApiController) SyncInnerServers() {
-	c.SyncIntranetServers()
-}
--- a/controllers/site.go
+++ b/controllers/site.go
@@ -1,165 +0,0 @@
-// Copyright 2023 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/v2/server/web/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-// GetGlobalSites
-// @Title GetGlobalSites
-// @Tag Site API
-// @Description get global sites
-// @Success 200 {array} object.Site The Response object
-// @router /get-global-sites [get]
-func (c *ApiController) GetGlobalSites() {
-	sites, err := object.GetGlobalSites()
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(object.GetMaskedSites(sites, util.GetHostname()))
-}
-
-// GetSites
-// @Title GetSites
-// @Tag Site API
-// @Description get sites
-// @Param   owner     query    string  true        "The owner of sites"
-// @Success 200 {array} object.Site The Response object
-// @router /get-sites [get]
-func (c *ApiController) GetSites() {
-	owner := c.Ctx.Input.Query("owner")
-	if owner == "admin" {
-		owner = ""
-	}
-
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	field := c.Ctx.Input.Query("field")
-	value := c.Ctx.Input.Query("value")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit == "" || page == "" {
-		sites, err := object.GetSites(owner)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-		c.ResponseOk(object.GetMaskedSites(sites, util.GetHostname()))
-		return
-	}
-
-	limitInt := util.ParseInt(limit)
-	count, err := object.GetSiteCount(owner, field, value)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	paginator := pagination.SetPaginator(c.Ctx, limitInt, count)
-	sites, err := object.GetPaginationSites(owner, paginator.Offset(), limitInt, field, value, sortField, sortOrder)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(object.GetMaskedSites(sites, util.GetHostname()), paginator.Nums())
-}
-
-// GetSite
-// @Title GetSite
-// @Tag Site API
-// @Description get site
-// @Param   id     query    string  true        "The id ( owner/name ) of the site"
-// @Success 200 {object} object.Site The Response object
-// @router /get-site [get]
-func (c *ApiController) GetSite() {
-	id := c.Ctx.Input.Query("id")
-
-	site, err := object.GetSite(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk(object.GetMaskedSite(site, util.GetHostname()))
-}
-
-// UpdateSite
-// @Title UpdateSite
-// @Tag Site API
-// @Description update site
-// @Param   id     query    string  true        "The id ( owner/name ) of the site"
-// @Param   body    body   object.Site  true        "The details of the site"
-// @Success 200 {object} controllers.Response The Response object
-// @router /update-site [post]
-func (c *ApiController) UpdateSite() {
-	id := c.Ctx.Input.Query("id")
-
-	var site object.Site
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &site)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.UpdateSite(id, &site))
-	c.ServeJSON()
-}
-
-// AddSite
-// @Title AddSite
-// @Tag Site API
-// @Description add site
-// @Param   body    body   object.Site  true        "The details of the site"
-// @Success 200 {object} controllers.Response The Response object
-// @router /add-site [post]
-func (c *ApiController) AddSite() {
-	var site object.Site
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &site)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.AddSite(&site))
-	c.ServeJSON()
-}
-
-// DeleteSite
-// @Title DeleteSite
-// @Tag Site API
-// @Description delete site
-// @Param   body    body   object.Site  true        "The details of the site"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-site [post]
-func (c *ApiController) DeleteSite() {
-	var site object.Site
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &site)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteSite(&site))
-	c.ServeJSON()
-}
--- a/controllers/token.go
+++ b/controllers/token.go
@@ -162,9 +162,6 @@ func (c *ApiController) DeleteToken() {
 func (c *ApiController) GetOAuthToken() {
 	clientId := c.Ctx.Input.Query("client_id")
 	clientSecret := c.Ctx.Input.Query("client_secret")
-	assertion := c.Ctx.Input.Query("assertion")
-	clientAssertion := c.Ctx.Input.Query("client_assertion")
-	clientAssertionType := c.Ctx.Input.Query("client_assertion_type")
 	grantType := c.Ctx.Input.Query("grant_type")
 	code := c.Ctx.Input.Query("code")
 	verifier := c.Ctx.Input.Query("code_verifier")
@@ -196,12 +193,6 @@ func (c *ApiController) GetOAuthToken() {
 			if clientSecret == "" {
 				clientSecret = tokenRequest.ClientSecret
 			}
-			if clientAssertion == "" {
-				clientAssertion = tokenRequest.ClientAssertion
-			}
-			if clientAssertionType == "" {
-				clientAssertionType = tokenRequest.ClientAssertionType
-			}
 			if grantType == "" {
 				grantType = tokenRequest.GrantType
 			}
@@ -244,16 +235,9 @@ func (c *ApiController) GetOAuthToken() {
 			if resource == "" {
 				resource = tokenRequest.Resource
 			}
-			if assertion == "" {
-				assertion = tokenRequest.Assertion
-			}
 		}
 	}

-	// Extract DPoP proof header (RFC 9449). Empty string when DPoP is not used.
-	dpopProof := c.Ctx.Request.Header.Get("DPoP")
-
-	host := c.Ctx.Request.Host
 	if deviceCode != "" {
 		deviceAuthCache, ok := object.DeviceAuthMap.Load(deviceCode)
 		if !ok {
@@ -294,7 +278,8 @@ func (c *ApiController) GetOAuthToken() {
 		username = deviceAuthCacheCast.UserName
 	}

-	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, assertion, clientAssertion, clientAssertionType, audience, resource, dpopProof)
+	host := c.Ctx.Request.Host
+	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, audience, resource)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -338,13 +323,7 @@ func (c *ApiController) RefreshToken() {
 		}
 	}

-	ok, application, clientId, _, err := c.ValidateOAuth(true)
-	if err != nil || !ok {
-		return
-	}
-
-	dpopProof := c.Ctx.Request.Header.Get("DPoP")
-	refreshToken2, err := object.RefreshToken(application, grantType, refreshToken, scope, clientId, clientSecret, host, dpopProof)
+	refreshToken2, err := object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
@@ -355,79 +334,14 @@ func (c *ApiController) RefreshToken() {
 	c.ServeJSON()
 }

-func (c *ApiController) ResponseTokenError(errorMsg string, errorDescription string) {
+func (c *ApiController) ResponseTokenError(errorMsg string) {
 	c.Data["json"] = &object.TokenError{
-		Error:            errorMsg,
-		ErrorDescription: errorDescription,
+		Error: errorMsg,
 	}
 	c.SetTokenErrorHttpStatus()
 	c.ServeJSON()
 }

-func (c *ApiController) ValidateOAuth(ignoreValidSecret bool) (ok bool, application *object.Application, clientId, clientSecret string, err error) {
-	reqClientId := c.Ctx.Input.Query("client_id")
-	reqClientSecret := c.Ctx.Input.Query("client_secret")
-	clientAssertion := c.Ctx.Input.Query("client_assertion")
-	clientAssertionType := c.Ctx.Input.Query("client_assertion_type")
-
-	if reqClientId == "" && clientAssertionType == "" {
-		var tokenRequest TokenRequest
-		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
-			reqClientId = tokenRequest.ClientId
-			reqClientSecret = tokenRequest.ClientSecret
-			clientAssertion = tokenRequest.ClientAssertion
-			clientAssertionType = tokenRequest.ClientAssertionType
-		}
-	}
-
-	if clientAssertionType == "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" {
-		ok, application, err = object.ValidateClientAssertion(clientAssertion, c.Ctx.Request.Host)
-		if err != nil {
-			c.ResponseTokenError(object.InvalidClient, err.Error())
-			return
-		}
-
-		if !ok || application == nil {
-			c.ResponseTokenError(object.InvalidClient, "client_assertion is invalid")
-			return
-		}
-
-		clientSecret = application.ClientSecret
-		clientId = application.ClientId
-		ok = true
-		return
-	}
-
-	if reqClientId == "" && reqClientSecret == "" {
-		clientId, clientSecret, ok = c.Ctx.Request.BasicAuth()
-		if !ok {
-			clientId = c.Ctx.Input.Query("client_id")
-			clientSecret = c.Ctx.Input.Query("client_secret")
-			if clientId == "" || clientSecret == "" {
-				c.ResponseTokenError(object.InvalidRequest, "")
-				return
-			}
-		}
-	} else {
-		clientId = reqClientId
-		clientSecret = reqClientSecret
-	}
-
-	application, err = object.GetApplicationByClientId(clientId)
-	if err != nil {
-		c.ResponseTokenError(object.InvalidClient, err.Error())
-		return
-	}
-
-	if application == nil || (application.ClientSecret != clientSecret && !ignoreValidSecret) {
-		c.ResponseTokenError(object.InvalidClient, c.T("token:Invalid application or wrong clientSecret"))
-		return
-	}
-
-	ok = true
-	return
-}
-
 // IntrospectToken
 // @Title IntrospectToken
 // @Tag Login API
@@ -435,7 +349,7 @@ func (c *ApiController) ValidateOAuth(ignoreValidSecret bool) (ok bool, applicat
 // parameter representing an OAuth 2.0 token and returns a JSON document
 // representing the meta information surrounding the
 // token, including whether this token is currently active.
-// This endpoint support Basic Authorization and authorization defined in RFC 7523.
+// This endpoint only support Basic Authorization.
 //
 // @Param token formData string true "access_token's value or refresh_token's value"
 // @Param token_type_hint formData string true "the token type access_token or refresh_token"
@@ -445,9 +359,24 @@ func (c *ApiController) ValidateOAuth(ignoreValidSecret bool) (ok bool, applicat
 // @router /login/oauth/introspect [post]
 func (c *ApiController) IntrospectToken() {
 	tokenValue := c.Ctx.Input.Query("token")
+	clientId, clientSecret, ok := c.Ctx.Request.BasicAuth()
+	if !ok {
+		clientId = c.Ctx.Input.Query("client_id")
+		clientSecret = c.Ctx.Input.Query("client_secret")
+		if clientId == "" || clientSecret == "" {
+			c.ResponseTokenError(object.InvalidRequest)
+			return
+		}
+	}

-	ok, application, clientId, _, err := c.ValidateOAuth(false)
-	if err != nil || !ok {
+	application, err := object.GetApplicationByClientId(clientId)
+	if err != nil {
+		c.ResponseTokenError(err.Error())
+		return
+	}
+
+	if application == nil || application.ClientSecret != clientSecret {
+		c.ResponseTokenError(c.T("token:Invalid application or wrong clientSecret"))
 		return
 	}

@@ -461,7 +390,7 @@ func (c *ApiController) IntrospectToken() {
 	if tokenTypeHint != "" {
 		token, err = object.GetTokenByTokenValue(tokenValue, tokenTypeHint)
 		if err != nil {
-			c.ResponseTokenError(object.InvalidRequest, err.Error())
+			c.ResponseTokenError(err.Error())
 			return
 		}
 		if token == nil || token.ExpiresIn <= 0 {
@@ -538,7 +467,7 @@ func (c *ApiController) IntrospectToken() {
 	if tokenTypeHint == "" {
 		token, err = object.GetTokenByTokenValue(tokenValue, introspectionResponse.TokenType)
 		if err != nil {
-			c.ResponseTokenError(object.InvalidRequest, err.Error())
+			c.ResponseTokenError(err.Error())
 			return
 		}
 		if token == nil || token.ExpiresIn <= 0 {
@@ -550,7 +479,7 @@ func (c *ApiController) IntrospectToken() {
 	if token != nil {
 		application, err = object.GetApplication(fmt.Sprintf("%s/%s", token.Owner, token.Application))
 		if err != nil {
-			c.ResponseTokenError(object.InvalidClient, err.Error())
+			c.ResponseTokenError(err.Error())
 			return
 		}
 		if application == nil {
@@ -560,11 +489,6 @@ func (c *ApiController) IntrospectToken() {

 		introspectionResponse.TokenType = token.TokenType
 		introspectionResponse.ClientId = application.ClientId
-
-		// Expose DPoP key binding in the introspection response (RFC 9449 §8).
-		if token.DPoPJkt != "" {
-			introspectionResponse.Cnf = &object.DPoPConfirmation{JKT: token.DPoPJkt}
-		}
 	}

 	c.Data["json"] = introspectionResponse
--- a/controllers/types.go
+++ b/controllers/types.go
@@ -15,23 +15,20 @@
 package controllers

 type TokenRequest struct {
-	Assertion           string `json:"assertion"`
-	ClientId            string `json:"client_id"`
-	ClientSecret        string `json:"client_secret"`
-	ClientAssertion     string `json:"client_assertion"`
-	ClientAssertionType string `json:"client_assertion_type"`
-	GrantType           string `json:"grant_type"`
-	Code                string `json:"code"`
-	Verifier            string `json:"code_verifier"`
-	Scope               string `json:"scope"`
-	Nonce               string `json:"nonce"`
-	Username            string `json:"username"`
-	Password            string `json:"password"`
-	Tag                 string `json:"tag"`
-	Avatar              string `json:"avatar"`
-	RefreshToken        string `json:"refresh_token"`
-	SubjectToken        string `json:"subject_token"`
-	SubjectTokenType    string `json:"subject_token_type"`
-	Audience            string `json:"audience"`
-	Resource            string `json:"resource"` // RFC 8707 Resource Indicator
+	ClientId         string `json:"client_id"`
+	ClientSecret     string `json:"client_secret"`
+	GrantType        string `json:"grant_type"`
+	Code             string `json:"code"`
+	Verifier         string `json:"code_verifier"`
+	Scope            string `json:"scope"`
+	Nonce            string `json:"nonce"`
+	Username         string `json:"username"`
+	Password         string `json:"password"`
+	Tag              string `json:"tag"`
+	Avatar           string `json:"avatar"`
+	RefreshToken     string `json:"refresh_token"`
+	SubjectToken     string `json:"subject_token"`
+	SubjectTokenType string `json:"subject_token_type"`
+	Audience         string `json:"audience"`
+	Resource         string `json:"resource"` // RFC 8707 Resource Indicator
 }
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -730,6 +730,29 @@ func (c *ApiController) GetUserCount() {
 	c.ResponseOk(count)
 }

+// AddUserKeys
+// @Title AddUserKeys
+// @router /add-user-keys [post]
+// @Tag User API
+// @Success 200 {object} object.Userinfo The Response object
+func (c *ApiController) AddUserKeys() {
+	var user object.User
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &user)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	isAdmin := c.IsAdmin()
+	affected, err := object.AddUserKeys(&user, isAdmin)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(affected)
+}
+
 func (c *ApiController) RemoveUserFromGroup() {
 	owner := c.Ctx.Request.Form.Get("owner")
 	name := c.Ctx.Request.Form.Get("name")
--- a/controllers/util.go
+++ b/controllers/util.go
@@ -15,7 +15,6 @@
 package controllers

 import (
-	"errors"
 	"fmt"
 	"strings"

@@ -231,7 +230,7 @@ func (c *ApiController) GetProviderFromContext(category string) (*object.Provide

 	userId, ok := c.RequireSignedIn()
 	if !ok {
-		return nil, errors.New(c.T("general:Please login first"))
+		return nil, fmt.Errorf(c.T("general:Please login first"))
 	}

 	application, err := object.GetApplicationByUserId(userId)
--- a/controllers/verification.go
+++ b/controllers/verification.go
@@ -252,10 +252,6 @@ func (c *ApiController) SendVerificationCode() {
 		return
 	}

-	if vform.CaptchaToken != "" {
-		enableCaptcha = true
-	}
-
 	// Only verify CAPTCHA if it should be enabled
 	if enableCaptcha {
 		captchaProvider, err := object.GetCaptchaProviderByApplication(vform.ApplicationId, "false", c.GetAcceptLanguage())
@@ -444,8 +440,6 @@ func (c *ApiController) ResetEmailOrPhone() {
 		return
 	}

-	clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
-
 	destType := c.Ctx.Request.Form.Get("type")
 	dest := c.Ctx.Request.Form.Get("dest")
 	code := c.Ctx.Request.Form.Get("code")
@@ -500,9 +494,13 @@ func (c *ApiController) ResetEmailOrPhone() {
 		}
 	}

-	err = object.CheckVerifyCodeWithLimitAndIp(user, clientIp, checkDest, code, c.GetAcceptLanguage())
+	result, err := object.CheckVerificationCode(checkDest, code, c.GetAcceptLanguage())
 	if err != nil {
-		c.ResponseError(err.Error())
+		c.ResponseError(c.T(err.Error()))
+		return
+	}
+	if result.Code != object.VerificationSuccess {
+		c.ResponseError(result.Msg)
 		return
 	}

@@ -600,12 +598,15 @@ func (c *ApiController) VerifyCode() {
 	}

 	if !passed {
-		clientIp := util.GetClientIpFromRequest(c.Ctx.Request)
-		err = object.CheckVerifyCodeWithLimitAndIp(user, clientIp, checkDest, authForm.Code, c.GetAcceptLanguage())
+		result, err := object.CheckVerificationCode(checkDest, authForm.Code, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
+		if result.Code != object.VerificationSuccess {
+			c.ResponseError(result.Msg)
+			return
+		}

 		err = object.DisableVerificationCode(checkDest)
 		if err != nil {
--- a/controllers/webhook_event.go
+++ b/controllers/webhook_event.go
@@ -1,202 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-
-	"github.com/beego/beego/v2/core/utils/pagination"
-	"github.com/casdoor/casdoor/object"
-	"github.com/casdoor/casdoor/util"
-)
-
-const defaultWebhookEventListLimit = 100
-
-func (c *ApiController) getScopedWebhookEventQuery() (string, string, bool) {
-	organization, ok := c.RequireAdmin()
-	if !ok {
-		return "", "", false
-	}
-
-	owner := ""
-	if c.IsGlobalAdmin() {
-		owner = c.Ctx.Input.Query("owner")
-
-		requestedOrganization := c.Ctx.Input.Query("organization")
-		if requestedOrganization != "" {
-			organization = requestedOrganization
-		}
-	}
-
-	return owner, organization, true
-}
-
-func (c *ApiController) checkWebhookEventAccess(event *object.WebhookEvent, organization string) bool {
-	if event == nil || c.IsGlobalAdmin() {
-		return true
-	}
-
-	if event.Organization != organization {
-		c.ResponseError(c.T("auth:Unauthorized operation"))
-		return false
-	}
-
-	return true
-}
-
-// GetWebhookEvents
-// @Title GetWebhookEvents
-// @Tag Webhook Event API
-// @Description get webhook events with filtering
-// @Param   owner     query    string  false       "The owner of webhook events"
-// @Param   organization     query    string  false       "The organization"
-// @Param   webhookName     query    string  false       "The webhook name"
-// @Param   status     query    string  false       "Event status (pending, success, failed, retrying)"
-// @Success 200 {array} object.WebhookEvent The Response object
-// @router /get-webhook-events [get]
-func (c *ApiController) GetWebhookEvents() {
-	owner, organization, ok := c.getScopedWebhookEventQuery()
-	if !ok {
-		return
-	}
-	webhookName := c.Ctx.Input.Query("webhookName")
-	status := c.Ctx.Input.Query("status")
-	limit := c.Ctx.Input.Query("pageSize")
-	page := c.Ctx.Input.Query("p")
-	sortField := c.Ctx.Input.Query("sortField")
-	sortOrder := c.Ctx.Input.Query("sortOrder")
-
-	if limit != "" && page != "" {
-		limit := util.ParseInt(limit)
-		count, err := object.GetWebhookEventCount(owner, organization, webhookName, object.WebhookEventStatus(status))
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		paginator := pagination.NewPaginator(c.Ctx.Request, limit, count)
-		events, err := object.GetWebhookEvents(owner, organization, webhookName, object.WebhookEventStatus(status), paginator.Offset(), limit, sortField, sortOrder)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(events, paginator.Nums())
-	} else {
-		events, err := object.GetWebhookEvents(owner, organization, webhookName, object.WebhookEventStatus(status), 0, defaultWebhookEventListLimit, sortField, sortOrder)
-		if err != nil {
-			c.ResponseError(err.Error())
-			return
-		}
-
-		c.ResponseOk(events)
-	}
-}
-
-// GetWebhookEvent
-// @Title GetWebhookEvent
-// @Tag Webhook Event API
-// @Description get webhook event
-// @Param   id     query    string  true        "The id ( owner/name ) of the webhook event"
-// @Success 200 {object} object.WebhookEvent The Response object
-// @router /get-webhook-event-detail [get]
-func (c *ApiController) GetWebhookEvent() {
-	organization, ok := c.RequireAdmin()
-	if !ok {
-		return
-	}
-
-	id := c.Ctx.Input.Query("id")
-
-	event, err := object.GetWebhookEvent(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if !c.checkWebhookEventAccess(event, organization) {
-		return
-	}
-
-	c.ResponseOk(event)
-}
-
-// ReplayWebhookEvent
-// @Title ReplayWebhookEvent
-// @Tag Webhook Event API
-// @Description replay a webhook event
-// @Param   id     query    string  true        "The id ( owner/name ) of the webhook event"
-// @Success 200 {object} controllers.Response The Response object
-// @router /replay-webhook-event [post]
-func (c *ApiController) ReplayWebhookEvent() {
-	organization, ok := c.RequireAdmin()
-	if !ok {
-		return
-	}
-
-	id := c.Ctx.Input.Query("id")
-
-	event, err := object.GetWebhookEvent(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if !c.checkWebhookEventAccess(event, organization) {
-		return
-	}
-
-	err = object.ReplayWebhookEvent(id)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	c.ResponseOk("Webhook event replay triggered")
-}
-
-// DeleteWebhookEvent
-// @Title DeleteWebhookEvent
-// @Tag Webhook Event API
-// @Description delete webhook event
-// @Param   body    body   object.WebhookEvent  true        "The details of the webhook event"
-// @Success 200 {object} controllers.Response The Response object
-// @router /delete-webhook-event [post]
-func (c *ApiController) DeleteWebhookEvent() {
-	organization, ok := c.RequireAdmin()
-	if !ok {
-		return
-	}
-
-	var event object.WebhookEvent
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &event)
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	storedEvent, err := object.GetWebhookEvent(event.GetId())
-	if err != nil {
-		c.ResponseError(err.Error())
-		return
-	}
-
-	if !c.checkWebhookEventAccess(storedEvent, organization) {
-		return
-	}
-
-	c.Data["json"] = wrapActionResponse(object.DeleteWebhookEvent(&event))
-	c.ServeJSON()
-}
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -1,20 +0,0 @@
-services:
-  db:
-    image: postgres:16-alpine
-    restart: unless-stopped
-    ports:
-      - "5434:5432"
-    environment:
-      POSTGRES_USER: casdoor
-      POSTGRES_PASSWORD: casdoor_dev
-      POSTGRES_DB: casdoor
-    volumes:
-      - casdoor_pg_data:/var/lib/postgresql/data
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U casdoor"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-
-volumes:
-  casdoor_pg_data:
--- a/email/azure_acs.go
+++ b/email/azure_acs.go
@@ -26,7 +26,7 @@ import (
 	"strings"
 	"time"

-	"github.com/casdoor/casdoor/util"
+	"github.com/google/uuid"
 )

 const (
@@ -141,7 +141,7 @@ func (a *AzureACSEmailProvider) Send(fromAddress string, fromName string, toAddr
 	}

 	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("repeatability-request-id", util.GenerateUUID())
+	req.Header.Set("repeatability-request-id", uuid.New().String())
 	req.Header.Set("repeatability-first-sent", time.Now().UTC().Format(http.TimeFormat))

 	client := &http.Client{}
--- a/email/provider.go
+++ b/email/provider.go
@@ -19,16 +19,13 @@ type EmailProvider interface {
 }

 func GetEmailProvider(typ string, clientId string, clientSecret string, host string, port int, sslMode string, endpoint string, method string, httpHeaders map[string]string, bodyMapping map[string]string, contentType string, enableProxy bool) EmailProvider {
-	switch typ {
-	case "Azure ACS":
+	if typ == "Azure ACS" {
 		return NewAzureACSEmailProvider(clientSecret, host)
-	case "Custom HTTP Email":
+	} else if typ == "Custom HTTP Email" {
 		return NewHttpEmailProvider(endpoint, method, httpHeaders, bodyMapping, contentType)
-	case "SendGrid":
+	} else if typ == "SendGrid" {
 		return NewSendgridEmailProvider(clientSecret, host, endpoint)
-	case "Resend":
-		return NewResendEmailProvider(clientSecret)
-	default:
+	} else {
 		return NewSmtpEmailProvider(clientId, clientSecret, host, port, typ, sslMode, enableProxy)
 	}
 }
--- a/email/resend.go
+++ b/email/resend.go
@@ -1,48 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package email
-
-import (
-	"fmt"
-
-	"github.com/resend/resend-go/v3"
-)
-
-type ResendEmailProvider struct {
-	Client *resend.Client
-}
-
-func NewResendEmailProvider(apiKey string) *ResendEmailProvider {
-	client := resend.NewClient(apiKey)
-	client.UserAgent += " Casdoor"
-	return &ResendEmailProvider{Client: client}
-}
-
-func (s *ResendEmailProvider) Send(fromAddress string, fromName string, toAddresses []string, subject string, content string) error {
-	from := fromAddress
-	if fromName != "" {
-		from = fmt.Sprintf("%s <%s>", fromName, fromAddress)
-	}
-	params := &resend.SendEmailRequest{
-		From:    from,
-		To:      toAddresses,
-		Subject: subject,
-		Html:    content,
-	}
-	if _, err := s.Client.Emails.Send(params); err != nil {
-		return err
-	}
-	return nil
-}
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module github.com/casdoor/casdoor

-go 1.25.0
-
-toolchain go1.25.8
+go 1.23.0

 require (
 	github.com/Masterminds/squirrel v1.5.3
@@ -24,21 +22,19 @@ require (
 	github.com/beego/beego/v2 v2.3.8
 	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.77.2
-	github.com/casbin/lego/v4 v4.5.4
-	github.com/casdoor/casdoor-go-sdk v0.50.0
 	github.com/casdoor/go-sms-sender v0.25.0
 	github.com/casdoor/gomail/v2 v2.2.0
 	github.com/casdoor/ldapserver v1.2.0
 	github.com/casdoor/notify2 v1.6.0
 	github.com/casdoor/oss v1.8.0
 	github.com/casdoor/xorm-adapter/v3 v3.1.0
-	github.com/corazawaf/coraza/v3 v3.3.3
+	github.com/casvisor/casvisor-go-sdk v1.4.0
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/elimity-com/scim v0.0.0-20230426070224-941a5eac92f3
 	github.com/fogleman/gg v1.3.0
 	github.com/go-asn1-ber/asn1-ber v1.5.5
 	github.com/go-git/go-git/v5 v5.16.3
-	github.com/go-jose/go-jose/v4 v4.1.3
+	github.com/go-jose/go-jose/v4 v4.1.2
 	github.com/go-ldap/ldap/v3 v3.4.6
 	github.com/go-mysql-org/go-mysql v1.7.0
 	github.com/go-pay/gopay v1.5.115
@@ -46,27 +42,21 @@ require (
 	github.com/go-sql-driver/mysql v1.8.1
 	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 	github.com/go-webauthn/webauthn v0.10.2
-	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/uuid v1.6.0
-	github.com/hsluoyz/modsecurity-go v0.0.7
-	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/json-iterator/go v1.1.12
 	github.com/lestrrat-go/jwx v1.2.29
 	github.com/lib/pq v1.10.9
-	github.com/likexian/whois v1.15.1
-	github.com/likexian/whois-parser v1.24.9
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
 	github.com/markbates/goth v1.82.0
 	github.com/microsoft/go-mssqldb v1.9.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/modelcontextprotocol/go-sdk v1.4.0
 	github.com/nyaruka/phonenumbers v1.2.2
 	github.com/polarsource/polar-go v0.12.0
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.19.0
-	github.com/prometheus/client_model v0.6.2
+	github.com/prometheus/client_model v0.6.0
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
-	github.com/resend/resend-go/v3 v3.1.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.9.0
 	github.com/russellhaering/goxmldsig v1.2.0
@@ -80,12 +70,10 @@ require (
 	github.com/xorm-io/builder v0.3.13
 	github.com/xorm-io/core v0.7.4
 	github.com/xorm-io/xorm v1.1.6
-	go.opentelemetry.io/proto/otlp v1.7.1
-	golang.org/x/crypto v0.47.0
-	golang.org/x/net v0.49.0
-	golang.org/x/oauth2 v0.34.0
-	golang.org/x/text v0.33.0
-	golang.org/x/time v0.8.0
+	golang.org/x/crypto v0.40.0
+	golang.org/x/net v0.41.0
+	golang.org/x/oauth2 v0.27.0
+	golang.org/x/text v0.27.0
 	google.golang.org/api v0.215.0
 	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
 	maunium.net/go/mautrix v0.22.1
@@ -93,11 +81,11 @@ require (
 )

 require (
-	cel.dev/expr v0.25.1 // indirect
+	cel.dev/expr v0.18.0 // indirect
 	cloud.google.com/go v0.116.0 // indirect
 	cloud.google.com/go/auth v0.13.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
-	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	cloud.google.com/go/iam v1.2.2 // indirect
 	cloud.google.com/go/monitoring v1.21.2 // indirect
 	cloud.google.com/go/storage v1.47.0 // indirect
@@ -107,7 +95,7 @@ require (
 	github.com/Azure/azure-storage-blob-go v0.15.0 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v0.3.1 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible // indirect
@@ -134,16 +122,16 @@ require (
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bwmarrin/discordgo v0.28.1 // indirect
 	github.com/caarlos0/go-reddit/v3 v3.0.1 // indirect
+	github.com/casdoor/casdoor-go-sdk v0.50.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
-	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
-	github.com/corazawaf/libinjection-go v0.2.2 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
 	github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/dghubble/oauth1 v0.7.3 // indirect
 	github.com/dghubble/sling v1.4.2 // indirect
@@ -153,8 +141,8 @@ require (
 	github.com/drswork/go-twitter v0.0.0-20221107160839-dea1b6ed53d7 // indirect
 	github.com/ebitengine/purego v0.9.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/envoyproxy/go-control-plane v0.13.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
 	github.com/ggicci/httpin v0.19.0 // indirect
@@ -162,7 +150,7 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-lark/lark v1.15.1 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-pay/crypto v0.0.1 // indirect
@@ -181,22 +169,14 @@ require (
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
-	github.com/google/jsonschema-go v0.4.2 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/gregdel/pushover v1.3.1 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
-	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
-	github.com/jcmturner/gofork v1.7.6 // indirect
-	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
-	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -208,51 +188,41 @@ require (
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
-	github.com/likexian/gokit v0.25.13 // indirect
 	github.com/line/line-bot-sdk-go v7.8.0+incompatible // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/magefile/mage v1.15.1-0.20241126214340-bdc92f694516 // indirect
 	github.com/markbates/going v1.0.0 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-ieproxy v0.0.1 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.57 // indirect
 	github.com/mileusna/viber v1.0.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4 // indirect
 	github.com/pingcap/errors v0.11.5-0.20210425183316-da1aaba5fb63 // indirect
 	github.com/pingcap/log v0.0.0-20210625125904-98ed8e2eb1c7 // indirect
 	github.com/pingcap/tidb/parser v0.0.0-20221126021158-6b02a5d8ba7d // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/qiniu/go-sdk/v7 v7.12.1 // indirect
-	github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2 // indirect
 	github.com/redis/go-redis/v9 v9.5.5 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rs/zerolog v1.33.0 // indirect
-	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/scim2/filter-parser/v2 v2.2.0 // indirect
-	github.com/segmentio/asm v1.1.3 // indirect
-	github.com/segmentio/encoding v0.5.3 // indirect
 	github.com/sendgrid/rest v2.6.9+incompatible // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shiena/ansicolor v0.0.0-20200904210342-c7312218db18 // indirect
 	github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/slack-go/slack v0.15.0 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 	github.com/spyzhov/ajson v0.8.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
@@ -268,43 +238,40 @@ require (
 	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/twilio/twilio-go v1.13.0 // indirect
 	github.com/ucloud/ucloud-sdk-go v0.22.5 // indirect
-	github.com/urfave/cli v1.22.5 // indirect
 	github.com/utahta/go-linenotify v0.5.0 // indirect
-	github.com/valllabh/ocsf-schema-golang v1.0.3 // indirect
 	github.com/volcengine/volc-sdk-golang v1.0.117 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.mau.fi/util v0.8.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.40.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.32.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect
+	go.opentelemetry.io/otel v1.32.0 // indirect
+	go.opentelemetry.io/otel/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.32.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/trace v1.32.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.19.1 // indirect
 	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect
-	golang.org/x/image v0.18.0 // indirect
-	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
+	golang.org/x/image v0.0.0-20220302094943-723b81ca9867 // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/time v0.8.0 // indirect
+	golang.org/x/tools v0.34.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
-	google.golang.org/grpc v1.79.3 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect
+	google.golang.org/grpc v1.68.0 // indirect
+	google.golang.org/grpc/stats/opentelemetry v0.0.0-20241028142157-ada6787961b3 // indirect
+	google.golang.org/protobuf v1.36.1 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
@@ -316,5 +283,4 @@ require (
 	modernc.org/opt v0.1.3 // indirect
 	modernc.org/strutil v1.1.3 // indirect
 	modernc.org/token v1.0.1 // indirect
-	rsc.io/binaryregexp v0.2.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
-cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
+cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo=
+cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -186,8 +186,8 @@ cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZ
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
-cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
-cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
+cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
 cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY=
 cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck=
 cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w=
@@ -658,8 +658,8 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 h1:DHa2U07rk8syqvCge0QIGMCE1WxGj9njT44GH7zNJLQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 h1:3c8yed4lgqTt+oTQ+JNMDo+F4xprBf+O/il4ZC0nRLw=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0/go.mod h1:obipzmGjfSjam60XLwGfqUkJsfiheAl+TUjG+4yzyPM=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 h1:o90wcURuxekmXrtxmYWTyNla0+ZEHhud6DI1ZTxd1vI=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0/go.mod h1:6fTWu4m3jocfUZLYF5KsZC1TUfRvEjs7lM4crme/irw=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.49.0 h1:jJKWl98inONJAr/IZrdFQUWcwUO95DLY1XMD1ZIut+g=
@@ -778,7 +778,6 @@ github.com/alibabacloud-go/tea-xml v1.1.1/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE
 github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
 github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=
 github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
-github.com/aliyun/alibaba-cloud-sdk-go v1.61.1183/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 h1:qagvUyrgOnBIlVRQWOyCZGVKUIYbMBdGdJ104vBpRFU=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.107/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ=
 github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible h1:9gWa46nstkJ9miBReJcN8Gq34cBFbzSpQZVVT9N09TM=
@@ -851,8 +850,6 @@ github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRt
 github.com/casbin/casbin/v2 v2.37.0/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.77.2 h1:yQinn/w9x8AswiwqwtrXz93VU48R1aYTXdHEx4RI3jM=
 github.com/casbin/casbin/v2 v2.77.2/go.mod h1:mzGx0hYW9/ksOSpw3wNjk3NRAroq5VMFYUQ6G43iGPk=
-github.com/casbin/lego/v4 v4.5.4 h1:WdVEj1A5KmKZheNuFNLF/5+UUkpXLt9mEOrLX3E81Vo=
-github.com/casbin/lego/v4 v4.5.4/go.mod h1:JjTyJgN5pyrDPcg3+aAM1NtFQIXl8zDgsoSS1TnVpJ8=
 github.com/casdoor/casdoor-go-sdk v0.50.0 h1:bUYbz/MzJuWfLKJbJM0+U0YpYewAur+THp5TKnufWZM=
 github.com/casdoor/casdoor-go-sdk v0.50.0/go.mod h1:cMnkCQJgMYpgAlgEx8reSt1AVaDIQLcJ1zk5pzBaz+4=
 github.com/casdoor/go-sms-sender v0.25.0 h1:eF4cOCSbjVg7+0uLlJQnna/FQ0BWW+Fp/x4cXhzQu1Y=
@@ -867,12 +864,15 @@ github.com/casdoor/oss v1.8.0 h1:uuyKhDIp7ydOtV4lpqhAY23Ban2Ln8La8+QT36CwylM=
 github.com/casdoor/oss v1.8.0/go.mod h1:uaqO7KBI2lnZcnB8rF7O6C2bN7llIbfC5Ql8ex1yR1U=
 github.com/casdoor/xorm-adapter/v3 v3.1.0 h1:NodWayRtSLVSeCvL9H3Hc61k0G17KhV9IymTCNfh3kk=
 github.com/casdoor/xorm-adapter/v3 v3.1.0/go.mod h1:4WTcUw+bTgBylGHeGHzTtBvuTXRS23dtwzFLl9tsgFM=
+github.com/casvisor/casvisor-go-sdk v1.4.0 h1:hbZEGGJ1cwdHFAxeXrMoNw6yha6Oyg2F0qQhBNCN/dg=
+github.com/casvisor/casvisor-go-sdk v1.4.0/go.mod h1:frnNtH5GA0wxzAQLyZxxfL0RSsSub9GQPi2Ybe86ocE=
 github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -905,20 +905,12 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20230310173818-32f1caf87195/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
-github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
-github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc h1:OlJhrgI3I+FLUCTI3JJW8MoqyM78WbqJjecqMnqG+wc=
-github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc/go.mod h1:7rsocqNDkTCira5T0M7buoKR2ehh7YZiPkzxRuAgvVU=
-github.com/corazawaf/coraza/v3 v3.3.3 h1:kqjStHAgWqwP5dh7n0vhTOF0a3t+VikNS/EaMiG0Fhk=
-github.com/corazawaf/coraza/v3 v3.3.3/go.mod h1:xSaXWOhFMSbrV8qOOfBKAyw3aOqfwaSaOy5BgSF8XlA=
-github.com/corazawaf/libinjection-go v0.2.2 h1:Chzodvb6+NXh6wew5/yhD0Ggioif9ACrQGR4qjTCs1g=
-github.com/corazawaf/libinjection-go v0.2.2/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
+github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI=
+github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
-github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb h1:7X9nrm+LNWdxzQOiCjy0G51rNUxbH35IDHCjAMvogyM=
 github.com/cschomburg/go-pushbullet v0.0.0-20171206132031-67759df45fbb/go.mod h1:RfQ9wji3fjcSEsQ+uFCtIh3+BXgcZum8Kt3JxvzYzlk=
@@ -928,9 +920,8 @@ github.com/cznic/mathutil v0.0.0-20181122101859-297441e03548/go.mod h1:e6NPNENfs
 github.com/cznic/sortutil v0.0.0-20181122101858-f5f958428db8/go.mod h1:q2w6Bg5jeox1B+QkJ6Wp/+Vn0G/bo3f1uY7Fn3vivIQ=
 github.com/cznic/strutil v0.0.0-20171016134553-529a34b1c186/go.mod h1:AHHPPPXTw0h6pVabbcbyGRK1DckRn7r/STdZEeIDzZc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f h1:q/DpyjJjZs94bziQ7YkBmIlpqbVP7yw179rnzoNVX1M=
 github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f/go.mod h1:QGrK8vMWWHQYQ3QU9bw9Y9OPNfxccGzfb41qjvVeXtY=
 github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ=
@@ -980,18 +971,14 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
 github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCwHLhwx1WguiVDV7pTG/tI=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
-github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
-github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
+github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE=
+github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
 github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
 github.com/envoyproxy/protoc-gen-validate v0.10.0/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
-github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
+github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM=
+github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
@@ -1003,8 +990,6 @@ github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzP
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
-github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
-github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
 github.com/franela/goblin v0.0.0-20210519012713-85d372ac71e2/go.mod h1:VzmDKDJVZI3aJmnRI9VjAn9nJ8qPPsN1fqzr9dqInIo=
 github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
@@ -1038,8 +1023,8 @@ github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lo
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
+github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.12.0/go.mod h1:lHd+EkCZPIwYItmGDDRdhinkzX2A1sj+M9biaEaizzs=
@@ -1056,8 +1041,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-mysql-org/go-mysql v1.7.0 h1:qE5FTRb3ZeTQmlk3pjE+/m2ravGxxRDrVDTyDe9tvqI=
@@ -1114,8 +1099,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
@@ -1192,8 +1177,6 @@ github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17
 github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8=
-github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
 github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -1267,9 +1250,7 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1 h1:LqbZZ9sNMWVjeXS4NN5oVvhMjDyLhmA1LG86oSo+IqY=
 github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1/go.mod h1:YeAe0gNeiNT5hoiZRI4yiOky6jVdNvfO2N6Kav/HmxY=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
@@ -1280,8 +1261,6 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
 github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -1303,8 +1282,6 @@ github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdv
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
-github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
@@ -1314,8 +1291,6 @@ github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg
 github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
 github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/hsluoyz/modsecurity-go v0.0.7 h1:W5ChaDrm4kM/UhHxoD2zyxQ+6s5kSj6cVftDFgdFzBM=
-github.com/hsluoyz/modsecurity-go v0.0.7/go.mod h1:hi81ySzwvlQFd5pip9c3uwXHDAW9ayxwLbt8ufxRkdY=
 github.com/hudl/fargo v1.4.0/go.mod h1:9Ai6uvFy5fQNq6VPKtg+Ceq1+eTY4nKUlR2JElEOcDo=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -1325,25 +1300,14 @@ github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da h1:FjHUJJ7oBW4G/9
 github.com/jarcoal/httpmock v0.0.0-20180424175123-9c70cfe4a1da/go.mod h1:ks+b9deReOc7jgqp+e7LuFiCBH6Rm5hL32cLcEAArb4=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jcchavezs/mergefs v0.1.0 h1:7oteO7Ocl/fnfFMkoVLJxTveCjrsd//UB0j89xmnpec=
-github.com/jcchavezs/mergefs v0.1.0/go.mod h1:eRLTrsA+vFwQZ48hj8p8gki/5v9C2bFtHH5Mnn4bcGk=
-github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
-github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
 github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
-github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
-github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
-github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
 github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
 github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc=
-github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
-github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
-github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/configor v1.2.1 h1:OKk9dsR8i6HPOCZR8BcMtcEImAFjIhbJFZNyn5GCZko=
 github.com/jinzhu/configor v1.2.1/go.mod h1:nX89/MOmDba7ZX7GCyU/VIaQ2Ar2aizBl2d3JLF/rDc=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
@@ -1357,9 +1321,7 @@ github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUB
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -1428,12 +1390,6 @@ github.com/lib/pq v1.7.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/likexian/gokit v0.25.13 h1:p2Uw3+6fGG53CwdU2Dz0T6bOycdb2+bAFAa3ymwWVkM=
-github.com/likexian/gokit v0.25.13/go.mod h1:qQhEWFBEfqLCO3/vOEo2EDKd+EycekVtUK4tex+l2H4=
-github.com/likexian/whois v1.15.1 h1:6vTMI8n9s1eJdmcO4R9h1x99aQWIZZX1CD3am68gApU=
-github.com/likexian/whois v1.15.1/go.mod h1:/nxmQ6YXvLz+qTxC/QFtEJNAt0zLuRxJrKiWpBJX8X0=
-github.com/likexian/whois-parser v1.24.9 h1:BT6fzO3lj3F07yzVv0YXoaj+K4Ush0/cF+Yp6tvJJgk=
-github.com/likexian/whois-parser v1.24.9/go.mod h1:b6STMHHDaSKbd4PzGrP50wWE5NzeBUETa/hT9gI0G9I=
 github.com/line/line-bot-sdk-go v7.8.0+incompatible h1:Uf9/OxV0zCVfqyvwZPH8CrdiHXXmMRa/L91G3btQblQ=
 github.com/line/line-bot-sdk-go v7.8.0+incompatible/go.mod h1:0RjLjJEAU/3GIcHkC3av6O4jInAbt25nnZVmOFUgDBg=
 github.com/localtunnel/go-localtunnel v0.0.0-20170326223115-8a804488f275 h1:IZycmTpoUtQK3PD60UYBwjaCUHUP7cML494ao9/O8+Q=
@@ -1445,8 +1401,6 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
-github.com/magefile/mage v1.15.1-0.20241126214340-bdc92f694516 h1:aAO0L0ulox6m/CLRYvJff+jWXYYCKGpEm3os7dM/Z+M=
-github.com/magefile/mage v1.15.1-0.20241126214340-bdc92f694516/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/markbates/going v1.0.0 h1:DQw0ZP7NbNlFGcKbcE/IVSOAFzScxRtLpd0rLMzLhq0=
 github.com/markbates/going v1.0.0/go.mod h1:I6mnB4BPnEeqo85ynXIx1ZFLLbtiLHNXVgWeFO9OGOA=
 github.com/markbates/goth v1.82.0 h1:8j/c34AjBSTNzO7zTsOyP5IYCQCMBTRBHAbBt/PI0bQ=
@@ -1481,8 +1435,6 @@ github.com/microsoft/go-mssqldb v1.9.0/go.mod h1:GBbW9ASTiDC+mpgWDGKdm3FnFLTUsLY
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
-github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
-github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
 github.com/mileusna/viber v1.0.1 h1:gWB6/lKoWYVxkH0Jb8jRnGIRZ/9DEM7RBZRJHRfdYWs=
 github.com/mileusna/viber v1.0.1/go.mod h1:Pxu/iPMnYjnHgu+bEp3SiKWHWmlf/kDp/yOX8XUdYrQ=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
@@ -1500,8 +1452,6 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/modelcontextprotocol/go-sdk v1.4.0 h1:u0kr8lbJc1oBcawK7Df+/ajNMpIDFE41OEPxdeTLOn8=
-github.com/modelcontextprotocol/go-sdk v1.4.0/go.mod h1:Nxc2n+n/GdCebUaqCOhTetptS17SXXNu9IfNTaLDi1E=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -1547,8 +1497,6 @@ github.com/openzipkin/zipkin-go v0.2.5/go.mod h1:KpXfKdgRDnnhsxw4pNIH9Md5lyFqKUa
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/performancecopilot/speed/v4 v4.0.0/go.mod h1:qxrSyuDGrTOWfV+uKRFhfxw6h/4HXRGUiZiufxo49BM=
-github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4 h1:1Kw2vDBXmjop+LclnzCb/fFy+sgb3gYARwfmoUcQe6o=
-github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4/go.mod h1:EHPiTAKtiFmrMldLUNswFwfZ2eJIYBHktdaUTZxYWRw=
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
 github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
@@ -1579,9 +1527,8 @@ github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZ
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polarsource/polar-go v0.12.0 h1:um+6ftOPUMg2TQq9Kv/6fKGBOAl7dOc2YiDdx4Bb0y8=
 github.com/polarsource/polar-go v0.12.0/go.mod h1:FB11Q4m2n3wIk6l/POOkz0MVOUx1o0Yt4Y97MnQfe0c=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
@@ -1602,8 +1549,8 @@ github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
-github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
+github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
@@ -1625,16 +1572,12 @@ github.com/qiniu/dyn v1.3.0/go.mod h1:E8oERcm8TtwJiZvkQPbcAh0RL8jO1G0VXJMW3FAWdk
 github.com/qiniu/go-sdk/v7 v7.12.1 h1:FZG5dhs2MZBV/mHVhmHnsgsQ+j1gSE0RqIoA2WwEDwY=
 github.com/qiniu/go-sdk/v7 v7.12.1/go.mod h1:btsaOc8CA3hdVloULfFdDgDc+g4f3TDZEFsDY0BLE+w=
 github.com/qiniu/x v1.10.5/go.mod h1:03Ni9tj+N2h2aKnAz+6N0Xfl8FwMEDRC2PAlxekASDs=
-github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2 h1:dq90+d51/hQRaHEqRAsQ1rE/pC1GUS4sc2rCbbFsAIY=
-github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/redis/go-redis/v9 v9.5.5 h1:51VEyMF8eOO+NUHFm8fpg+IOc1xFuFOhxs3R+kPu1FM=
 github.com/redis/go-redis/v9 v9.5.5/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 h1:OdAsTTz6OkFY5QxjkYwrChwuRruF69c169dPK26NUlk=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/resend/resend-go/v3 v3.1.0 h1:bJpU5gYCDcczLdhCo37oy9mOmdtSVlOzM6IfWX9zhMw=
-github.com/resend/resend-go/v3 v3.1.0/go.mod h1:iI7VA0NoGjWvsNii5iNC5Dy0llsI3HncXPejhniYzwE=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -1652,7 +1595,6 @@ github.com/russellhaering/gosaml2 v0.9.0 h1:CNMnH42z/GirrKjdmNrSS6bAAs47F9bPdl4P
 github.com/russellhaering/gosaml2 v0.9.0/go.mod h1:byViER/1YPUa0Puj9ROZblpoq2jsE7h/CJmitzX0geU=
 github.com/russellhaering/goxmldsig v1.2.0 h1:Y6GTTc9Un5hCxSzVz4UIWQ/zuVwDvzJk80guqzwx6Vg=
 github.com/russellhaering/goxmldsig v1.2.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
-github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
@@ -1662,10 +1604,6 @@ github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdh
 github.com/scim2/filter-parser/v2 v2.2.0 h1:QGadEcsmypxg8gYChRSM2j1edLyE/2j72j+hdmI4BJM=
 github.com/scim2/filter-parser/v2 v2.2.0/go.mod h1:jWnkDToqX/Y0ugz0P5VvpVEUKcWcyHHj+X+je9ce5JA=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/segmentio/asm v1.1.3 h1:WM03sfUOENvvKexOLp+pCqgb/WDjsi7EK8gIsICtzhc=
-github.com/segmentio/asm v1.1.3/go.mod h1:Ld3L4ZXGNcSLRg4JBsZ3//1+f/TjYl0Mzen/DQy1EJg=
-github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQccx6w=
-github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=
 github.com/sendgrid/rest v2.6.9+incompatible h1:1EyIcsNdn9KIisLW50MKwmSRSK+ekueiEMJ7NEoxJo0=
 github.com/sendgrid/rest v2.6.9+incompatible/go.mod h1:kXX7q3jZtJXK5c5qK83bSGMdV6tsOE70KbHoqJls4lE=
 github.com/sendgrid/sendgrid-go v3.16.0+incompatible h1:i8eE6IMkiCy7vusSdacHHSBUpXyTcTXy/Rl9N9aZ/Qw=
@@ -1678,7 +1616,6 @@ github.com/shirou/gopsutil/v4 v4.25.9 h1:JImNpf6gCVhKgZhtaAHJ0serfFGtlfIlSC08eaK
 github.com/shirou/gopsutil/v4 v4.25.9/go.mod h1:gxIxoC+7nQRwUl/xNhutXlD8lq+jxTgpIkEf3rADHL8=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24 h1:pntxY8Ary0t43dCZ5dqY4YTJCObLY1kIXl0uzMv+7DE=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726 h1:xT+JlYxNGqyT+XcU8iUrN18JYed2TvG9yN5ULG2jATM=
 github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726/go.mod h1:3yhqj7WBBfRhbBlzyOC3gUxftwsU0u8gqevxwIHQpMw=
@@ -1699,9 +1636,7 @@ github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQ
 github.com/slack-go/slack v0.15.0 h1:LE2lj2y9vqqiOf+qIIy0GvEoxgF1N5yLGZffmEZykt0=
 github.com/slack-go/slack v0.15.0/go.mod h1:hlGi5oXA+Gt+yWTPP0plCdRKmjsDxecdHxYQdlMQKOw=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/assertions v1.0.1/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
-github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
 github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM=
@@ -1710,8 +1645,6 @@ github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasO
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
-github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
-github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
 github.com/spyzhov/ajson v0.8.0 h1:sFXyMbi4Y/BKjrsfkUZHSjA2JM1184enheSjjoT/zCc=
 github.com/spyzhov/ajson v0.8.0/go.mod h1:63V+CGM6f1Bu/p4nLIN8885ojBdt88TbLoSFzyqMuVA=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
@@ -1720,7 +1653,6 @@ github.com/streadway/handy v0.0.0-20200128134331-0f66f006fb2e/go.mod h1:qNTQ5P5J
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -1764,8 +1696,6 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/timtadh/data-structures v0.5.3/go.mod h1:9R4XODhJ8JdWFEI8P/HJKqxuJctfBQw6fDibMQny2oU=
-github.com/timtadh/lexmachine v0.2.2/go.mod h1:GBJvD5OAfRn/gnp92zb9KTgHLB7akKyxmVivoYCcjQI=
 github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
 github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
 github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
@@ -1782,13 +1712,9 @@ github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVK
 github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
 github.com/ucloud/ucloud-sdk-go v0.22.5 h1:GIltVwMDUqQj4iPL/emsZAMhEYWjLTwZqpOxdkdDrM8=
 github.com/ucloud/ucloud-sdk-go v0.22.5/go.mod h1:dyLmFHmUfgb4RZKYQP9IArlvQ2pxzFthfhwxRzOEPIw=
-github.com/urfave/cli v1.22.5 h1:lNq9sAHXK2qfdI8W+GRItjCEkI+2oR4d+MEHy1CKXoU=
-github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/utahta/go-linenotify v0.5.0 h1:E1tJaB/XhqRY/iz203FD0MaHm10DjQPOq5/Mem2A3Gs=
 github.com/utahta/go-linenotify v0.5.0/go.mod h1:KsvBXil2wx+ByaCR0e+IZKTbp4pDesc7yjzRigLf6pE=
-github.com/valllabh/ocsf-schema-golang v1.0.3 h1:eR8k/3jP/OOqB8LRCtdJ4U+vlgd/gk5y3KMXoodrsrw=
-github.com/valllabh/ocsf-schema-golang v1.0.3/go.mod h1:sZ3as9xqm1SSK5feFWIR2CuGeGRhsM7TR1MbpBctzPk=
 github.com/volcengine/volc-sdk-golang v1.0.117 h1:ykFVSwsVq9qvIoWP9jeP+VKNAUjrblAdsZl46yVWiH8=
 github.com/volcengine/volc-sdk-golang v1.0.117/go.mod h1:ojXSFvj404o2UKnZR9k9LUUWIUU+9XtlRlzk2+UFc/M=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -1804,8 +1730,6 @@ github.com/xorm-io/core v0.7.4 h1:qIznlqqmYNEb03ewzRXCrNkbbxpkgc/44nVF8yoFV7Y=
 github.com/xorm-io/core v0.7.4/go.mod h1:GueyhafDnkB0KK0fXX/dEhr/P1EAGW0GLmoNDUEE1Mo=
 github.com/xorm-io/xorm v1.1.6 h1:s4fDpUXJx8Zr/PBovXNaadn+v1P3h/U3iV4OxAkWS8s=
 github.com/xorm-io/xorm v1.1.6/go.mod h1:7nsSUdmgLIcqHSSaKOzbVQiZtzIzbpGf1GGSYp6DD70=
-github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
-github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1834,31 +1758,27 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/detectors/gcp v1.40.0 h1:Awaf8gmW99tZTOWqkLCOl6aw1/rxAWVlHsHIZ3fT2sA=
-go.opentelemetry.io/contrib/detectors/gcp v1.40.0/go.mod h1:99OY9ZCqyLkzJLTh5XhECpLRSxcZl+ZDKBEO+jMBFR4=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 h1:XmiuHzgJt067+a6kwyAzkhXooYVv3/TOw9cM2VfJgUM=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0/go.mod h1:KDgtbWKTQs4bM+VPUr6WlL9m/WXcmkCcBlIzqxPGzmI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/contrib/detectors/gcp v1.32.0 h1:P78qWqkLSShicHmAzfECaTgvslqHxblNE9j62Ws1NK8=
+go.opentelemetry.io/contrib/detectors/gcp v1.32.0/go.mod h1:TVqo0Sda4Cv8gCIixd7LuLwW4EylumVWfhjZJjDD4DU=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 h1:qtFISDHKolvIxzSs0gIaiPUPR0Cucb0F2coHC7ZLdps=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0/go.mod h1:Y+Pop1Q6hCOnETWTW4NROK/q1hv50hM7yDaUTjG8lp8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 h1:DheMAlT6POBP+gh8RUH19EOTnQIor5QE0uSRPtzCpSw=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0/go.mod h1:wZcGmeVO9nzP67aYSLDqXNWK87EZWhi7JWj1v7ZXf94=
+go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
+go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
+go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
+go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4=
+go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU=
+go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
+go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
+go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
+go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
 go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
-go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@@ -1907,7 +1827,6 @@ golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
@@ -1922,8 +1841,8 @@ golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20181106170214-d68db9428509/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1954,9 +1873,8 @@ golang.org/x/image v0.0.0-20210216034530-4410531fe030/go.mod h1:FeLwcggjj3mMvU+o
 golang.org/x/image v0.0.0-20210607152325-775e3b0c77b9/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
 golang.org/x/image v0.0.0-20210628002857-a66eb6448b8d/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
 golang.org/x/image v0.0.0-20211028202545-6944b10bf410/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
+golang.org/x/image v0.0.0-20220302094943-723b81ca9867 h1:TcHcE0vrmgzNH1v3ppjcMGbhG5+9fMuvOmUYwNEF4q4=
 golang.org/x/image v0.0.0-20220302094943-723b81ca9867/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
-golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1989,8 +1907,8 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20171115151908-9dfe39835686/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -2078,8 +1996,8 @@ golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2111,8 +2029,8 @@ golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw
 golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20171101214715-fd80eb99c8f6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -2135,8 +2053,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2262,8 +2180,8 @@ golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -2287,8 +2205,8 @@ golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
+golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2313,8 +2231,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2397,8 +2315,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -2411,8 +2329,6 @@ gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJ
 gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
 gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0=
 gonum.org/v1/gonum v0.11.0/go.mod h1:fSG4YDCxxUZQJ7rKsQrj0gMOg00Il0Z96/qMA4bVQhA=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
 gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc=
 gonum.org/v1/plot v0.9.0/go.mod h1:3Pcqqmp6RHvJI72kgb8fThyUnav364FOsdDo2aGW5lY=
@@ -2629,15 +2545,15 @@ google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.
 google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
 google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
 google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q=
+google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:ylj+BE99M198VPbBh6A8d9n3w8fChvyLK3wwBOjXBFA=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234015-3fc162c6f38a/go.mod h1:xURIpW9ES5+/GZhnV6beoEtxQrnkRGIfP5VQG2tCBLc=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 h1:TqExAhdPaB60Ux47Cn0oLV07rGnxZzIsaRhQaqS666A=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -2679,9 +2595,11 @@ google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v
 google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
 google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
+google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
+google.golang.org/grpc/stats/opentelemetry v0.0.0-20241028142157-ada6787961b3 h1:hUfOButuEtpc0UvYiaYRbNwxVYr0mQQOWq6X8beJ9Gc=
+google.golang.org/grpc/stats/opentelemetry v0.0.0-20241028142157-ada6787961b3/go.mod h1:jzYlkSMbKypzuu6xoAEijsNVo9ZeDF1u/zCfFgsx7jg=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -2700,8 +2618,8 @@ google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
+google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
@@ -2714,17 +2632,13 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
-gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
@@ -2831,7 +2745,6 @@ modernc.org/z v1.0.1-0.20210308123920-1f282aa71362/go.mod h1:8/SRk5C/HgiQWCgXdfp
 modernc.org/z v1.0.1/go.mod h1:8/SRk5C/HgiQWCgXdfpb+1RvhORdkz5sw72d3jjtyqA=
 modernc.org/z v1.5.1 h1:RTNHdsrOpeoSeOF4FbzTo8gBYByaJ5xT7NgZ9ZqRiJM=
 modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
-rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
--- a/i18n/locales/de/data.json
+++ b/i18n/locales/de/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Guthaben %v wäre unter dem Kreditlimit %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Unzureichendes Guthaben: neues Organisationsguthaben %v wäre unter dem Kreditlimit %v",
    "Missing parameter": "Fehlender Parameter",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Nur Administrator kann Benutzer angeben",
    "Please login first": "Bitte zuerst einloggen",
    "The LDAP: %s does not exist": "Das LDAP: %s existiert nicht",
--- a/i18n/locales/en/data.json
+++ b/i18n/locales/en/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Insufficient balance: new balance %v would be below credit limit %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Insufficient balance: new organization balance %v would be below credit limit %v",
    "Missing parameter": "Missing parameter",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Only admin user can specify user",
    "Please login first": "Please login first",
    "The LDAP: %s does not exist": "The LDAP: %s does not exist",
--- a/i18n/locales/es/data.json
+++ b/i18n/locales/es/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo %v estaría por debajo del límite de crédito %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Saldo insuficiente: el nuevo saldo de la organización %v estaría por debajo del límite de crédito %v",
    "Missing parameter": "Parámetro faltante",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Solo el usuario administrador puede especificar usuario",
    "Please login first": "Por favor, inicia sesión primero",
    "The LDAP: %s does not exist": "El LDAP: %s no existe",
--- a/i18n/locales/fr/data.json
+++ b/i18n/locales/fr/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde %v serait inférieur à la limite de crédit %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Solde insuffisant : le nouveau solde de l'organisation %v serait inférieur à la limite de crédit %v",
    "Missing parameter": "Paramètre manquant",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Seul un administrateur peut désigner un utilisateur",
    "Please login first": "Veuillez d'abord vous connecter",
    "The LDAP: %s does not exist": "Le LDAP : %s n'existe pas",
--- a/i18n/locales/ja/data.json
+++ b/i18n/locales/ja/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "残高不足：新しい残高 %v がクレジット制限 %v を下回ります",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "残高不足：新しい組織残高 %v がクレジット制限 %v を下回ります",
    "Missing parameter": "不足しているパラメーター",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "管理者ユーザーのみがユーザーを指定できます",
    "Please login first": "最初にログインしてください",
    "The LDAP: %s does not exist": "LDAP：%s は存在しません",
--- a/i18n/locales/pl/data.json
+++ b/i18n/locales/pl/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Niewystarczające saldo: nowe saldo %v byłoby poniżej limitu kredytowego %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Niewystarczające saldo: nowe saldo organizacji %v byłoby poniżej limitu kredytowego %v",
    "Missing parameter": "Brakujący parametr",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Tylko administrator może wskazać użytkownika",
    "Please login first": "Najpierw się zaloguj",
    "The LDAP: %s does not exist": "LDAP: %s nie istnieje",
--- a/i18n/locales/pt/data.json
+++ b/i18n/locales/pt/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Saldo insuficiente: o novo saldo %v estaria abaixo do limite de crédito %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Saldo insuficiente: o novo saldo da organização %v estaria abaixo do limite de crédito %v",
    "Missing parameter": "Parâmetro ausente",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Apenas um administrador pode especificar um usuário",
    "Please login first": "Por favor, faça login primeiro",
    "The LDAP: %s does not exist": "O LDAP: %s não existe",
--- a/i18n/locales/ru/data.json
+++ b/i18n/locales/ru/data.json
@@ -1,230 +0,0 @@
-{
-  "account": {
-    "Failed to add user": "Не удалось добавить пользователя",
-    "Get init score failed, error: %w": "Не удалось получить исходный балл, ошибка: %w",
-    "The application does not allow to sign up new account": "Приложение не позволяет зарегистрироваться новому аккаунту"
-  },
-  "auth": {
-    "Challenge method should be S256": "Метод проверки должен быть S256",
-    "DeviceCode Invalid": "Неверный код устройства",
-    "Failed to create user, user information is invalid: %s": "Не удалось создать пользователя, информация о пользователе недействительна: %s",
-    "Failed to login in: %s": "Не удалось войти в систему: %s",
-    "Invalid token": "Недействительный токен",
-    "State expected: %s, but got: %s": "Ожидался статус: %s, но получен: %s",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account via %s, please use another way to sign up": "Аккаунт провайдера: %s и имя пользователя: %s (%s) не существует и не может быть зарегистрирован через %s, пожалуйста, используйте другой способ регистрации",
-    "The account for provider: %s and username: %s (%s) does not exist and is not allowed to sign up as new account, please contact your IT support": "Аккаунт для провайдера: %s и имя пользователя: %s (%s) не существует и не может быть зарегистрирован как новый аккаунт. Пожалуйста, обратитесь в службу поддержки IT",
-    "The account for provider: %s and username: %s (%s) is already linked to another account: %s (%s)": "Аккаунт поставщика: %s и имя пользователя: %s (%s) уже связаны с другим аккаунтом: %s (%s)",
-    "The application: %s does not exist": "Приложение: %s не существует",
-    "The application: %s has disabled users to signin": "Приложение: %s отключило вход пользователей",
-    "The group: %s does not exist": "Группа: %s не существует",
-    "The login method: login with LDAP is not enabled for the application": "Метод входа через LDAP отключен для этого приложения",
-    "The login method: login with SMS is not enabled for the application": "Метод входа через SMS отключен для этого приложения",
-    "The login method: login with email is not enabled for the application": "Метод входа через электронную почту отключен для этого приложения",
-    "The login method: login with face is not enabled for the application": "Метод входа через распознавание лица отключен для этого приложения",
-    "The login method: login with password is not enabled for the application": "Метод входа: вход с паролем не включен для приложения",
-    "The order: %s does not exist": "The order: %s does not exist",
-    "The organization: %s does not exist": "Организация: %s не существует",
-    "The organization: %s has disabled users to signin": "Организация: %s отключила вход пользователей",
-    "The plan: %s does not exist": "План: %s не существует",
-    "The pricing: %s does not exist": "Тариф: %s не существует",
-    "The pricing: %s does not have plan: %s": "Тариф: %s не имеет план: %s",
-    "The provider: %s does not exist": "Провайдер: %s не существует",
-    "The provider: %s is not enabled for the application": "Провайдер: %s не включен для приложения",
-    "Unauthorized operation": "Несанкционированная операция",
-    "Unknown authentication type (not password or provider), form = %s": "Неизвестный тип аутентификации (не пароль и не провайдер), форма = %s",
-    "User's tag: %s is not listed in the application's tags": "Тег пользователя: %s отсутствует в списке тегов приложения",
-    "UserCode Expired": "Срок действия кода пользователя истек",
-    "UserCode Invalid": "Неверный код пользователя",
-    "paid-user %s does not have active or pending subscription and the application: %s does not have default pricing": "Платный пользователь %s не имеет активной или ожидающей подписки, а приложение %s не имеет цены по умолчанию",
-    "the application for user %s is not found": "Приложение для пользователя %s не найдено",
-    "the organization: %s is not found": "Организация: %s не найдена"
-  },
-  "cas": {
-    "Service %s and %s do not match": "Сервисы %s и %s не совпадают"
-  },
-  "check": {
-    "%s does not meet the CIDR format requirements: %s": "%s не соответствует требованиям формата CIDR: %s",
-    "Affiliation cannot be blank": "Принадлежность не может быть пустым значением",
-    "CIDR for IP: %s should not be empty": "CIDR для IP: %s не должен быть пустым",
-    "Default code does not match the code's matching rules": "Код по умолчанию не соответствует правилам соответствия кода",
-    "DisplayName cannot be blank": "Имя отображения не может быть пустым",
-    "DisplayName is not valid real name": "DisplayName не является действительным именем",
-    "Email already exists": "Электронная почта уже существует",
-    "Email cannot be empty": "Электронная почта не может быть пустой",
-    "Email is invalid": "Адрес электронной почты недействительный",
-    "Empty username.": "Пустое имя пользователя.",
-    "Face data does not exist, cannot log in": "Данные лица отсутствуют, вход невозможен",
-    "Face data mismatch": "Несоответствие данных лица",
-    "Failed to parse client IP: %s": "Не удалось разобрать IP клиента: %s",
-    "FirstName cannot be blank": "Имя не может быть пустым",
-    "Guest users must upgrade their account by setting a username and password before they can sign in directly": "Guest users must upgrade their account by setting a username and password before they can sign in directly",
-    "Invitation code cannot be blank": "Код приглашения не может быть пустым",
-    "Invitation code exhausted": "Код приглашения исчерпан",
-    "Invitation code is invalid": "Код приглашения недействителен",
-    "Invitation code suspended": "Код приглашения приостановлен",
-    "LastName cannot be blank": "Фамилия не может быть пустой",
-    "Multiple accounts with same uid, please check your ldap server": "Множественные учетные записи с тем же UID. Пожалуйста, проверьте свой сервер LDAP",
-    "Organization does not exist": "Организация не существует",
-    "Password cannot be empty": "Пароль не может быть пустым",
-    "Phone already exists": "Телефон уже существует",
-    "Phone cannot be empty": "Телефон не может быть пустым",
-    "Phone number is invalid": "Номер телефона является недействительным",
-    "Please register using the email corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя электронную почту, соответствующую коду приглашения",
-    "Please register using the phone  corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя номер телефона, соответствующий коду приглашения",
-    "Please register using the username corresponding to the invitation code": "Пожалуйста, зарегистрируйтесь, используя имя пользователя, соответствующее коду приглашения",
-    "Session outdated, please login again": "Сессия устарела, пожалуйста, войдите снова",
-    "The invitation code has already been used": "Код приглашения уже использован",
-    "The password must contain at least one special character": "Пароль должен содержать хотя бы один специальный символ",
-    "The password must contain at least one uppercase letter, one lowercase letter and one digit": "Пароль должен содержать хотя бы одну заглавную букву, одну строчную букву и одну цифру",
-    "The password must have at least 6 characters": "Пароль должен содержать не менее 6 символов",
-    "The password must have at least 8 characters": "Пароль должен содержать не менее 8 символов",
-    "The password must not contain any repeated characters": "Пароль не должен содержать повторяющихся символов",
-    "The user has been deleted and cannot be used to sign in, please contact the administrator": "Пользователь был удален и не может быть использован для входа, пожалуйста, свяжитесь с администратором",
-    "The user is forbidden to sign in, please contact the administrator": "Пользователю запрещен вход, пожалуйста, обратитесь к администратору",
-    "The user: %s doesn't exist in LDAP server": "Пользователь: %s не существует на сервере LDAP",
-    "The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline.": "Имя пользователя может состоять только из буквенно-цифровых символов, нижних подчеркиваний или дефисов, не может содержать последовательные дефисы или подчеркивания, а также не может начинаться или заканчиваться на дефис или подчеркивание.",
-    "The value \"%s\" for account field \"%s\" doesn't match the account item regex": "The value \"%s\" for account field \"%s\" doesn't match the account item regex",
-    "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"": "The value \"%s\" for signup field \"%s\" doesn't match the signup item regex of the application \"%s\"",
-    "Username already exists": "Имя пользователя уже существует",
-    "Username cannot be an email address": "Имя пользователя не может быть адресом электронной почты",
-    "Username cannot contain white spaces": "Имя пользователя не может содержать пробелы",
-    "Username cannot start with a digit": "Имя пользователя не может начинаться с цифры",
-    "Username is too long (maximum is 255 characters).": "Имя пользователя слишком длинное (максимальная длина - 255 символов).",
-    "Username must have at least 2 characters": "Имя пользователя должно содержать не менее 2 символов",
-    "Username supports email format. Also The username may only contain alphanumeric characters, underlines or hyphens, cannot have consecutive hyphens or underlines, and cannot begin or end with a hyphen or underline. Also pay attention to the email format.": "Имя пользователя поддерживает формат электронной почты. Также имя пользователя может содержать только буквенно-цифровые символы, подчеркивания или дефисы, не может иметь последовательных дефисов или подчеркиваний и не может начинаться или заканчиваться дефисом или подчеркиванием. Также обратите внимание на формат электронной почты.",
-    "You have entered the wrong password or code too many times, please wait for %d minutes and try again": "Вы ввели неправильный пароль или код слишком много раз, пожалуйста, подождите %d минут и попробуйте снова",
-    "Your IP address: %s has been banned according to the configuration of: ": "Ваш IP-адрес: %s заблокирован согласно конфигурации: ",
-    "Your password has expired. Please reset your password by clicking \"Forgot password\"": "Срок действия вашего пароля истек. Пожалуйста, сбросьте пароль, нажав \"Забыли пароль\"",
-    "Your region is not allow to signup by phone": "Ваш регион не разрешает регистрацию по телефону",
-    "password or code is incorrect": "пароль или код неверны",
-    "password or code is incorrect, you have %s remaining chances": "Неправильный пароль или код, у вас осталось %s попыток",
-    "unsupported password type: %s": "неподдерживаемый тип пароля: %s"
-  },
-  "enforcer": {
-    "the adapter: %s is not found": "адаптер: %s не найден"
-  },
-  "general": {
-    "Failed to import groups": "Не удалось импортировать группы",
-    "Failed to import users": "Не удалось импортировать пользователей",
-    "Insufficient balance: new balance %v would be below credit limit %v": "Insufficient balance: new balance %v would be below credit limit %v",
-    "Insufficient balance: new organization balance %v would be below credit limit %v": "Insufficient balance: new organization balance %v would be below credit limit %v",
-    "Missing parameter": "Отсутствующий параметр",
-    "Only admin user can specify user": "Только администратор может указать пользователя",
-    "Please login first": "Пожалуйста, сначала войдите в систему",
-    "The LDAP: %s does not exist": "Группа LDAP: %s не существует",
-    "The organization: %s should have one application at least": "Организация: %s должна иметь хотя бы одно приложение",
-    "The syncer: %s does not exist": "The syncer: %s does not exist",
-    "The user: %s doesn't exist": "Пользователь %s не существует",
-    "The user: %s is not found": "The user: %s is not found",
-    "User is required for User category transaction": "User is required for User category transaction",
-    "Wrong userId": "Неверный идентификатор пользователя",
-    "don't support captchaProvider: ": "неподдерживаемый captchaProvider: ",
-    "this operation is not allowed in demo mode": "эта операция недоступна в демонстрационном режиме",
-    "this operation requires administrator to perform": "эта операция требует прав администратора"
-  },
-  "invitation": {
-    "Invitation %s does not exist": "Приглашение %s не существует"
-  },
-  "ldap": {
-    "Ldap server exist": "LDAP-сервер существует"
-  },
-  "link": {
-    "Please link first": "Пожалуйста, сначала установите ссылку",
-    "This application has no providers": "Это приложение не имеет провайдеров",
-    "This application has no providers of type": "Это приложение не имеет провайдеров данного типа",
-    "This provider can't be unlinked": "Этот провайдер не может быть отсоединен",
-    "You are not the global admin, you can't unlink other users": "Вы не являетесь глобальным администратором, вы не можете отсоединять других пользователей",
-    "You can't unlink yourself, you are not a member of any application": "Вы не можете отвязаться, так как вы не являетесь участником никакого приложения"
-  },
-  "organization": {
-    "Only admin can modify the %s.": "Только администратор может изменять %s.",
-    "The %s is immutable.": "%s неизменяемый.",
-    "Unknown modify rule %s.": "Неизвестное изменение правила %s.",
-    "adding a new user to the 'built-in' organization is currently disabled. Please note: all users in the 'built-in' organization are global administrators in Casdoor. Refer to the docs: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. If you still wish to create a user for the 'built-in' organization, go to the organization's settings page and enable the 'Has privilege consent' option.": "Добавление нового пользователя в организацию «built-in» (встроенная) в настоящее время отключено. Обратите внимание: все пользователи в организации «built-in» являются глобальными администраторами в Casdoor. См. документацию: https://casdoor.org/docs/basic/core-concepts#how-does-casdoor-manage-itself. Если вы все еще хотите создать пользователя для организации «built-in», перейдите на страницу настроек организации и включите опцию «Имеет согласие на привилегии»."
-  },
-  "permission": {
-    "The permission: \"%s\" doesn't exist": "The permission: \"%s\" doesn't exist"
-  },
-  "product": {
-    "Product list cannot be empty": "Product list cannot be empty"
-  },
-  "provider": {
-    "Failed to initialize ID Verification provider": "Failed to initialize ID Verification provider",
-    "Invalid application id": "Неверный идентификатор приложения",
-    "No ID Verification provider configured": "No ID Verification provider configured",
-    "Provider is not an ID Verification provider": "Provider is not an ID Verification provider",
-    "the provider: %s does not exist": "Провайдер: %s не существует"
-  },
-  "resource": {
-    "User is nil for tag: avatar": "Пользователь равен нулю для тега: аватар",
-    "Username or fullFilePath is empty: username = %s, fullFilePath = %s": "Имя пользователя или полный путь к файлу пусты: имя_пользователя = %s, полный_путь_к_файлу = %s"
-  },
-  "saml": {
-    "Application %s not found": "Приложение %s не найдено"
-  },
-  "saml_sp": {
-    "provider %s's category is not SAML": "Категория провайдера %s не является SAML"
-  },
-  "service": {
-    "Empty parameters for emailForm: %v": "Пустые параметры для emailForm: %v",
-    "Invalid Email receivers: %s": "Некорректные получатели электронной почты: %s",
-    "Invalid phone receivers: %s": "Некорректные получатели телефонных звонков: %s"
-  },
-  "session": {
-    "session id %s is the current session and cannot be deleted": "session id %s is the current session and cannot be deleted"
-  },
-  "storage": {
-    "The objectKey: %s is not allowed": "Объект «objectKey: %s» не разрешен",
-    "The provider type: %s is not supported": "Тип провайдера: %s не поддерживается"
-  },
-  "subscription": {
-    "Error": "Ошибка"
-  },
-  "ticket": {
-    "Ticket not found": "Ticket not found"
-  },
-  "token": {
-    "Grant_type: %s is not supported in this application": "Тип предоставления: %s не поддерживается в данном приложении",
-    "Invalid application or wrong clientSecret": "Недействительное приложение или неправильный clientSecret",
-    "Invalid client_id": "Недействительный идентификатор клиента",
-    "Redirect URI: %s doesn't exist in the allowed Redirect URI list": "URI перенаправления: %s не существует в списке разрешенных URI перенаправления",
-    "Token not found, invalid accessToken": "Токен не найден, недействительный accessToken"
-  },
-  "user": {
-    "Display name cannot be empty": "Отображаемое имя не может быть пустым",
-    "ID card information and real name are required": "ID card information and real name are required",
-    "Identity verification failed": "Identity verification failed",
-    "MFA email is enabled but email is empty": "MFA по электронной почте включен, но электронная почта не указана",
-    "MFA phone is enabled but phone number is empty": "MFA по телефону включен, но номер телефона не указан",
-    "New password cannot contain blank space.": "Новый пароль не может содержать пробелы.",
-    "No application found for user": "No application found for user",
-    "The new password must be different from your current password": "Новый пароль должен отличаться от текущего пароля",
-    "User is already verified": "Пользователь уже подтвержден",
-    "the user's owner and name should not be empty": "владелец и имя пользователя не должны быть пустыми"
-  },
-  "util": {
-    "No application is found for userId: %s": "Не найдено заявки для пользователя с идентификатором: %s",
-    "No provider for category: %s is found for application: %s": "Нет провайдера для категории: %s для приложения: %s",
-    "The provider: %s is not found": "Поставщик: %s не найден"
-  },
-  "verification": {
-    "Invalid captcha provider.": "Недействительный поставщик CAPTCHA.",
-    "Phone number is invalid in your region %s": "Номер телефона недействителен в вашем регионе %s",
-    "The forgot password feature is disabled": "The forgot password feature is disabled",
-    "The verification code has already been used!": "Код подтверждения уже использован!",
-    "The verification code has not been sent yet!": "Код подтверждения еще не был отправлен!",
-    "Turing test failed.": "Тест Тьюринга не удался.",
-    "Unable to get the email modify rule.": "Невозможно получить правило изменения электронной почты.",
-    "Unable to get the phone modify rule.": "Невозможно получить правило изменения телефона.",
-    "Unknown type": "Неизвестный тип",
-    "Wrong verification code!": "Неправильный код подтверждения!",
-    "You should verify your code in %d min!": "Вы должны проверить свой код через %d минут!",
-    "please add a SMS provider to the \"Providers\" list for the application: %s": "Пожалуйста, добавьте SMS-провайдера в список \"Провайдеры\" для приложения: %s",
-    "please add an Email provider to the \"Providers\" list for the application: %s": "пожалуйста, добавьте Email-провайдера в список \\\"Провайдеры\\\" для приложения: %s",
-    "the user does not exist, please sign up first": "Пользователь не существует, пожалуйста, сначала зарегистрируйтесь"
-  },
-  "webauthn": {
-    "Found no credentials for this user": "Учетные данные для этого пользователя не найдены",
-    "Please call WebAuthnSigninBegin first": "Пожалуйста, сначала вызовите WebAuthnSigninBegin"
-  }
-}
--- a/i18n/locales/tr/data.json
+++ b/i18n/locales/tr/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Yetersiz bakiye: yeni bakiye %v kredi limitinin altında olacak %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Yetersiz bakiye: yeni organizasyon bakiyesi %v kredi limitinin altında olacak %v",
    "Missing parameter": "Eksik parametre",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Yalnızca yönetici kullanıcı kullanıcı belirleyebilir",
    "Please login first": "Lütfen önce giriş yapın",
    "The LDAP: %s does not exist": "LDAP: %s mevcut değil",
--- a/i18n/locales/uk/data.json
+++ b/i18n/locales/uk/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Недостатній баланс: новий баланс %v буде нижче кредитного ліміту %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Недостатній баланс: новий баланс організації %v буде нижче кредитного ліміту %v",
    "Missing parameter": "Відсутній параметр",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Лише адміністратор може вказати користувача",
    "Please login first": "Спочатку увійдіть",
    "The LDAP: %s does not exist": "LDAP: %s не існує",
--- a/i18n/locales/vi/data.json
+++ b/i18n/locales/vi/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "Số dư không đủ: số dư mới %v sẽ thấp hơn giới hạn tín dụng %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "Số dư không đủ: số dư tổ chức mới %v sẽ thấp hơn giới hạn tín dụng %v",
    "Missing parameter": "Thiếu tham số",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "Chỉ người dùng quản trị mới có thể chỉ định người dùng",
    "Please login first": "Vui lòng đăng nhập trước",
    "The LDAP: %s does not exist": "LDAP: %s không tồn tại",
--- a/i18n/locales/zh/data.json
+++ b/i18n/locales/zh/data.json
@@ -109,6 +109,7 @@
    "Insufficient balance: new balance %v would be below credit limit %v": "余额不足：新余额 %v 将低于信用限额 %v",
    "Insufficient balance: new organization balance %v would be below credit limit %v": "余额不足：新组织余额 %v 将低于信用限额 %v",
    "Missing parameter": "缺少参数",
+    "Multiple captcha providers are not allowed in the same application: %s": "Multiple captcha providers are not allowed in the same application: %s",
    "Only admin user can specify user": "仅管理员用户可以指定用户",
    "Please login first": "请先登录",
    "The LDAP: %s does not exist": "LDAP: %s 不存在",
--- a/i18n/util.go
+++ b/i18n/util.go
@@ -98,22 +98,15 @@ func Translate(language string, errorText string) string {
 	if langMap[language] == nil {
 		file, err := f.ReadFile(fmt.Sprintf("locales/%s/data.json", language))
 		if err != nil {
-			originalLanguage := language
-			language = "en"
-			file, err = f.ReadFile(fmt.Sprintf("locales/%s/data.json", language))
-			if err != nil {
-				return fmt.Sprintf("Translate error: the language \"%s\" is not supported, err = %s", originalLanguage, err.Error())
-			}
+			return fmt.Sprintf("Translate error: the language \"%s\" is not supported, err = %s", language, err.Error())
 		}

-		if langMap[language] == nil {
-			data := I18nData{}
-			err = util.JsonToStruct(string(file), &data)
-			if err != nil {
-				panic(err)
-			}
-			langMap[language] = data
+		data := I18nData{}
+		err = util.JsonToStruct(string(file), &data)
+		if err != nil {
+			panic(err)
 		}
+		langMap[language] = data
 	}

 	res := langMap[language][tokens[0]][tokens[1]]
--- a/idp/adfs.go
+++ b/idp/adfs.go
@@ -17,7 +17,6 @@ package idp
 import (
 	"crypto/tls"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -103,7 +102,7 @@ func (idp *AdfsIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		return nil, err
 	}
 	if pToken.ErrMsg != "" {
-		return nil, errors.New(pToken.ErrMsg)
+		return nil, fmt.Errorf(pToken.ErrMsg)
 	}

 	token := &oauth2.Token{
--- a/idp/alipay.go
+++ b/idp/alipay.go
@@ -264,31 +264,27 @@ func rsaSignWithRSA256(signContent string, privateKey string) (string, error) {

 // privateKey in database is a string, format it to PEM style
 func formatPrivateKey(privateKey string) string {
-	// Check if the key is already in PEM format
-	if strings.HasPrefix(privateKey, "-----BEGIN PRIVATE KEY-----") ||
-		strings.HasPrefix(privateKey, "-----BEGIN RSA PRIVATE KEY-----") {
-		// Key is already in PEM format, return as is
-		return privateKey
-	}
-
-	// Remove any whitespace from the key
-	privateKey = strings.ReplaceAll(privateKey, "\n", "")
-	privateKey = strings.ReplaceAll(privateKey, "\r", "")
-	privateKey = strings.ReplaceAll(privateKey, " ", "")
-
-	// Format the key with line breaks every 64 characters using strings.Builder
-	var builder strings.Builder
-	for i := 0; i < len(privateKey); i += 64 {
-		end := i + 64
-		if end > len(privateKey) {
-			end = len(privateKey)
-		}
-		builder.WriteString(privateKey[i:end])
-		if end < len(privateKey) {
-			builder.WriteString("\n")
+	// each line length is 64
+	preFmtPrivateKey := ""
+	for i := 0; ; {
+		if i+64 <= len(privateKey) {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:i+64] + "\n"
+			i += 64
+		} else {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:]
+			break
 		}
 	}
+	privateKey = strings.Trim(preFmtPrivateKey, "\n")

 	// add pkcs#8 BEGIN and END
-	return "-----BEGIN PRIVATE KEY-----\n" + builder.String() + "\n-----END PRIVATE KEY-----"
+	PemBegin := "-----BEGIN PRIVATE KEY-----\n"
+	PemEnd := "\n-----END PRIVATE KEY-----"
+	if !strings.HasPrefix(privateKey, PemBegin) {
+		privateKey = PemBegin + privateKey
+	}
+	if !strings.HasSuffix(privateKey, PemEnd) {
+		privateKey = privateKey + PemEnd
+	}
+	return privateKey
 }
--- a/idp/dingtalk.go
+++ b/idp/dingtalk.go
@@ -16,7 +16,6 @@ package idp

 import (
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -159,7 +158,7 @@ func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro
 	}

 	if dtUserInfo.OpenId == "" || dtUserInfo.UnionId == "" {
-		return nil, errors.New(string(data))
+		return nil, fmt.Errorf(string(data))
 	}

 	countryCode, err := util.GetCountryCode(dtUserInfo.StateCode, dtUserInfo.Mobile)
@@ -268,7 +267,7 @@ func (idp *DingTalkIdProvider) getUserId(unionId string, accessToken string) (st
 	if data.ErrCode == 60121 {
 		return "", fmt.Errorf("该应用只允许本企业内部用户登录，您不属于该企业，无法登录")
 	} else if data.ErrCode != 0 {
-		return "", errors.New(data.ErrMessage)
+		return "", fmt.Errorf(data.ErrMessage)
 	}
 	return data.Result.UserId, nil
 }
@@ -295,7 +294,7 @@ func (idp *DingTalkIdProvider) getUserCorpEmail(userId string, accessToken strin
 		return "", "", "", err
 	}
 	if data.ErrMessage != "ok" {
-		return "", "", "", errors.New(data.ErrMessage)
+		return "", "", "", fmt.Errorf(data.ErrMessage)
 	}
 	return data.Result.Mobile, data.Result.Email, data.Result.UnionId, nil
 }
--- a/idp/wechat.go
+++ b/idp/wechat.go
@@ -19,7 +19,6 @@ import (
 	"crypto/sha1"
 	"encoding/hex"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -125,7 +124,7 @@ func (idp *WeChatIdProvider) GetToken(code string) (*oauth2.Token, error) {

 	// {"errcode":40163,"errmsg":"code been used, rid: 6206378a-793424c0-2e4091cc"}
 	if strings.Contains(buf.String(), "errcode") {
-		return nil, errors.New(buf.String())
+		return nil, fmt.Errorf(buf.String())
 	}

 	var wechatAccessToken WechatAccessToken
--- a/idp/wechat_mobile.go
+++ b/idp/wechat_mobile.go
@@ -17,7 +17,6 @@ package idp
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -94,7 +93,7 @@ func (idp *WeChatMobileIdProvider) GetToken(code string) (*oauth2.Token, error)

 	// Check for error response
 	if bytes.Contains(buf.Bytes(), []byte("errcode")) {
-		return nil, errors.New(buf.String())
+		return nil, fmt.Errorf(buf.String())
 	}

 	var wechatAccessToken WechatAccessToken
--- a/init_data.json.template
+++ b/init_data.json.template
@@ -54,7 +54,6 @@
        "pt",
        "tr",
        "pl",
-        "ru",
        "uk"
      ],
      "masterPassword": "",
@@ -68,8 +67,6 @@
        {"name": "ID", "visible": true, "viewRule": "Public", "modifyRule": "Immutable"},
        {"name": "Name", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
        {"name": "Display name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
-        {"name": "First name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
-        {"name": "Last name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
        {"name": "Avatar", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
        {"name": "User type", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
        {"name": "Password", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
@@ -84,7 +81,6 @@
        {"name": "Title", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
        {"name": "ID card type", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
        {"name": "ID card", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
-        {"name": "ID card info", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
        {"name": "Real name", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
        {"name": "ID verification", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
        {"name": "Homepage", "visible": true, "viewRule": "Public", "modifyRule": "Self"},
@@ -105,7 +101,6 @@
        {"name": "Signup application", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
        {"name": "Register type", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
        {"name": "Register source", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
-        {"name": "API key", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
        {"name": "Roles", "visible": true, "viewRule": "Public", "modifyRule": "Immutable"},
        {"name": "Permissions", "visible": true, "viewRule": "Public", "modifyRule": "Immutable"},
        {"name": "Groups", "visible": true, "viewRule": "Public", "modifyRule": "Admin"},
@@ -115,14 +110,9 @@
        {"name": "Is forbidden", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
        {"name": "Is deleted", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
        {"name": "Multi-factor authentication", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
-        {"name": "MFA items", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
        {"name": "WebAuthn credentials", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
-        {"name": "Last change password time", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
        {"name": "Managed accounts", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
-        {"name": "Face ID", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
-        {"name": "MFA accounts", "visible": true, "viewRule": "Self", "modifyRule": "Self"},
-        {"name": "Need update password", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"},
-        {"name": "IP whitelist", "visible": true, "viewRule": "Admin", "modifyRule": "Admin"}
+        {"name": "MFA accounts", "visible": true, "viewRule": "Self", "modifyRule": "Self"}
      ]
    }
  ],
--- a/ip/ip.go
+++ b/ip/ip.go
@@ -1,43 +0,0 @@
-// Copyright 2024 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ip
-
-import (
-	"fmt"
-
-	"github.com/casdoor/casdoor/util"
-)
-
-func InitIpDb() {
-	err := Init("ip/17monipdb.dat")
-	if err != nil {
-		panic(err)
-	}
-}
-
-func IsAbroadIp(ip string) bool {
-	// If it's an intranet IP, it's not abroad
-	if util.IsIntranetIp(ip) {
-		return false
-	}
-
-	info, err := Find(ip)
-	if err != nil {
-		fmt.Printf("error: ip = %s, error = %s\n", ip, err.Error())
-		return false
-	}
-
-	return info.Country != "中国"
-}
--- a/ip/ip17mon.go
+++ b/ip/ip17mon.go
@@ -1,199 +0,0 @@
-// Copyright 2022 The casbin Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ip
-
-import (
-	"bytes"
-	"encoding/binary"
-	"errors"
-	"io/ioutil"
-	"net"
-)
-
-const Null = "N/A"
-
-var (
-	ErrInvalidIp = errors.New("invalid ip format")
-	std          *Locator
-)
-
-// Init default locator with dataFile
-func Init(dataFile string) (err error) {
-	if std != nil {
-		return
-	}
-	std, err = NewLocator(dataFile)
-	return
-}
-
-// Init default locator with data
-func InitWithData(data []byte) {
-	if std != nil {
-		return
-	}
-	std = NewLocatorWithData(data)
-	return
-}
-
-// Find locationInfo by ip string
-// It will return err when ipstr is not a valid format
-func Find(ipstr string) (*LocationInfo, error) {
-	return std.Find(ipstr)
-}
-
-// Find locationInfo by uint32
-func FindByUint(ip uint32) *LocationInfo {
-	return std.FindByUint(ip)
-}
-
-//-----------------------------------------------------------------------------
-
-// New locator with dataFile
-func NewLocator(dataFile string) (loc *Locator, err error) {
-	data, err := ioutil.ReadFile(dataFile)
-	if err != nil {
-		return
-	}
-	loc = NewLocatorWithData(data)
-	return
-}
-
-// New locator with data
-func NewLocatorWithData(data []byte) (loc *Locator) {
-	loc = new(Locator)
-	loc.init(data)
-	return
-}
-
-type Locator struct {
-	textData   []byte
-	indexData1 []uint32
-	indexData2 []int
-	indexData3 []int
-	index      []int
-}
-
-type LocationInfo struct {
-	Country string
-	Region  string
-	City    string
-	Isp     string
-}
-
-// Find locationInfo by ip string
-// It will return err when ipstr is not a valid format
-func (loc *Locator) Find(ipstr string) (info *LocationInfo, err error) {
-	ip := net.ParseIP(ipstr).To4()
-	if ip == nil || ip.To4() == nil {
-		err = ErrInvalidIp
-		return
-	}
-	info = loc.FindByUint(binary.BigEndian.Uint32([]byte(ip)))
-	return
-}
-
-// Find locationInfo by uint32
-func (loc *Locator) FindByUint(ip uint32) (info *LocationInfo) {
-	end := len(loc.indexData1) - 1
-	if ip>>24 != 0xff {
-		end = loc.index[(ip>>24)+1]
-	}
-	idx := loc.findIndexOffset(ip, loc.index[ip>>24], end)
-	off := loc.indexData2[idx]
-	return newLocationInfo(loc.textData[off : off+loc.indexData3[idx]])
-}
-
-// binary search
-func (loc *Locator) findIndexOffset(ip uint32, start, end int) int {
-	for start < end {
-		mid := (start + end) / 2
-		if ip > loc.indexData1[mid] {
-			start = mid + 1
-		} else {
-			end = mid
-		}
-	}
-
-	if loc.indexData1[end] >= ip {
-		return end
-	}
-
-	return start
-}
-
-func (loc *Locator) init(data []byte) {
-	textoff := int(binary.BigEndian.Uint32(data[:4]))
-
-	loc.textData = data[textoff-1024:]
-
-	loc.index = make([]int, 256)
-	for i := 0; i < 256; i++ {
-		off := 4 + i*4
-		loc.index[i] = int(binary.LittleEndian.Uint32(data[off : off+4]))
-	}
-
-	nidx := (textoff - 4 - 1024 - 1024) / 8
-
-	loc.indexData1 = make([]uint32, nidx)
-	loc.indexData2 = make([]int, nidx)
-	loc.indexData3 = make([]int, nidx)
-
-	for i := 0; i < nidx; i++ {
-		off := 4 + 1024 + i*8
-		loc.indexData1[i] = binary.BigEndian.Uint32(data[off : off+4])
-		loc.indexData2[i] = int(uint32(data[off+4]) | uint32(data[off+5])<<8 | uint32(data[off+6])<<16)
-		loc.indexData3[i] = int(data[off+7])
-	}
-	return
-}
-
-func newLocationInfo(str []byte) *LocationInfo {
-	var info *LocationInfo
-
-	fields := bytes.Split(str, []byte("\t"))
-	switch len(fields) {
-	case 4:
-		// free version
-		info = &LocationInfo{
-			Country: string(fields[0]),
-			Region:  string(fields[1]),
-			City:    string(fields[2]),
-		}
-	case 5:
-		// pay version
-		info = &LocationInfo{
-			Country: string(fields[0]),
-			Region:  string(fields[1]),
-			City:    string(fields[2]),
-			Isp:     string(fields[4]),
-		}
-	default:
-		panic("unexpected ip info:" + string(str))
-	}
-
-	if len(info.Country) == 0 {
-		info.Country = Null
-	}
-	if len(info.Region) == 0 {
-		info.Region = Null
-	}
-	if len(info.City) == 0 {
-		info.City = Null
-	}
-	if len(info.Isp) == 0 {
-		info.Isp = Null
-	}
-	return info
-}
--- a/ldap/server.go
+++ b/ldap/server.go
@@ -203,101 +203,49 @@ func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
 		return
 	}

-	orgCache := make(map[string]*object.Organization)
-
 	for _, user := range users {
-		if _, ok := orgCache[user.Owner]; !ok {
-			org, err := object.GetOrganizationByUser(user)
-			if err != nil {
-				log.Printf("handleSearch: failed to get organization for user %s: %v", user.Name, err)
-			}
-			orgCache[user.Owner] = org
-		}
-		org := orgCache[user.Owner]
-
-		e := buildUserSearchEntry(user, string(r.BaseObject()), resolveRequestAttributes(r.Attributes()), org)
-		w.Write(e)
-	}
-	w.Write(res)
-}
-
-// resolveRequestAttributes expands the "*" wildcard to the full list of additional LDAP attributes.
-func resolveRequestAttributes(attrs message.AttributeSelection) []string {
-	result := make([]string, 0, len(attrs))
-	for _, attr := range attrs {
-		if string(attr) == "*" {
-			result = make([]string, 0, len(AdditionalLdapAttributes))
-			for _, a := range AdditionalLdapAttributes {
-				result = append(result, string(a))
-			}
-			return result
-		}
-		result = append(result, string(attr))
-	}
-	return result
-}
-
-// buildUserSearchEntry constructs an LDAP search result entry for the given user,
-// respecting the organization's LdapAttributes filter.
-func buildUserSearchEntry(user *object.User, baseDN string, attrs []string, org *object.Organization) message.SearchResultEntry {
-	dn := fmt.Sprintf("uid=%s,cn=%s,%s", user.Id, user.Name, baseDN)
-	e := ldap.NewSearchResultEntry(dn)
-	uidNumberStr := fmt.Sprintf("%v", hash(user.Name))
-	if IsLdapAttrAllowed(org, "uidNumber") {
+		dn := fmt.Sprintf("uid=%s,cn=%s,%s", user.Id, user.Name, string(r.BaseObject()))
+		e := ldap.NewSearchResultEntry(dn)
+		uidNumberStr := fmt.Sprintf("%v", hash(user.Name))
 		e.AddAttribute("uidNumber", message.AttributeValue(uidNumberStr))
-	}
-	if IsLdapAttrAllowed(org, "gidNumber") {
 		e.AddAttribute("gidNumber", message.AttributeValue(uidNumberStr))
-	}
-	if IsLdapAttrAllowed(org, "homeDirectory") {
 		e.AddAttribute("homeDirectory", message.AttributeValue("/home/"+user.Name))
-	}
-	if IsLdapAttrAllowed(org, "cn") {
 		e.AddAttribute("cn", message.AttributeValue(user.Name))
-	}
-	if IsLdapAttrAllowed(org, "uid") {
 		e.AddAttribute("uid", message.AttributeValue(user.Id))
-	}
-	if IsLdapAttrAllowed(org, "mail") {
 		e.AddAttribute("mail", message.AttributeValue(user.Email))
-	}
-	if IsLdapAttrAllowed(org, "mobile") {
 		e.AddAttribute("mobile", message.AttributeValue(user.Phone))
-	}
-	if IsLdapAttrAllowed(org, "sn") {
 		e.AddAttribute("sn", message.AttributeValue(user.LastName))
-	}
-	if IsLdapAttrAllowed(org, "givenName") {
 		e.AddAttribute("givenName", message.AttributeValue(user.FirstName))
-	}
-	// Add POSIX attributes for Linux machine login support
-	if IsLdapAttrAllowed(org, "loginShell") {
+		// Add POSIX attributes for Linux machine login support
 		e.AddAttribute("loginShell", getAttribute("loginShell", user))
-	}
-	if IsLdapAttrAllowed(org, "gecos") {
 		e.AddAttribute("gecos", getAttribute("gecos", user))
-	}
-	// Add SSH public key if available
-	if IsLdapAttrAllowed(org, "sshPublicKey") {
+		// Add SSH public key if available
 		sshKey := getAttribute("sshPublicKey", user)
 		if sshKey != "" {
 			e.AddAttribute("sshPublicKey", sshKey)
 		}
-	}
-	// Add objectClass for posixAccount
-	e.AddAttribute("objectClass", "posixAccount")
-	if IsLdapAttrAllowed(org, ldapMemberOfAttr) {
+		// Add objectClass for posixAccount
+		e.AddAttribute("objectClass", "posixAccount")
 		for _, group := range user.Groups {
 			e.AddAttribute(ldapMemberOfAttr, message.AttributeValue(group))
 		}
-	}
-	for _, attr := range attrs {
-		if !IsLdapAttrAllowed(org, attr) {
-			continue
+		attrs := r.Attributes()
+		for _, attr := range attrs {
+			if string(attr) == "*" {
+				attrs = AdditionalLdapAttributes
+				break
+			}
 		}
-		e.AddAttribute(message.AttributeDescription(attr), getAttribute(attr, user))
+		for _, attr := range attrs {
+			e.AddAttribute(message.AttributeDescription(attr), getAttribute(string(attr), user))
+			if string(attr) == "title" {
+				e.AddAttribute(message.AttributeDescription(attr), getAttribute("title", user))
+			}
+		}
+
+		w.Write(e)
 	}
-	return e
+	w.Write(res)
 }

 func handleRootSearch(w ldap.ResponseWriter, r *message.SearchRequest, res *message.SearchResultDone, m *ldap.Message) {
--- a/ldap/util.go
+++ b/ldap/util.go
@@ -198,20 +198,6 @@ func stringInSlice(value string, list []string) bool {
 	return false
 }

-// IsLdapAttrAllowed checks whether the given LDAP attribute is allowed for the organization.
-// An empty filter or a filter containing "All" means all attributes are allowed.
-func IsLdapAttrAllowed(org *object.Organization, attr string) bool {
-	if org == nil || len(org.LdapAttributes) == 0 {
-		return true
-	}
-	for _, f := range org.LdapAttributes {
-		if strings.EqualFold(f, "All") || strings.EqualFold(f, attr) {
-			return true
-		}
-	}
-	return false
-}
-
 func buildUserFilterCondition(filter interface{}) (builder.Cond, error) {
 	switch f := filter.(type) {
 	case message.FilterAnd:
--- a/log/agent_openclaw.go
+++ b/log/agent_openclaw.go
@@ -1,63 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package log
-
-import "fmt"
-
-// OtlpAdder persists a single OTLP record into the backing store.
-// Parameters: entryType ("trace"/"metrics"/"log"), message (JSON payload),
-// clientIp and userAgent from the originating HTTP request.
-// The unique entry name is generated by the implementation.
-type OtlpAdder func(entryType, message, clientIp, userAgent string) error
-
-// OpenClawProvider receives OpenTelemetry data pushed by an OpenClaw agent over
-// HTTP and persists each record as an Entry row via the OtlpAdder supplied at
-// construction time. It is passive (push-based via HTTP): Start/Stop are no-ops
-// and Write is not applicable.
-type OpenClawProvider struct {
-	providerName string
-	addOtlpEntry OtlpAdder
-}
-
-// NewOpenClawProvider creates an OpenClawProvider backed by addOtlpEntry.
-func NewOpenClawProvider(providerName string, addOtlpEntry OtlpAdder) *OpenClawProvider {
-	return &OpenClawProvider{providerName: providerName, addOtlpEntry: addOtlpEntry}
-}
-
-// Write is not applicable for an HTTP-push provider and always returns an error.
-func (p *OpenClawProvider) Write(_, _ string) error {
-	return fmt.Errorf("OpenClawProvider receives data over HTTP and does not accept Write calls")
-}
-
-// Start is a no-op; OpenClawProvider is passive and has no background goroutine.
-func (p *OpenClawProvider) Start(_ EntryAdder, _ func(error)) error { return nil }
-
-// Stop is a no-op.
-func (p *OpenClawProvider) Stop() error { return nil }
-
-// AddTrace persists an OTLP trace payload (already serialised to JSON).
-func (p *OpenClawProvider) AddTrace(message []byte, clientIp, userAgent string) error {
-	return p.addOtlpEntry("trace", string(message), clientIp, userAgent)
-}
-
-// AddMetrics persists an OTLP metrics payload (already serialised to JSON).
-func (p *OpenClawProvider) AddMetrics(message []byte, clientIp, userAgent string) error {
-	return p.addOtlpEntry("metrics", string(message), clientIp, userAgent)
-}
-
-// AddLogs persists an OTLP logs payload (already serialised to JSON).
-func (p *OpenClawProvider) AddLogs(message []byte, clientIp, userAgent string) error {
-	return p.addOtlpEntry("log", string(message), clientIp, userAgent)
-}
--- a/log/casdoor_permission.go
+++ b/log/casdoor_permission.go
@@ -1,47 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package log
-
-import (
-	"fmt"
-	"time"
-)
-
-// PermissionLogProvider records Casbin authorization decisions as Entry rows.
-// It is push-based: callers supply log lines via Write, which are immediately
-// persisted through the injected EntryAdder. Start and Stop are no-ops.
-type PermissionLogProvider struct {
-	providerName string
-	addEntry     EntryAdder
-}
-
-// NewPermissionLogProvider creates a PermissionLogProvider backed by addEntry.
-func NewPermissionLogProvider(providerName string, addEntry EntryAdder) *PermissionLogProvider {
-	return &PermissionLogProvider{providerName: providerName, addEntry: addEntry}
-}
-
-// Write stores one permission-log entry.
-// severity follows syslog conventions (e.g. info, warning, err).
-func (p *PermissionLogProvider) Write(severity string, message string) error {
-	createdTime := time.Now().UTC().Format(time.RFC3339)
-	return p.addEntry("built-in", createdTime, p.providerName, fmt.Sprintf("[%s] %s", severity, message))
-}
-
-// Start is a no-op for PermissionLogProvider; it received its EntryAdder at
-// construction time and does not require background collection.
-func (p *PermissionLogProvider) Start(_ EntryAdder, _ func(error)) error { return nil }
-
-// Stop is a no-op for PermissionLogProvider.
-func (p *PermissionLogProvider) Stop() error { return nil }
--- a/log/provider.go
+++ b/log/provider.go
@@ -1,75 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package log
-
-import (
-	"fmt"
-
-	"github.com/thanhpk/randstr"
-)
-
-// GenerateEntryName returns a cryptographically random 32-character hex string
-// suitable for use as an Entry.Name primary key.
-func GenerateEntryName() string {
-	return randstr.Hex(16)
-}
-
-// EntryAdder persists a collected log entry into the backing store.
-// Parameters map to the Entry table columns: owner, createdTime (RFC3339),
-// provider (the log provider name), and message. The unique entry name is
-// generated by the implementation, so callers do not need to supply one.
-// Defined here so it is shared by all LogProvider implementations without
-// creating import cycles with the object package.
-type EntryAdder func(owner, createdTime, provider, message string) error
-
-// LogProvider is the common interface for all log providers.
-//
-// Push-based providers (e.g. PermissionLogProvider) receive individual log
-// lines through Write and persist them immediately. Start and Stop are no-ops
-// for these providers.
-//
-// Pull-based providers (e.g. SystemLogProvider) actively collect logs from an
-// external source. Start begins a background collection goroutine that calls
-// addEntry for every new record; Stop halts collection. Write returns an error
-// for these providers as they are not designed to accept external input.
-type LogProvider interface {
-	// Write records a single log line. Used by push-based providers.
-	Write(severity string, message string) error
-	// Start begins background log collection with the given EntryAdder.
-	// For push-based providers this is a no-op (they received addEntry at
-	// construction time). onError is called from the background goroutine
-	// when collection stops with a fatal error; it may be nil.
-	Start(addEntry EntryAdder, onError func(error)) error
-	// Stop halts background collection and releases any OS resources.
-	Stop() error
-}
-
-// GetLogProvider returns a concrete log provider for the given type and connection settings.
-// The title parameter is used as the OS log tag for System Log.
-// Types that are not yet implemented return a non-nil error.
-func GetLogProvider(typ string, _ string, _ int, title string) (LogProvider, error) {
-	switch typ {
-	case "System Log":
-		tag := title
-		if tag == "" {
-			tag = "casdoor"
-		}
-		return NewSystemLogProvider(tag)
-	case "SELinux Log":
-		return NewSELinuxLogProvider()
-	default:
-		return nil, fmt.Errorf("unsupported log provider type: %s", typ)
-	}
-}
--- a/log/selinux_log.go
+++ b/log/selinux_log.go
@@ -1,66 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package log
-
-import (
-	"context"
-	"fmt"
-)
-
-// SELinuxLogProvider collects SELinux audit events (AVC denials and related
-// records) from the local system and stores each record as an Entry row via
-// the EntryAdder supplied to Start.
-//
-// It is pull-based: Write is not applicable and returns an error.
-// Start launches the background collector; Stop cancels it.
-// On platforms where SELinux is not supported, Start returns an error.
-type SELinuxLogProvider struct {
-	cancel context.CancelFunc
-}
-
-// NewSELinuxLogProvider creates a SELinuxLogProvider.
-// Call Start to begin collection.
-func NewSELinuxLogProvider() (*SELinuxLogProvider, error) {
-	return &SELinuxLogProvider{}, nil
-}
-
-// Write is not applicable for a pull-based collector and always returns an error.
-func (s *SELinuxLogProvider) Write(severity string, message string) error {
-	return fmt.Errorf("SELinuxLogProvider is a log collector and does not accept Write calls")
-}
-
-// Start launches a background goroutine that reads new SELinux audit records
-// and persists each one by calling addEntry. Returns immediately; collection
-// runs until Stop is called. If the goroutine encounters a fatal error,
-// onError is called with that error (onError may be nil).
-func (s *SELinuxLogProvider) Start(addEntry EntryAdder, onError func(error)) error {
-	ctx, cancel := context.WithCancel(context.Background())
-	s.cancel = cancel
-	go func() {
-		if err := collectSELinuxLogs(ctx, addEntry); err != nil && onError != nil {
-			onError(err)
-		}
-	}()
-	return nil
-}
-
-// Stop cancels background collection. It is safe to call multiple times.
-func (s *SELinuxLogProvider) Stop() error {
-	if s.cancel != nil {
-		s.cancel()
-		s.cancel = nil
-	}
-	return nil
-}
--- a/log/selinux_log_linux.go
+++ b/log/selinux_log_linux.go
@@ -1,140 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build linux
-
-package log
-
-import (
-	"bufio"
-	"context"
-	"fmt"
-	"os"
-	"os/exec"
-	"regexp"
-	"strconv"
-	"strings"
-	"time"
-)
-
-const auditLogPath = "/var/log/audit/audit.log"
-
-// selinuxAuditTypes is the set of audit record types that are SELinux-related.
-var selinuxAuditTypes = map[string]bool{
-	"AVC":             true,
-	"USER_AVC":        true,
-	"SELINUX_ERR":     true,
-	"MAC_POLICY_LOAD": true,
-	"MAC_STATUS":      true,
-}
-
-// auditTimestampRe matches the msg=audit(seconds.millis:serial) field.
-var auditTimestampRe = regexp.MustCompile(`msg=audit\((\d+)\.\d+:\d+\)`)
-
-// CheckSELinuxAvailable returns nil if SELinux is active and the audit log is
-// readable on this system. Returns a descriptive error otherwise.
-func CheckSELinuxAvailable() error {
-	if _, err := os.Stat("/sys/fs/selinux/enforce"); os.IsNotExist(err) {
-		return fmt.Errorf("SELinux is not available or not mounted on this system")
-	}
-	if _, err := os.Stat(auditLogPath); os.IsNotExist(err) {
-		return fmt.Errorf("SELinux audit log not found at %s (is auditd running?)", auditLogPath)
-	}
-	return nil
-}
-
-// collectSELinuxLogs tails /var/log/audit/audit.log and persists each
-// SELinux-related audit record via addEntry until ctx is cancelled.
-func collectSELinuxLogs(ctx context.Context, addEntry EntryAdder) error {
-	if err := CheckSELinuxAvailable(); err != nil {
-		return fmt.Errorf("SELinuxLogProvider: %w", err)
-	}
-
-	cmd := exec.CommandContext(ctx, "tail", "-f", "-n", "0", auditLogPath)
-	stdout, err := cmd.StdoutPipe()
-	if err != nil {
-		return fmt.Errorf("SELinuxLogProvider: failed to open audit log pipe: %w", err)
-	}
-	if err := cmd.Start(); err != nil {
-		return fmt.Errorf("SELinuxLogProvider: failed to start tail: %w", err)
-	}
-
-	scanner := bufio.NewScanner(stdout)
-	for scanner.Scan() {
-		select {
-		case <-ctx.Done():
-			return nil
-		default:
-		}
-
-		line := scanner.Text()
-		if !isSELinuxAuditLine(line) {
-			continue
-		}
-
-		severity := selinuxSeverity(line)
-		createdTime := parseAuditTimestamp(line)
-		if err := addEntry("built-in", createdTime, "",
-			fmt.Sprintf("[%s] %s", severity, line)); err != nil {
-			return fmt.Errorf("SELinuxLogProvider: failed to persist audit entry: %w", err)
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		if ctx.Err() != nil {
-			return nil
-		}
-		return fmt.Errorf("SELinuxLogProvider: audit log read error: %w", err)
-	}
-	return nil
-}
-
-// isSELinuxAuditLine reports whether the audit log line is an SELinux record.
-func isSELinuxAuditLine(line string) bool {
-	// Audit lines start with "type=<TYPE> "
-	const prefix = "type="
-	if !strings.HasPrefix(line, prefix) {
-		return false
-	}
-	end := strings.IndexByte(line[len(prefix):], ' ')
-	var typ string
-	if end < 0 {
-		typ = line[len(prefix):]
-	} else {
-		typ = line[len(prefix) : len(prefix)+end]
-	}
-	return selinuxAuditTypes[typ]
-}
-
-// selinuxSeverity maps SELinux audit record types to a syslog severity name.
-func selinuxSeverity(line string) string {
-	if strings.HasPrefix(line, "type=AVC") || strings.HasPrefix(line, "type=USER_AVC") || strings.HasPrefix(line, "type=SELINUX_ERR") {
-		return "warning"
-	}
-	return "info"
-}
-
-// parseAuditTimestamp extracts the Unix timestamp from an audit log line and
-// returns it as an RFC3339 string. Falls back to the current time on failure.
-func parseAuditTimestamp(line string) string {
-	m := auditTimestampRe.FindStringSubmatch(line)
-	if m == nil {
-		return time.Now().UTC().Format(time.RFC3339)
-	}
-	sec, err := strconv.ParseInt(m[1], 10, 64)
-	if err != nil {
-		return time.Now().UTC().Format(time.RFC3339)
-	}
-	return time.Unix(sec, 0).UTC().Format(time.RFC3339)
-}
--- a/log/selinux_log_unsupported.go
+++ b/log/selinux_log_unsupported.go
@@ -1,33 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !linux
-
-package log
-
-import (
-	"context"
-	"fmt"
-	"runtime"
-)
-
-// CheckSELinuxAvailable always returns an error on non-Linux platforms.
-func CheckSELinuxAvailable() error {
-	return fmt.Errorf("SELinux is not supported on %s", runtime.GOOS)
-}
-
-// collectSELinuxLogs is a no-op on non-Linux platforms.
-func collectSELinuxLogs(_ context.Context, _ EntryAdder) error {
-	return CheckSELinuxAvailable()
-}
--- a/log/system_log.go
+++ b/log/system_log.go
@@ -1,79 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package log
-
-import (
-	"context"
-	"fmt"
-)
-
-// platformCollector is an OS-specific log reader.
-// Implementations are in system_log_unix.go and system_log_windows.go.
-type platformCollector interface {
-	// collect blocks and streams new OS log records to addEntry until ctx is
-	// cancelled or a fatal error occurs. It must return promptly when
-	// ctx.Done() is closed. A non-nil error means collection stopped
-	// unexpectedly and should be reported to the operator.
-	collect(ctx context.Context, addEntry EntryAdder) error
-}
-
-// SystemLogProvider collects log records from the operating-system's native
-// logging facility (journald/syslog on Linux/Unix, Event Log on Windows) and
-// stores each record as an Entry row via the EntryAdder supplied to Start.
-//
-// It is pull-based: Write is not applicable and returns an error.
-// Start launches the background collector; Stop cancels it.
-type SystemLogProvider struct {
-	tag    string
-	cancel context.CancelFunc
-}
-
-// NewSystemLogProvider creates a SystemLogProvider that will identify itself
-// with the given tag when collecting OS log records.
-// Call Start to begin collection.
-func NewSystemLogProvider(tag string) (*SystemLogProvider, error) {
-	return &SystemLogProvider{tag: tag}, nil
-}
-
-// Write is not applicable for a pull-based collector and always returns an
-// error. Callers in the permission-log path should skip System Log providers.
-func (s *SystemLogProvider) Write(severity string, message string) error {
-	return fmt.Errorf("SystemLogProvider is a log collector and does not accept Write calls")
-}
-
-// Start launches a background goroutine that reads new OS log records and
-// persists each one by calling addEntry. It returns immediately; collection
-// runs until Stop is called. If the goroutine encounters a fatal error,
-// onError is called with that error (onError may be nil).
-func (s *SystemLogProvider) Start(addEntry EntryAdder, onError func(error)) error {
-	ctx, cancel := context.WithCancel(context.Background())
-	s.cancel = cancel
-	collector := newPlatformCollector(s.tag)
-	go func() {
-		if err := collector.collect(ctx, addEntry); err != nil && onError != nil {
-			onError(err)
-		}
-	}()
-	return nil
-}
-
-// Stop cancels background collection. It is safe to call multiple times.
-func (s *SystemLogProvider) Stop() error {
-	if s.cancel != nil {
-		s.cancel()
-		s.cancel = nil
-	}
-	return nil
-}
--- a/log/system_log_unix.go
+++ b/log/system_log_unix.go
@@ -1,121 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build !windows
-
-package log
-
-import (
-	"bufio"
-	"context"
-	"encoding/json"
-	"fmt"
-	"os/exec"
-	"strconv"
-	"time"
-)
-
-type unixCollector struct {
-	tag string
-}
-
-func newPlatformCollector(tag string) platformCollector {
-	return &unixCollector{tag: tag}
-}
-
-// collect streams new journald records to addEntry until ctx is cancelled or
-// a fatal error occurs. It runs `journalctl -n 0 -f --output=json` so only
-// records that arrive after Start is called are collected (no backfill).
-// Returns nil when ctx is cancelled normally; returns a non-nil error if the
-// process could not be started or the output pipe broke unexpectedly.
-func (u *unixCollector) collect(ctx context.Context, addEntry EntryAdder) error {
-	cmd := exec.CommandContext(ctx, "journalctl", "-n", "0", "-f", "--output=json")
-	stdout, err := cmd.StdoutPipe()
-	if err != nil {
-		return fmt.Errorf("SystemLogProvider: failed to open journalctl stdout pipe: %w", err)
-	}
-	if err := cmd.Start(); err != nil {
-		return fmt.Errorf("SystemLogProvider: failed to start journalctl: %w", err)
-	}
-
-	scanner := bufio.NewScanner(stdout)
-	// journald JSON lines can be large; use a 1 MB buffer.
-	scanner.Buffer(make([]byte, 1024*1024), 1024*1024)
-
-	for scanner.Scan() {
-		select {
-		case <-ctx.Done():
-			return nil
-		default:
-		}
-
-		var fields map[string]interface{}
-		if err := json.Unmarshal(scanner.Bytes(), &fields); err != nil {
-			continue
-		}
-
-		severity := journalSeverity(fields)
-		message := journalMessage(fields)
-		createdTime := journalTimestamp(fields)
-		if err := addEntry("built-in", createdTime, u.tag,
-			fmt.Sprintf("[%s] %s", severity, message)); err != nil {
-			return fmt.Errorf("SystemLogProvider: failed to persist journal entry: %w", err)
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		// A cancelled context causes the pipe to close; treat that as normal exit.
-		if ctx.Err() != nil {
-			return nil
-		}
-		return fmt.Errorf("SystemLogProvider: journalctl output error: %w", err)
-	}
-	return nil
-}
-
-// journalSeverity maps the journald PRIORITY field to a syslog severity name.
-// PRIORITY values: 0=emerg 1=alert 2=crit 3=err 4=warning 5=notice 6=info 7=debug
-func journalSeverity(fields map[string]interface{}) string {
-	mapping := map[string]string{
-		"0": "emerg", "1": "alert", "2": "crit", "3": "err",
-		"4": "warning", "5": "notice", "6": "info", "7": "debug",
-	}
-	if p, ok := fields["PRIORITY"].(string); ok {
-		if s, ok2 := mapping[p]; ok2 {
-			return s
-		}
-	}
-	return "info"
-}
-
-// journalMessage extracts the human-readable message from journald JSON.
-func journalMessage(fields map[string]interface{}) string {
-	if msg, ok := fields["MESSAGE"].(string); ok {
-		return msg
-	}
-	return ""
-}
-
-// journalTimestamp converts the journald __REALTIME_TIMESTAMP (microseconds
-// since Unix epoch) to an RFC3339 string.
-func journalTimestamp(fields map[string]interface{}) string {
-	if ts, ok := fields["__REALTIME_TIMESTAMP"].(string); ok {
-		usec, err := strconv.ParseInt(ts, 10, 64)
-		if err == nil {
-			t := time.Unix(usec/1_000_000, (usec%1_000_000)*1_000).UTC()
-			return t.Format(time.RFC3339)
-		}
-	}
-	return time.Now().UTC().Format(time.RFC3339)
-}
--- a/log/system_log_windows.go
+++ b/log/system_log_windows.go
@@ -1,180 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//go:build windows
-
-package log
-
-import (
-	"context"
-	"encoding/xml"
-	"fmt"
-	"io"
-	"os/exec"
-	"strings"
-	"time"
-)
-
-// Windows Event Log channels to collect from.
-var eventLogChannels = []string{"System", "Application"}
-
-type windowsCollector struct {
-	tag string
-}
-
-func newPlatformCollector(tag string) platformCollector {
-	return &windowsCollector{tag: tag}
-}
-
-// collect polls Windows Event Log channels every 5 seconds via wevtutil.exe
-// and persists new records to addEntry. Only events that arrive after Start
-// is called are collected; historical events are not backfilled.
-// Returns nil when ctx is cancelled normally.
-func (w *windowsCollector) collect(ctx context.Context, addEntry EntryAdder) error {
-	ticker := time.NewTicker(5 * time.Second)
-	defer ticker.Stop()
-
-	lastCheck := time.Now().UTC()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return nil
-		case tick := <-ticker.C:
-			for _, channel := range eventLogChannels {
-				if err := w.queryChannel(ctx, channel, lastCheck, addEntry); err != nil {
-					return fmt.Errorf("SystemLogProvider: error querying channel %s: %w", channel, err)
-				}
-			}
-			lastCheck = tick.UTC()
-		}
-	}
-}
-
-// queryChannel runs wevtutil.exe to fetch events from channel that were
-// created after since, then stores each event via addEntry.
-// Returns a non-nil error if the wevtutil command fails or XML parsing fails.
-func (w *windowsCollector) queryChannel(ctx context.Context, channel string, since time.Time, addEntry EntryAdder) error {
-	sinceStr := since.Format("2006-01-02T15:04:05.000Z")
-	query := fmt.Sprintf("*[System[TimeCreated[@SystemTime>='%s']]]", sinceStr)
-
-	cmd := exec.CommandContext(ctx, "wevtutil.exe", "qe", channel,
-		"/f:RenderedXml", "/rd:false",
-		fmt.Sprintf("/q:%s", query),
-	)
-	out, err := cmd.Output()
-	if err != nil {
-		// A cancelled context is a normal shutdown, not an error.
-		if ctx.Err() != nil {
-			return nil
-		}
-		return fmt.Errorf("wevtutil.exe failed for channel %s: %w", channel, err)
-	}
-	if len(out) == 0 {
-		return nil
-	}
-
-	return w.parseAndPersistEvents(out, channel, addEntry)
-}
-
-// parseAndPersistEvents decodes wevtutil XML output and persists each Event
-// record via addEntry. wevtutil outputs one <Event> element per record;
-// the output is wrapped in a synthetic <Events> root so the decoder can
-// handle multiple records in one pass. Token()+DecodeElement() is used to
-// skip the wrapper element without triggering an XMLName mismatch error.
-func (w *windowsCollector) parseAndPersistEvents(out []byte, channel string, addEntry EntryAdder) error {
-	wrapped := "<Events>" + string(out) + "</Events>"
-	decoder := xml.NewDecoder(strings.NewReader(wrapped))
-
-	for {
-		token, err := decoder.Token()
-		if err != nil {
-			if err == io.EOF {
-				break
-			}
-			return fmt.Errorf("SystemLogProvider: failed to parse event XML (channel=%s): %w", channel, err)
-		}
-		se, ok := token.(xml.StartElement)
-		if !ok || se.Name.Local != "Event" {
-			continue
-		}
-
-		var event winEvent
-		if err := decoder.DecodeElement(&event, &se); err != nil {
-			return fmt.Errorf("SystemLogProvider: failed to decode event XML (channel=%s): %w", channel, err)
-		}
-
-		severity := winEventSeverity(event.System.Level)
-		message := strings.TrimSpace(event.RenderingInfo.Message)
-		if message == "" {
-			message = fmt.Sprintf("EventID=%d Source=%s", event.System.EventID, event.System.Provider.Name)
-		}
-		createdTime := winEventTimestamp(event.System.TimeCreated.SystemTime)
-		if err := addEntry("built-in", createdTime, w.tag,
-			fmt.Sprintf("[%s] [%s] %s", severity, channel, message)); err != nil {
-			return fmt.Errorf("SystemLogProvider: failed to persist event (channel=%s EventID=%d): %w",
-				channel, event.System.EventID, err)
-		}
-	}
-	return nil
-}
-
-// winEvent represents the subset of the Windows Event XML schema that we need.
-type winEvent struct {
-	XMLName xml.Name `xml:"Event"`
-	System  struct {
-		Provider struct {
-			Name string `xml:"Name,attr"`
-		} `xml:"Provider"`
-		EventID     int `xml:"EventID"`
-		Level       int `xml:"Level"`
-		TimeCreated struct {
-			SystemTime string `xml:"SystemTime,attr"`
-		} `xml:"TimeCreated"`
-	} `xml:"System"`
-	RenderingInfo struct {
-		Message string `xml:"Message"`
-	} `xml:"RenderingInfo"`
-}
-
-// winEventSeverity maps Windows Event Log Level values to syslog severity names.
-// Level: 1=Critical 2=Error 3=Warning 4=Information 5=Verbose
-func winEventSeverity(level int) string {
-	switch level {
-	case 1:
-		return "crit"
-	case 2:
-		return "err"
-	case 3:
-		return "warning"
-	case 5:
-		return "debug"
-	default: // 4=Information and anything else
-		return "info"
-	}
-}
-
-// winEventTimestamp parses a Windows Event SystemTime attribute string to RFC3339.
-func winEventTimestamp(s string) string {
-	// SystemTime is in the form "2024-01-15T10:30:00.000000000Z"
-	t, err := time.Parse(time.RFC3339Nano, s)
-	if err != nil {
-		// Try without nanoseconds
-		t, err = time.Parse("2006-01-02T15:04:05.000000000Z", s)
-		if err != nil {
-			return time.Now().UTC().Format(time.RFC3339)
-		}
-	}
-	return t.UTC().Format(time.RFC3339)
-}
--- a/main.go
+++ b/main.go
@@ -29,7 +29,6 @@ import (
 	"github.com/casdoor/casdoor/proxy"
 	"github.com/casdoor/casdoor/radius"
 	"github.com/casdoor/casdoor/routers"
-	"github.com/casdoor/casdoor/service"
 	"github.com/casdoor/casdoor/util"
 )

@@ -66,20 +65,14 @@ func main() {
 	}

 	object.InitDefaultStorageProvider()
-	object.InitLogProviders()
 	object.InitLdapAutoSynchronizer()
 	proxy.InitHttpClient()
 	authz.InitApi()
 	object.InitUserManager()
 	object.InitFromFile()
+	object.InitCasvisorConfig()
 	object.InitCleanupTokens()

-	object.InitSiteMap()
-	if len(object.SiteMap) != 0 {
-		object.InitRuleMap()
-		object.StartMonitorSitesLoop()
-	}
-
 	util.SafeGoroutine(func() { object.RunSyncUsersJob() })
 	util.SafeGoroutine(func() { controllers.InitCLIDownloader() })

@@ -90,7 +83,6 @@ func main() {
 	web.SetStaticPath("/swagger", "swagger")
 	web.SetStaticPath("/files", "files")
 	// https://studygolang.com/articles/2303
-	web.InsertFilter("*", web.BeforeStatic, routers.RequestBodyFilter)
 	web.InsertFilter("*", web.BeforeRouter, routers.StaticFilter)
 	web.InsertFilter("*", web.BeforeRouter, routers.AutoSigninFilter)
 	web.InsertFilter("*", web.BeforeRouter, routers.CorsFilter)
@@ -134,12 +126,5 @@ func main() {
 	go radius.StartRadiusServer()
 	go object.ClearThroughputPerSecond()

-	// Start webhook delivery worker
-	object.StartWebhookDeliveryWorker()
-
-	if len(object.SiteMap) != 0 {
-		service.Start()
-	}
-
 	web.Run(fmt.Sprintf(":%v", port))
 }
--- a/mcpself/application.go
+++ b/mcpself/application.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package mcpself
+package mcp

 import (
 	"fmt"
--- a/mcpself/auth.go
+++ b/mcpself/auth.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package mcpself
+package mcp

 import (
 	"strings"
--- a/mcpself/base.go
+++ b/mcpself/base.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package mcpself
+package mcp

 import (
 	"encoding/json"
--- a/mcpself/permission.go
+++ b/mcpself/permission.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package mcpself
+package mcp

 import (
 	"github.com/casdoor/casdoor/object"
--- a/mcp/util.go
+++ b/mcp/util.go
@@ -1,367 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package mcp
-
-import (
-	"context"
-	"encoding/binary"
-	"fmt"
-	"net"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/casdoor/casdoor/util"
-	mcpsdk "github.com/modelcontextprotocol/go-sdk/mcp"
-	"golang.org/x/oauth2"
-)
-
-type InnerMcpServer struct {
-	Host string `json:"host"`
-	Port int    `json:"port"`
-	Path string `json:"path"`
-	Url  string `json:"url"`
-}
-
-func GetServerTools(owner, name, url, token string) ([]*mcpsdk.Tool, error) {
-	var session *mcpsdk.ClientSession
-	var err error
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute*10)
-	defer cancel()
-	client := mcpsdk.NewClient(&mcpsdk.Implementation{Name: util.GetId(owner, name), Version: "1.0.0"}, nil)
-
-	if strings.HasSuffix(url, "sse") {
-		if token != "" {
-			httpClient := oauth2.NewClient(ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: token}))
-			session, err = client.Connect(ctx, &mcpsdk.StreamableClientTransport{Endpoint: url, HTTPClient: httpClient}, nil)
-		} else {
-			session, err = client.Connect(ctx, &mcpsdk.StreamableClientTransport{Endpoint: url}, nil)
-		}
-	} else {
-		if token != "" {
-			httpClient := oauth2.NewClient(ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: token}))
-			session, err = client.Connect(ctx, &mcpsdk.StreamableClientTransport{Endpoint: url, HTTPClient: httpClient}, nil)
-		} else {
-			session, err = client.Connect(ctx, &mcpsdk.StreamableClientTransport{Endpoint: url}, nil)
-		}
-	}
-
-	if err != nil {
-		return nil, err
-	}
-	defer session.Close()
-
-	toolResult, err := session.ListTools(ctx, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	return toolResult.Tools, nil
-}
-
-func SanitizeScheme(scheme string) string {
-	scheme = strings.ToLower(strings.TrimSpace(scheme))
-	if scheme == "https" {
-		return "https"
-	}
-	return "http"
-}
-
-func SanitizeTimeout(timeoutMs int, defaultTimeoutMs int, maxTimeoutMs int) time.Duration {
-	if timeoutMs <= 0 {
-		timeoutMs = defaultTimeoutMs
-	}
-	if timeoutMs > maxTimeoutMs {
-		timeoutMs = maxTimeoutMs
-	}
-	return time.Duration(timeoutMs) * time.Millisecond
-}
-
-func SanitizeConcurrency(maxConcurrency int, defaultConcurrency int, maxAllowed int) int {
-	if maxConcurrency <= 0 {
-		maxConcurrency = defaultConcurrency
-	}
-	if maxConcurrency > maxAllowed {
-		maxConcurrency = maxAllowed
-	}
-	return maxConcurrency
-}
-
-func SanitizePorts(portInputs []string, defaultPorts []int) []int {
-	if len(portInputs) == 0 {
-		return append([]int{}, defaultPorts...)
-	}
-
-	portSet := map[int]struct{}{}
-	result := make([]int, 0, len(portInputs))
-	for _, portInput := range portInputs {
-		portInput = strings.TrimSpace(portInput)
-		if portInput == "" {
-			continue
-		}
-
-		if strings.Contains(portInput, "-") {
-			parts := strings.SplitN(portInput, "-", 2)
-			if len(parts) != 2 {
-				continue
-			}
-
-			start, err := strconv.Atoi(strings.TrimSpace(parts[0]))
-			if err != nil {
-				continue
-			}
-			end, err := strconv.Atoi(strings.TrimSpace(parts[1]))
-			if err != nil {
-				continue
-			}
-			if start > end {
-				continue
-			}
-
-			if start < 1 {
-				start = 1
-			}
-			if end > 65535 {
-				end = 65535
-			}
-			if start > end {
-				continue
-			}
-
-			for port := start; port <= end; port++ {
-				if _, ok := portSet[port]; ok {
-					continue
-				}
-				portSet[port] = struct{}{}
-				result = append(result, port)
-			}
-			continue
-		}
-
-		port, err := strconv.Atoi(portInput)
-		if err != nil {
-			continue
-		}
-		if port <= 0 || port > 65535 {
-			continue
-		}
-		if _, ok := portSet[port]; ok {
-			continue
-		}
-		portSet[port] = struct{}{}
-		result = append(result, port)
-	}
-	if len(result) == 0 {
-		return append([]int{}, defaultPorts...)
-	}
-	return result
-}
-
-func SanitizePaths(paths []string, defaultPaths []string) []string {
-	if len(paths) == 0 {
-		return append([]string{}, defaultPaths...)
-	}
-
-	pathSet := map[string]struct{}{}
-	result := make([]string, 0, len(paths))
-	for _, path := range paths {
-		path = strings.TrimSpace(path)
-		if path == "" {
-			continue
-		}
-		if !strings.HasPrefix(path, "/") {
-			path = "/" + path
-		}
-		if _, ok := pathSet[path]; ok {
-			continue
-		}
-		pathSet[path] = struct{}{}
-		result = append(result, path)
-	}
-	if len(result) == 0 {
-		return append([]string{}, defaultPaths...)
-	}
-	return result
-}
-
-func ParseScanTargets(targets []string, maxHosts int) ([]net.IP, error) {
-	hostSet := map[uint32]struct{}{}
-	hosts := make([]net.IP, 0)
-
-	addHost := func(ipv4 net.IP) error {
-		value := binary.BigEndian.Uint32(ipv4)
-		if _, ok := hostSet[value]; ok {
-			return nil
-		}
-		if len(hosts) >= maxHosts {
-			return fmt.Errorf("scan targets exceed max %d hosts", maxHosts)
-		}
-		hostSet[value] = struct{}{}
-		host := make(net.IP, net.IPv4len)
-		copy(host, ipv4)
-		hosts = append(hosts, host)
-		return nil
-	}
-
-	for _, target := range targets {
-		target = strings.TrimSpace(target)
-		if target == "" {
-			continue
-		}
-
-		if ip := net.ParseIP(target); ip != nil {
-			ipv4 := ip.To4()
-			if ipv4 == nil {
-				return nil, fmt.Errorf("only IPv4 is supported: %s", target)
-			}
-			if !util.IsIntranetIp(ipv4.String()) {
-				return nil, fmt.Errorf("target must be intranet: %s", target)
-			}
-			if err := addHost(ipv4); err != nil {
-				return nil, err
-			}
-			continue
-		}
-
-		cidrHosts, err := ParseCIDRHosts(target, maxHosts)
-		if err != nil {
-			return nil, err
-		}
-		for _, host := range cidrHosts {
-			if !util.IsIntranetIp(host.String()) {
-				return nil, fmt.Errorf("target must be intranet: %s", target)
-			}
-			if err = addHost(host.To4()); err != nil {
-				return nil, err
-			}
-		}
-	}
-
-	if len(hosts) == 0 {
-		return nil, fmt.Errorf("cidr is required")
-	}
-
-	return hosts, nil
-}
-
-func ParseCIDRHosts(cidr string, maxHosts int) ([]net.IP, error) {
-	baseIp, ipNet, err := net.ParseCIDR(cidr)
-	if err != nil {
-		return nil, err
-	}
-
-	ipv4 := baseIp.To4()
-	if ipv4 == nil {
-		return nil, fmt.Errorf("only IPv4 CIDR is supported")
-	}
-	if !util.IsIntranetIp(ipv4.String()) {
-		return nil, fmt.Errorf("cidr must be intranet: %s", cidr)
-	}
-
-	ones, bits := ipNet.Mask.Size()
-	hostBits := bits - ones
-	if hostBits < 0 {
-		return nil, fmt.Errorf("invalid cidr mask: %s", cidr)
-	}
-
-	if hostBits >= 63 {
-		return nil, fmt.Errorf("cidr range is too large")
-	}
-	total := uint64(1) << hostBits
-	if total > uint64(maxHosts)+2 {
-		return nil, fmt.Errorf("cidr range is too large, max %d hosts", maxHosts)
-	}
-
-	totalInt := int(total)
-	start := binary.BigEndian.Uint32(ipv4.Mask(ipNet.Mask))
-	end := start + uint32(total) - 1
-	hosts := make([]net.IP, 0, totalInt)
-	for value := start; value <= end; value++ {
-		if total > 2 && (value == start || value == end) {
-			continue
-		}
-
-		candidate := make(net.IP, net.IPv4len)
-		binary.BigEndian.PutUint32(candidate, value)
-		if ipNet.Contains(candidate) {
-			hosts = append(hosts, candidate)
-		}
-	}
-
-	if len(hosts) == 0 {
-		return nil, fmt.Errorf("cidr has no usable hosts: %s", cidr)
-	}
-
-	return hosts, nil
-}
-
-func ProbeHost(ctx context.Context, client *http.Client, scheme, host string, ports []int, paths []string, timeout time.Duration) (bool, []*InnerMcpServer) {
-	if !util.IsIntranetIp(host) {
-		return false, nil
-	}
-
-	dialer := &net.Dialer{Timeout: timeout}
-	isOnline := false
-	var servers []*InnerMcpServer
-
-	for _, port := range ports {
-		address := net.JoinHostPort(host, strconv.Itoa(port))
-		conn, err := dialer.DialContext(ctx, "tcp", address)
-		if err != nil {
-			continue
-		}
-		_ = conn.Close()
-		isOnline = true
-
-		for _, path := range paths {
-			server, ok := probeMcpInitialize(ctx, client, scheme, host, port, path)
-			if ok {
-				servers = append(servers, server)
-			}
-		}
-	}
-
-	return isOnline, servers
-}
-
-func probeMcpInitialize(ctx context.Context, client *http.Client, scheme, host string, port int, path string) (*InnerMcpServer, bool) {
-	fullUrl := fmt.Sprintf("%s://%s%s", scheme, net.JoinHostPort(host, strconv.Itoa(port)), path)
-
-	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, fullUrl, nil)
-	if err != nil {
-		return nil, false
-	}
-
-	resp, err := client.Do(httpReq)
-	if err != nil {
-		return nil, false
-	}
-	defer func() {
-		_ = resp.Body.Close()
-	}()
-
-	if resp.StatusCode == http.StatusNotFound {
-		return nil, false
-	}
-
-	return &InnerMcpServer{
-		Host: host,
-		Port: port,
-		Path: path,
-		Url:  fullUrl,
-	}, true
-}
--- a/object/adapter.go
+++ b/object/adapter.go
@@ -41,7 +41,6 @@ type Adapter struct {
 	Database     string `xorm:"varchar(100)" json:"database"`

 	*xormadapter.Adapter `xorm:"-" json:"-"`
-	engine               *xorm.Engine
 }

 func GetAdapterCount(owner, field, value string) (int64, error) {
@@ -147,7 +146,7 @@ func (adapter *Adapter) GetId() string {
 }

 func (adapter *Adapter) InitAdapter() error {
-	if adapter.Adapter != nil && adapter.engine != nil {
+	if adapter.Adapter != nil {
 		return nil
 	}

@@ -161,9 +160,6 @@ func (adapter *Adapter) InitAdapter() error {
 		}
 	} else {
 		driverName = adapter.DatabaseType
-		if driverName == "sqlite3" {
-			driverName = "sqlite"
-		}
 		switch driverName {
 		case "mssql":
 			dataSourceName = fmt.Sprintf("sqlserver://%s:%s@%s:%d?database=%s", adapter.User,
@@ -177,7 +173,7 @@ func (adapter *Adapter) InitAdapter() error {
 		case "CockroachDB":
 			dataSourceName = fmt.Sprintf("user=%s password=%s host=%s port=%d sslmode=disable dbname=%s serial_normalization=virtual_sequence",
 				adapter.User, adapter.Password, adapter.Host, adapter.Port, adapter.Database)
-		case "sqlite":
+		case "sqlite3":
 			dataSourceName = fmt.Sprintf("file:%s", adapter.Host)
 		default:
 			return fmt.Errorf("unsupported database type: %s", adapter.DatabaseType)
@@ -203,15 +199,11 @@ func (adapter *Adapter) InitAdapter() error {

 	tableName := adapter.Table

-	xa, err := xormadapter.NewAdapterByEngineWithTableName(engine, tableName, "")
+	adapter.Adapter, err = xormadapter.NewAdapterByEngineWithTableName(engine, tableName, "")
 	if err != nil {
-		_ = engine.Close()
 		return err
 	}

-	adapter.engine = engine
-	adapter.Adapter = xa
-
 	return nil
 }

--- a/object/adapter_safe.go
+++ b/object/adapter_safe.go
@@ -1,138 +0,0 @@
-package object
-
-import (
-	xormadapter "github.com/casdoor/xorm-adapter/v3"
-	"github.com/xorm-io/xorm"
-)
-
-type SafeAdapter struct {
-	*xormadapter.Adapter
-	engine    *xorm.Engine
-	tableName string
-}
-
-func NewSafeAdapter(a *Adapter) *SafeAdapter {
-	if a == nil || a.Adapter == nil || a.engine == nil {
-		return nil
-	}
-
-	return &SafeAdapter{
-		Adapter:   a.Adapter,
-		engine:    a.engine,
-		tableName: a.Table,
-	}
-}
-
-func (a *SafeAdapter) RemovePolicy(sec string, ptype string, rule []string) error {
-	line := a.buildCasbinRule(ptype, rule)
-
-	session := a.engine.NewSession()
-	defer session.Close()
-
-	if a.tableName != "" {
-		session = session.Table(a.tableName)
-	}
-
-	_, err := session.
-		MustCols("ptype", "v0", "v1", "v2", "v3", "v4", "v5").
-		Delete(line)
-
-	return err
-}
-
-func (a *SafeAdapter) RemovePolicies(sec string, ptype string, rules [][]string) error {
-	_, err := a.engine.Transaction(func(tx *xorm.Session) (interface{}, error) {
-		for _, rule := range rules {
-			line := a.buildCasbinRule(ptype, rule)
-
-			var session *xorm.Session
-			if a.tableName != "" {
-				session = tx.Table(a.tableName)
-			} else {
-				session = tx
-			}
-
-			_, err := session.
-				MustCols("ptype", "v0", "v1", "v2", "v3", "v4", "v5").
-				Delete(line)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return nil, nil
-	})
-	return err
-}
-
-func (a *SafeAdapter) UpdatePolicy(sec string, ptype string, oldRule []string, newRule []string) error {
-	oldLine := a.buildCasbinRule(ptype, oldRule)
-	newLine := a.buildCasbinRule(ptype, newRule)
-
-	session := a.engine.NewSession()
-	defer session.Close()
-
-	if a.tableName != "" {
-		session = session.Table(a.tableName)
-	}
-
-	_, err := session.
-		Where("ptype = ? AND v0 = ? AND v1 = ? AND v2 = ? AND v3 = ? AND v4 = ? AND v5 = ?",
-			oldLine.Ptype, oldLine.V0, oldLine.V1, oldLine.V2, oldLine.V3, oldLine.V4, oldLine.V5).
-		MustCols("ptype", "v0", "v1", "v2", "v3", "v4", "v5").
-		Update(newLine)
-
-	return err
-}
-
-func (a *SafeAdapter) UpdatePolicies(sec string, ptype string, oldRules [][]string, newRules [][]string) error {
-	_, err := a.engine.Transaction(func(tx *xorm.Session) (interface{}, error) {
-		for i, oldRule := range oldRules {
-			oldLine := a.buildCasbinRule(ptype, oldRule)
-			newLine := a.buildCasbinRule(ptype, newRules[i])
-
-			var session *xorm.Session
-			if a.tableName != "" {
-				session = tx.Table(a.tableName)
-			} else {
-				session = tx
-			}
-
-			_, err := session.
-				Where("ptype = ? AND v0 = ? AND v1 = ? AND v2 = ? AND v3 = ? AND v4 = ? AND v5 = ?",
-					oldLine.Ptype, oldLine.V0, oldLine.V1, oldLine.V2, oldLine.V3, oldLine.V4, oldLine.V5).
-				MustCols("ptype", "v0", "v1", "v2", "v3", "v4", "v5").
-				Update(newLine)
-			if err != nil {
-				return nil, err
-			}
-		}
-		return nil, nil
-	})
-	return err
-}
-
-func (a *SafeAdapter) buildCasbinRule(ptype string, rule []string) *xormadapter.CasbinRule {
-	line := xormadapter.CasbinRule{Ptype: ptype}
-
-	l := len(rule)
-	if l > 0 {
-		line.V0 = rule[0]
-	}
-	if l > 1 {
-		line.V1 = rule[1]
-	}
-	if l > 2 {
-		line.V2 = rule[2]
-	}
-	if l > 3 {
-		line.V3 = rule[3]
-	}
-	if l > 4 {
-		line.V4 = rule[4]
-	}
-	if l > 5 {
-		line.V5 = rule[5]
-	}
-
-	return &line
-}
--- a/object/agent.go
+++ b/object/agent.go
@@ -1,118 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"fmt"
-
-	"github.com/casdoor/casdoor/util"
-	"github.com/xorm-io/core"
-)
-
-type Agent struct {
-	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
-	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
-	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
-	UpdatedTime string `xorm:"varchar(100)" json:"updatedTime"`
-	DisplayName string `xorm:"varchar(100)" json:"displayName"`
-
-	Url         string `xorm:"varchar(500)" json:"url"`
-	Token       string `xorm:"varchar(500)" json:"token"`
-	Application string `xorm:"varchar(100)" json:"application"`
-}
-
-func GetAgents(owner string) ([]*Agent, error) {
-	agents := []*Agent{}
-	err := ormer.Engine.Desc("created_time").Find(&agents, &Agent{Owner: owner})
-	if err != nil {
-		return nil, err
-	}
-
-	return agents, nil
-}
-
-func getAgent(owner string, name string) (*Agent, error) {
-	agent := Agent{Owner: owner, Name: name}
-	existed, err := ormer.Engine.Get(&agent)
-	if err != nil {
-		return nil, err
-	}
-
-	if existed {
-		return &agent, nil
-	}
-	return nil, nil
-}
-
-func GetAgent(id string) (*Agent, error) {
-	owner, name := util.GetOwnerAndNameFromIdNoCheck(id)
-	return getAgent(owner, name)
-}
-
-func UpdateAgent(id string, agent *Agent) (bool, error) {
-	owner, name := util.GetOwnerAndNameFromIdNoCheck(id)
-	if a, err := getAgent(owner, name); err != nil {
-		return false, err
-	} else if a == nil {
-		return false, nil
-	}
-
-	agent.UpdatedTime = util.GetCurrentTime()
-
-	_, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(agent)
-	if err != nil {
-		return false, err
-	}
-
-	return true, nil
-}
-
-func AddAgent(agent *Agent) (bool, error) {
-	affected, err := ormer.Engine.Insert(agent)
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func DeleteAgent(agent *Agent) (bool, error) {
-	affected, err := ormer.Engine.ID(core.PK{agent.Owner, agent.Name}).Delete(&Agent{})
-	if err != nil {
-		return false, err
-	}
-
-	return affected != 0, nil
-}
-
-func (agent *Agent) GetId() string {
-	return fmt.Sprintf("%s/%s", agent.Owner, agent.Name)
-}
-
-func GetAgentCount(owner, field, value string) (int64, error) {
-	session := GetSession(owner, -1, -1, field, value, "", "")
-	return session.Count(&Agent{})
-}
-
-func GetPaginationAgents(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Agent, error) {
-	agents := []*Agent{}
-	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
-	err := session.Find(&agents)
-	if err != nil {
-		return agents, err
-	}
-
-	return agents, nil
-}
--- a/object/application.go
+++ b/object/application.go
@@ -15,8 +15,9 @@
 package object

 import (
-	"errors"
 	"fmt"
+	"regexp"
+	"strings"

 	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
@@ -94,7 +95,6 @@ type Application struct {
 	HeaderHtml                   string          `xorm:"mediumtext" json:"headerHtml"`
 	EnablePassword               bool            `json:"enablePassword"`
 	EnableSignUp                 bool            `json:"enableSignUp"`
-	EnableGuestSignin            bool            `json:"enableGuestSignin"`
 	DisableSignin                bool            `json:"disableSignin"`
 	EnableSigninSession          bool            `json:"enableSigninSession"`
 	EnableAutoSignin             bool            `json:"enableAutoSignin"`
@@ -125,7 +125,6 @@ type Application struct {

 	ClientId                string     `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret            string     `xorm:"varchar(100)" json:"clientSecret"`
-	ClientCert              string     `xorm:"varchar(100)" json:"clientCert"`
 	RedirectUris            []string   `xorm:"varchar(1000)" json:"redirectUris"`
 	ForcedRedirectOrigin    string     `xorm:"varchar(100)" json:"forcedRedirectOrigin"`
 	TokenFormat             string     `xorm:"varchar(100)" json:"tokenFormat"`
@@ -156,16 +155,12 @@ type Application struct {
 	FailedSigninFrozenTime int `json:"failedSigninFrozenTime"`
 	CodeResendTimeout      int `json:"codeResendTimeout"`

-	CustomScopes []*ScopeDescription `xorm:"mediumtext" json:"customScopes"`
-
-	// Reverse proxy fields
+	// Reverse Proxy fields
 	Domain       string   `xorm:"varchar(100)" json:"domain"`
-	OtherDomains []string `xorm:"varchar(1000)" json:"otherDomains"`
+	OtherDomains []string `xorm:"mediumtext" json:"otherDomains"`
 	UpstreamHost string   `xorm:"varchar(100)" json:"upstreamHost"`
 	SslMode      string   `xorm:"varchar(100)" json:"sslMode"`
 	SslCert      string   `xorm:"varchar(100)" json:"sslCert"`
-
-	CertObj *Cert `xorm:"-"`
 }

 func GetApplicationCount(owner, field, value string) (int64, error) {
@@ -220,6 +215,192 @@ func GetPaginationOrganizationApplications(owner, organization string, offset, l
 	return applications, nil
 }

+func getProviderMap(owner string) (m map[string]*Provider, err error) {
+	providers, err := GetProviders(owner)
+	if err != nil {
+		return nil, err
+	}
+
+	m = map[string]*Provider{}
+	for _, provider := range providers {
+		m[provider.Name] = GetMaskedProvider(provider, true)
+	}
+
+	return m, err
+}
+
+func extendApplicationWithProviders(application *Application) (err error) {
+	m, err := getProviderMap(application.Organization)
+	if err != nil {
+		return err
+	}
+
+	for _, providerItem := range application.Providers {
+		if provider, ok := m[providerItem.Name]; ok {
+			providerItem.Provider = provider
+		}
+	}
+
+	return
+}
+
+func extendApplicationWithOrg(application *Application) (err error) {
+	organization, err := getOrganization(application.Owner, application.Organization)
+	application.OrganizationObj = organization
+	return
+}
+
+func extendApplicationWithSigninItems(application *Application) (err error) {
+	if len(application.SigninItems) == 0 {
+		signinItem := &SigninItem{
+			Name:        "Back button",
+			Visible:     true,
+			CustomCss:   ".back-button {\n      top: 65px;\n      left: 15px;\n      position: absolute;\n}\n.back-inner-button{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Languages",
+			Visible:     true,
+			CustomCss:   ".login-languages {\n    top: 55px;\n    right: 5px;\n    position: absolute;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Logo",
+			Visible:     true,
+			CustomCss:   ".login-logo-box {}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Signin methods",
+			Visible:     true,
+			CustomCss:   ".signin-methods {}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Username",
+			Visible:     true,
+			CustomCss:   ".login-username {}\n.login-username-input{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Password",
+			Visible:     true,
+			CustomCss:   ".login-password {}\n.login-password-input{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Verification code",
+			Visible:     true,
+			CustomCss:   ".verification-code {}\n.verification-code-input{}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Agreement",
+			Visible:     true,
+			CustomCss:   ".login-agreement {}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Forgot password?",
+			Visible:     true,
+			CustomCss:   ".login-forget-password {\n    display: inline-flex;\n    justify-content: space-between;\n    width: 320px;\n    margin-bottom: 25px;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Login button",
+			Visible:     true,
+			CustomCss:   ".login-button-box {\n    margin-bottom: 5px;\n}\n.login-button {\n    width: 100%;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Signup link",
+			Visible:     true,
+			CustomCss:   ".login-signup-link {\n    margin-bottom: 24px;\n    display: flex;\n    justify-content: end;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+		signinItem = &SigninItem{
+			Name:        "Providers",
+			Visible:     true,
+			CustomCss:   ".provider-img {\n      width: 30px;\n      margin: 5px;\n}\n.provider-big-img {\n      margin-bottom: 10px;\n}",
+			Placeholder: "",
+			Rule:        "None",
+		}
+		application.SigninItems = append(application.SigninItems, signinItem)
+	}
+	for idx, item := range application.SigninItems {
+		if item.Label != "" && item.CustomCss == "" {
+			application.SigninItems[idx].CustomCss = item.Label
+			application.SigninItems[idx].Label = ""
+		}
+	}
+	return
+}
+
+func extendApplicationWithSigninMethods(application *Application) (err error) {
+	if len(application.SigninMethods) == 0 {
+		if application.EnablePassword {
+			signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
+			application.SigninMethods = append(application.SigninMethods, signinMethod)
+		}
+		if application.EnableCodeSignin {
+			signinMethod := &SigninMethod{Name: "Verification code", DisplayName: "Verification code", Rule: "All"}
+			application.SigninMethods = append(application.SigninMethods, signinMethod)
+		}
+		if application.EnableWebAuthn {
+			signinMethod := &SigninMethod{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"}
+			application.SigninMethods = append(application.SigninMethods, signinMethod)
+		}
+
+		signinMethod := &SigninMethod{Name: "Face ID", DisplayName: "Face ID", Rule: "None"}
+		application.SigninMethods = append(application.SigninMethods, signinMethod)
+	}
+
+	if len(application.SigninMethods) == 0 {
+		signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
+		application.SigninMethods = append(application.SigninMethods, signinMethod)
+	}
+
+	return
+}
+
+func extendApplicationWithSignupItems(application *Application) (err error) {
+	if len(application.SignupItems) == 0 {
+		application.SignupItems = []*SignupItem{
+			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},
+			{Name: "Username", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Display name", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Password", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Confirm password", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Email", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Phone", Visible: true, Required: true, Prompted: false, Rule: "None"},
+			{Name: "Agreement", Visible: true, Required: true, Prompted: false, Rule: "None"},
+		}
+	}
+	return
+}
+
 func getApplication(owner string, name string) (*Application, error) {
 	if owner == "" || name == "" {
 		return nil, nil
@@ -372,6 +553,155 @@ func GetApplication(id string) (*Application, error) {
 	return getApplication(owner, name)
 }

+func GetMaskedApplication(application *Application, userId string) *Application {
+	if application == nil {
+		return nil
+	}
+
+	if application.TokenFields == nil {
+		application.TokenFields = []string{}
+	}
+
+	if application.FailedSigninLimit == 0 {
+		application.FailedSigninLimit = DefaultFailedSigninLimit
+	}
+	if application.FailedSigninFrozenTime == 0 {
+		application.FailedSigninFrozenTime = DefaultFailedSigninFrozenTime
+	}
+
+	isOrgUser := false
+	if userId != "" {
+		if isUserIdGlobalAdmin(userId) {
+			return application
+		}
+
+		user, err := GetUser(userId)
+		if err != nil {
+			panic(err)
+		}
+		if user != nil {
+			if user.IsApplicationAdmin(application) {
+				return application
+			}
+
+			if user.Owner == application.Organization {
+				isOrgUser = true
+			}
+		}
+	}
+
+	application.ClientSecret = "***"
+	application.Cert = "***"
+	application.EnablePassword = false
+	application.EnableSigninSession = false
+	application.EnableCodeSignin = false
+	application.EnableSamlCompress = false
+	application.EnableSamlC14n10 = false
+	application.EnableSamlPostBinding = false
+	application.DisableSamlAttributes = false
+	application.EnableWebAuthn = false
+	application.EnableLinkWithEmail = false
+	application.SamlReplyUrl = "***"
+
+	providerItems := []*ProviderItem{}
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha" || providerItem.Provider.Category == "SAML" || providerItem.Provider.Category == "Face ID") {
+			providerItems = append(providerItems, providerItem)
+		}
+	}
+	application.Providers = providerItems
+
+	application.GrantTypes = []string{}
+	application.RedirectUris = []string{}
+	application.TokenFormat = "***"
+	application.TokenFields = []string{}
+	application.ExpireInHours = -1
+	application.RefreshExpireInHours = -1
+	application.FailedSigninLimit = -1
+	application.FailedSigninFrozenTime = -1
+
+	if application.OrganizationObj != nil {
+		application.OrganizationObj.MasterPassword = "***"
+		application.OrganizationObj.DefaultPassword = "***"
+		application.OrganizationObj.MasterVerificationCode = "***"
+		application.OrganizationObj.PasswordType = "***"
+		application.OrganizationObj.PasswordSalt = "***"
+		application.OrganizationObj.InitScore = -1
+		application.OrganizationObj.EnableSoftDeletion = false
+
+		if !isOrgUser {
+			application.OrganizationObj.MfaItems = nil
+			if !application.OrganizationObj.IsProfilePublic {
+				application.OrganizationObj.AccountItems = nil
+			}
+		}
+	}
+
+	return application
+}
+
+func GetMaskedApplications(applications []*Application, userId string) []*Application {
+	if isUserIdGlobalAdmin(userId) {
+		return applications
+	}
+
+	for _, application := range applications {
+		application = GetMaskedApplication(application, userId)
+	}
+	return applications
+}
+
+func GetAllowedApplications(applications []*Application, userId string, lang string) ([]*Application, error) {
+	if userId == "" {
+		return nil, fmt.Errorf(i18n.Translate(lang, "auth:Unauthorized operation"))
+	}
+
+	if isUserIdGlobalAdmin(userId) {
+		return applications, nil
+	}
+
+	user, err := GetUser(userId)
+	if err != nil {
+		return nil, err
+	}
+	if user == nil {
+		return nil, fmt.Errorf(i18n.Translate(lang, "auth:Unauthorized operation"))
+	}
+
+	if user.IsAdmin {
+		return applications, nil
+	}
+
+	res := []*Application{}
+	for _, application := range applications {
+		var allowed bool
+		allowed, err = CheckLoginPermission(userId, application)
+		if err != nil {
+			return nil, err
+		}
+
+		if allowed {
+			res = append(res, application)
+		}
+	}
+	return res, nil
+}
+
+func checkMultipleCaptchaProviders(application *Application, lang string) error {
+	var captchaProviders []string
+	for _, providerItem := range application.Providers {
+		if providerItem.Provider != nil && providerItem.Provider.Category == "Captcha" {
+			captchaProviders = append(captchaProviders, providerItem.Name)
+		}
+	}
+
+	if len(captchaProviders) > 1 {
+		return fmt.Errorf(i18n.Translate(lang, "general:Multiple captcha providers are not allowed in the same application: %s"), strings.Join(captchaProviders, ", "))
+	}
+
+	return nil
+}
+
 func UpdateApplication(id string, application *Application, isGlobalAdmin bool, lang string) (bool, error) {
 	owner, name, err := util.GetOwnerAndNameFromIdWithError(id)
 	if err != nil {
@@ -383,7 +713,7 @@ func UpdateApplication(id string, application *Application, isGlobalAdmin bool,
 	}

 	if !isGlobalAdmin && oldApplication.Organization != application.Organization {
-		return false, errors.New(i18n.Translate(lang, "auth:Unauthorized operation"))
+		return false, fmt.Errorf(i18n.Translate(lang, "auth:Unauthorized operation"))
 	}

 	if name == "app-built-in" {
@@ -415,11 +745,6 @@ func UpdateApplication(id string, application *Application, isGlobalAdmin bool,
 		return false, err
 	}

-	err = validateCustomScopes(application.CustomScopes, lang)
-	if err != nil {
-		return false, err
-	}
-
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}
@@ -475,11 +800,6 @@ func AddApplication(application *Application) (bool, error) {
 		return false, err
 	}

-	err = validateCustomScopes(application.CustomScopes, "en")
-	if err != nil {
-		return false, err
-	}
-
 	for _, providerItem := range application.Providers {
 		providerItem.Provider = nil
 	}
@@ -508,3 +828,205 @@ func DeleteApplication(application *Application) (bool, error) {

 	return deleteApplication(application)
 }
+
+func (application *Application) GetId() string {
+	return fmt.Sprintf("%s/%s", application.Owner, application.Name)
+}
+
+func (application *Application) IsRedirectUriValid(redirectUri string) bool {
+	isValid, err := util.IsValidOrigin(redirectUri)
+	if err != nil {
+		panic(err)
+	}
+	if isValid {
+		return true
+	}
+
+	for _, targetUri := range application.RedirectUris {
+		if targetUri == "" {
+			continue
+		}
+		targetUriRegex := regexp.MustCompile(targetUri)
+		if targetUriRegex.MatchString(redirectUri) || strings.Contains(redirectUri, targetUri) {
+			return true
+		}
+	}
+	return false
+}
+
+func (application *Application) IsPasswordEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnablePassword
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Password" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsPasswordWithLdapEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnablePassword
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Password" && signinMethod.Rule == "All" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsCodeSigninViaEmailEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnableCodeSignin
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Phone only" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsCodeSigninViaSmsEnabled() bool {
+	if len(application.SigninMethods) == 0 {
+		return application.EnableCodeSignin
+	} else {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Email only" {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (application *Application) IsLdapEnabled() bool {
+	if len(application.SigninMethods) > 0 {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "LDAP" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (application *Application) IsFaceIdEnabled() bool {
+	if len(application.SigninMethods) > 0 {
+		for _, signinMethod := range application.SigninMethods {
+			if signinMethod.Name == "Face ID" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func IsOriginAllowed(origin string) (bool, error) {
+	applications, err := GetApplications("")
+	if err != nil {
+		return false, err
+	}
+
+	for _, application := range applications {
+		if application.IsRedirectUriValid(origin) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func getApplicationMap(organization string) (map[string]*Application, error) {
+	applicationMap := make(map[string]*Application)
+	applications, err := GetOrganizationApplications("admin", organization)
+	if err != nil {
+		return applicationMap, err
+	}
+
+	for _, application := range applications {
+		applicationMap[application.Name] = application
+	}
+
+	return applicationMap, nil
+}
+
+func ExtendManagedAccountsWithUser(user *User) (*User, error) {
+	if user.ManagedAccounts == nil || len(user.ManagedAccounts) == 0 {
+		return user, nil
+	}
+
+	applicationMap, err := getApplicationMap(user.Owner)
+	if err != nil {
+		return user, err
+	}
+
+	var managedAccounts []ManagedAccount
+	for _, managedAccount := range user.ManagedAccounts {
+		application := applicationMap[managedAccount.Application]
+		if application != nil {
+			managedAccount.SigninUrl = application.SigninUrl
+			managedAccounts = append(managedAccounts, managedAccount)
+		}
+	}
+	user.ManagedAccounts = managedAccounts
+
+	return user, nil
+}
+
+func applicationChangeTrigger(oldName string, newName string) error {
+	session := ormer.Engine.NewSession()
+	defer session.Close()
+
+	err := session.Begin()
+	if err != nil {
+		return err
+	}
+
+	organization := new(Organization)
+	organization.DefaultApplication = newName
+	_, err = session.Where("default_application=?", oldName).Update(organization)
+	if err != nil {
+		return err
+	}
+
+	user := new(User)
+	user.SignupApplication = newName
+	_, err = session.Where("signup_application=?", oldName).Update(user)
+	if err != nil {
+		return err
+	}
+
+	resource := new(Resource)
+	resource.Application = newName
+	_, err = session.Where("application=?", oldName).Update(resource)
+	if err != nil {
+		return err
+	}
+
+	var permissions []*Permission
+	err = ormer.Engine.Find(&permissions)
+	if err != nil {
+		return err
+	}
+	for i := 0; i < len(permissions); i++ {
+		permissionResoureces := permissions[i].Resources
+		for j := 0; j < len(permissionResoureces); j++ {
+			if permissionResoureces[j] == oldName {
+				permissionResoureces[j] = newName
+			}
+		}
+		permissions[i].Resources = permissionResoureces
+		_, err = session.Where("owner=?", permissions[i].Owner).Where("name=?", permissions[i].Name).Update(permissions[i])
+		if err != nil {
+			return err
+		}
+	}
+
+	return session.Commit()
+}
--- a/object/application_util.go
+++ b/object/application_util.go
@@ -1,615 +0,0 @@
-// Copyright 2021 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"errors"
-	"fmt"
-	"net/url"
-	"regexp"
-	"strings"
-
-	"github.com/casdoor/casdoor/i18n"
-	"github.com/casdoor/casdoor/util"
-)
-
-func getProviderMap(owner string) (m map[string]*Provider, err error) {
-	providers, err := GetProviders(owner)
-	if err != nil {
-		return nil, err
-	}
-
-	m = map[string]*Provider{}
-	for _, provider := range providers {
-		m[provider.Name] = GetMaskedProvider(provider, true)
-	}
-
-	return m, err
-}
-
-func extendApplicationWithProviders(application *Application) (err error) {
-	m, err := getProviderMap(application.Organization)
-	if err != nil {
-		return err
-	}
-
-	for _, providerItem := range application.Providers {
-		if provider, ok := m[providerItem.Name]; ok {
-			providerItem.Provider = provider
-		}
-	}
-
-	return
-}
-
-func extendApplicationWithOrg(application *Application) (err error) {
-	organization, err := getOrganization(application.Owner, application.Organization)
-	application.OrganizationObj = organization
-	return
-}
-
-func extendApplicationWithSigninItems(application *Application) (err error) {
-	if len(application.SigninItems) == 0 {
-		signinItem := &SigninItem{
-			Name:        "Back button",
-			Visible:     true,
-			CustomCss:   ".back-button {\n      top: 65px;\n      left: 15px;\n      position: absolute;\n}\n.back-inner-button{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Languages",
-			Visible:     true,
-			CustomCss:   ".login-languages {\n    top: 55px;\n    right: 5px;\n    position: absolute;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Logo",
-			Visible:     true,
-			CustomCss:   ".login-logo-box {}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Signin methods",
-			Visible:     true,
-			CustomCss:   ".signin-methods {}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Username",
-			Visible:     true,
-			CustomCss:   ".login-username {}\n.login-username-input{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Password",
-			Visible:     true,
-			CustomCss:   ".login-password {}\n.login-password-input{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Verification code",
-			Visible:     true,
-			CustomCss:   ".verification-code {}\n.verification-code-input{}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Agreement",
-			Visible:     true,
-			CustomCss:   ".login-agreement {}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Forgot password?",
-			Visible:     true,
-			CustomCss:   ".login-forget-password {\n    display: inline-flex;\n    justify-content: space-between;\n    width: 320px;\n    margin-bottom: 25px;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Login button",
-			Visible:     true,
-			CustomCss:   ".login-button-box {\n    margin-bottom: 5px;\n}\n.login-button {\n    width: 100%;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Signup link",
-			Visible:     true,
-			CustomCss:   ".login-signup-link {\n    margin-bottom: 24px;\n    display: flex;\n    justify-content: end;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-		signinItem = &SigninItem{
-			Name:        "Providers",
-			Visible:     true,
-			CustomCss:   ".provider-img {\n      width: 30px;\n      margin: 5px;\n}\n.provider-big-img {\n      margin-bottom: 10px;\n}",
-			Placeholder: "",
-			Rule:        "None",
-		}
-		application.SigninItems = append(application.SigninItems, signinItem)
-	}
-	for idx, item := range application.SigninItems {
-		if item.Label != "" && item.CustomCss == "" {
-			application.SigninItems[idx].CustomCss = item.Label
-			application.SigninItems[idx].Label = ""
-		}
-	}
-	return
-}
-
-func extendApplicationWithSigninMethods(application *Application) (err error) {
-	if len(application.SigninMethods) == 0 {
-		if application.EnablePassword {
-			signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
-			application.SigninMethods = append(application.SigninMethods, signinMethod)
-		}
-		if application.EnableCodeSignin {
-			signinMethod := &SigninMethod{Name: "Verification code", DisplayName: "Verification code", Rule: "All"}
-			application.SigninMethods = append(application.SigninMethods, signinMethod)
-		}
-		if application.EnableWebAuthn {
-			signinMethod := &SigninMethod{Name: "WebAuthn", DisplayName: "WebAuthn", Rule: "None"}
-			application.SigninMethods = append(application.SigninMethods, signinMethod)
-		}
-
-		signinMethod := &SigninMethod{Name: "Face ID", DisplayName: "Face ID", Rule: "None"}
-		application.SigninMethods = append(application.SigninMethods, signinMethod)
-	}
-
-	if len(application.SigninMethods) == 0 {
-		signinMethod := &SigninMethod{Name: "Password", DisplayName: "Password", Rule: "All"}
-		application.SigninMethods = append(application.SigninMethods, signinMethod)
-	}
-
-	return
-}
-
-func extendApplicationWithSignupItems(application *Application) (err error) {
-	if len(application.SignupItems) == 0 {
-		application.SignupItems = []*SignupItem{
-			{Name: "ID", Visible: false, Required: true, Prompted: false, Rule: "Random"},
-			{Name: "Username", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Display name", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Password", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Confirm password", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Email", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Phone", Visible: true, Required: true, Prompted: false, Rule: "None"},
-			{Name: "Agreement", Visible: true, Required: true, Prompted: false, Rule: "None"},
-		}
-	}
-	return
-}
-
-func GetMaskedApplication(application *Application, userId string) *Application {
-	if application == nil {
-		return nil
-	}
-
-	if application.TokenFields == nil {
-		application.TokenFields = []string{}
-	}
-
-	if application.FailedSigninLimit == 0 {
-		application.FailedSigninLimit = DefaultFailedSigninLimit
-	}
-	if application.FailedSigninFrozenTime == 0 {
-		application.FailedSigninFrozenTime = DefaultFailedSigninFrozenTime
-	}
-
-	isOrgUser := false
-	if userId != "" {
-		if isUserIdGlobalAdmin(userId) {
-			return application
-		}
-
-		user, err := GetUser(userId)
-		if err != nil {
-			panic(err)
-		}
-		if user != nil {
-			if user.IsApplicationAdmin(application) {
-				return application
-			}
-
-			if user.Owner == application.Organization {
-				isOrgUser = true
-			}
-		}
-	}
-
-	application.ClientSecret = "***"
-	application.Cert = "***"
-	application.EnablePassword = false
-	application.EnableSigninSession = false
-	application.EnableCodeSignin = false
-	application.EnableSamlCompress = false
-	application.EnableSamlC14n10 = false
-	application.EnableSamlPostBinding = false
-	application.DisableSamlAttributes = false
-	application.EnableWebAuthn = false
-	application.EnableLinkWithEmail = false
-	application.SamlReplyUrl = "***"
-
-	providerItems := []*ProviderItem{}
-	for _, providerItem := range application.Providers {
-		if providerItem.Provider != nil && (providerItem.Provider.Category == "OAuth" || providerItem.Provider.Category == "Web3" || providerItem.Provider.Category == "Captcha" || providerItem.Provider.Category == "SAML" || providerItem.Provider.Category == "Face ID") {
-			providerItems = append(providerItems, providerItem)
-		}
-	}
-	application.Providers = providerItems
-
-	application.GrantTypes = []string{}
-	application.RedirectUris = []string{}
-	application.TokenFormat = "***"
-	application.TokenFields = []string{}
-	application.ExpireInHours = -1
-	application.RefreshExpireInHours = -1
-	application.FailedSigninLimit = -1
-	application.FailedSigninFrozenTime = -1
-
-	if application.OrganizationObj != nil {
-		application.OrganizationObj.MasterPassword = "***"
-		application.OrganizationObj.DefaultPassword = "***"
-		application.OrganizationObj.MasterVerificationCode = "***"
-		application.OrganizationObj.PasswordType = "***"
-		application.OrganizationObj.PasswordSalt = "***"
-		application.OrganizationObj.InitScore = -1
-		application.OrganizationObj.EnableSoftDeletion = false
-
-		if !isOrgUser {
-			application.OrganizationObj.MfaItems = nil
-			if !application.OrganizationObj.IsProfilePublic {
-				application.OrganizationObj.AccountItems = nil
-			}
-		}
-	}
-
-	return application
-}
-
-func GetMaskedApplications(applications []*Application, userId string) []*Application {
-	if isUserIdGlobalAdmin(userId) {
-		return applications
-	}
-
-	for _, application := range applications {
-		application = GetMaskedApplication(application, userId)
-	}
-	return applications
-}
-
-func GetAllowedApplications(applications []*Application, userId string, lang string) ([]*Application, error) {
-	if userId == "" {
-		return nil, errors.New(i18n.Translate(lang, "auth:Unauthorized operation"))
-	}
-
-	if isUserIdGlobalAdmin(userId) {
-		return applications, nil
-	}
-
-	user, err := GetUser(userId)
-	if err != nil {
-		return nil, err
-	}
-	if user == nil {
-		return nil, errors.New(i18n.Translate(lang, "auth:Unauthorized operation"))
-	}
-
-	if user.IsAdmin {
-		return applications, nil
-	}
-
-	res := []*Application{}
-	for _, application := range applications {
-		var allowed bool
-		allowed, err = CheckLoginPermission(userId, application)
-		if err != nil {
-			return nil, err
-		}
-
-		if allowed {
-			res = append(res, application)
-		}
-	}
-	return res, nil
-}
-
-func checkMultipleCaptchaProviders(application *Application, lang string) error {
-	var captchaProviders []string
-	for _, providerItem := range application.Providers {
-		if providerItem.Provider != nil && providerItem.Provider.Category == "Captcha" {
-			captchaProviders = append(captchaProviders, providerItem.Name)
-		}
-	}
-
-	if len(captchaProviders) > 1 {
-		return fmt.Errorf(i18n.Translate(lang, "general:Multiple captcha providers are not allowed in the same application: %s"), strings.Join(captchaProviders, ", "))
-	}
-
-	return nil
-}
-
-func (application *Application) GetId() string {
-	return fmt.Sprintf("%s/%s", application.Owner, application.Name)
-}
-
-func (application *Application) IsRedirectUriValid(redirectUri string) bool {
-	isValid, err := util.IsValidOrigin(redirectUri)
-	if err != nil {
-		panic(err)
-	}
-	if isValid {
-		return true
-	}
-
-	for _, targetUri := range application.RedirectUris {
-		if redirectUriMatchesPattern(redirectUri, targetUri) {
-			return true
-		}
-	}
-	return false
-}
-
-func redirectUriMatchesPattern(redirectUri, targetUri string) bool {
-	if targetUri == "" {
-		return false
-	}
-	if redirectUri == targetUri {
-		return true
-	}
-
-	redirectUriObj, err := url.Parse(redirectUri)
-	if err != nil || redirectUriObj.Host == "" {
-		return false
-	}
-
-	targetUriObj, err := url.Parse(targetUri)
-	if err == nil && targetUriObj.Host != "" {
-		return redirectUriMatchesTarget(redirectUriObj, targetUriObj)
-	}
-
-	withScheme, parseErr := url.Parse("https://" + targetUri)
-	if parseErr == nil && withScheme.Host != "" {
-		redirectHost := redirectUriObj.Hostname()
-		targetHost := withScheme.Hostname()
-		var hostMatches bool
-		if strings.HasPrefix(targetHost, ".") {
-			hostMatches = strings.HasSuffix(redirectHost, targetHost)
-		} else {
-			hostMatches = redirectHost == targetHost || strings.HasSuffix(redirectHost, "."+targetHost)
-		}
-		schemeOk := redirectUriObj.Scheme == "http" || redirectUriObj.Scheme == "https"
-		pathMatches := withScheme.Path == "" || withScheme.Path == "/" || redirectUriObj.Path == withScheme.Path
-		return schemeOk && hostMatches && pathMatches
-	}
-
-	anchoredPattern := "^(?:" + targetUri + ")$"
-	targetUriRegex, err := regexp.Compile(anchoredPattern)
-	return err == nil && targetUriRegex.MatchString(redirectUri)
-}
-
-func redirectUriMatchesTarget(redirectUri, targetUri *url.URL) bool {
-	if redirectUri.Scheme != targetUri.Scheme {
-		return false
-	}
-	if redirectUri.Port() != targetUri.Port() {
-		return false
-	}
-	redirectHost := redirectUri.Hostname()
-	targetHost := targetUri.Hostname()
-	if redirectHost != targetHost && !strings.HasSuffix(redirectHost, "."+targetHost) {
-		return false
-	}
-	if redirectUri.Path != targetUri.Path {
-		return false
-	}
-	return true
-}
-
-func (application *Application) IsPasswordEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnablePassword
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Password" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsPasswordWithLdapEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnablePassword
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Password" && signinMethod.Rule == "All" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsCodeSigninViaEmailEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnableCodeSignin
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Phone only" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsCodeSigninViaSmsEnabled() bool {
-	if len(application.SigninMethods) == 0 {
-		return application.EnableCodeSignin
-	} else {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Verification code" && signinMethod.Rule != "Email only" {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-func (application *Application) IsLdapEnabled() bool {
-	if len(application.SigninMethods) > 0 {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "LDAP" {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func (application *Application) IsFaceIdEnabled() bool {
-	if len(application.SigninMethods) > 0 {
-		for _, signinMethod := range application.SigninMethods {
-			if signinMethod.Name == "Face ID" {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func IsOriginAllowed(origin string) (bool, error) {
-	applications, err := GetApplications("")
-	if err != nil {
-		return false, err
-	}
-
-	for _, application := range applications {
-		if application.IsRedirectUriValid(origin) {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-func getApplicationMap(organization string) (map[string]*Application, error) {
-	applicationMap := make(map[string]*Application)
-	applications, err := GetOrganizationApplications("admin", organization)
-	if err != nil {
-		return applicationMap, err
-	}
-
-	for _, application := range applications {
-		applicationMap[application.Name] = application
-	}
-
-	return applicationMap, nil
-}
-
-func ExtendManagedAccountsWithUser(user *User) (*User, error) {
-	if user.ManagedAccounts == nil || len(user.ManagedAccounts) == 0 {
-		return user, nil
-	}
-
-	applicationMap, err := getApplicationMap(user.Owner)
-	if err != nil {
-		return user, err
-	}
-
-	var managedAccounts []ManagedAccount
-	for _, managedAccount := range user.ManagedAccounts {
-		application := applicationMap[managedAccount.Application]
-		if application != nil {
-			managedAccount.SigninUrl = application.SigninUrl
-			managedAccounts = append(managedAccounts, managedAccount)
-		}
-	}
-	user.ManagedAccounts = managedAccounts
-
-	return user, nil
-}
-
-func applicationChangeTrigger(oldName string, newName string) error {
-	session := ormer.Engine.NewSession()
-	defer session.Close()
-
-	err := session.Begin()
-	if err != nil {
-		return err
-	}
-
-	organization := new(Organization)
-	organization.DefaultApplication = newName
-	_, err = session.Where("default_application=?", oldName).Update(organization)
-	if err != nil {
-		return err
-	}
-
-	user := new(User)
-	user.SignupApplication = newName
-	_, err = session.Where("signup_application=?", oldName).Update(user)
-	if err != nil {
-		return err
-	}
-
-	resource := new(Resource)
-	resource.Application = newName
-	_, err = session.Where("application=?", oldName).Update(resource)
-	if err != nil {
-		return err
-	}
-
-	var permissions []*Permission
-	err = ormer.Engine.Find(&permissions)
-	if err != nil {
-		return err
-	}
-	for i := 0; i < len(permissions); i++ {
-		permissionResoureces := permissions[i].Resources
-		for j := 0; j < len(permissionResoureces); j++ {
-			if permissionResoureces[j] == oldName {
-				permissionResoureces[j] = newName
-			}
-		}
-		permissions[i].Resources = permissionResoureces
-		_, err = session.Where("owner=?", permissions[i].Owner).Where("name=?", permissions[i].Name).Update(permissions[i])
-		if err != nil {
-			return err
-		}
-	}
-
-	return session.Commit()
-}
--- a/object/application_util_test.go
+++ b/object/application_util_test.go
@@ -1,79 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import "testing"
-
-func TestRedirectUriMatchesPattern(t *testing.T) {
-	tests := []struct {
-		redirectUri string
-		targetUri   string
-		want        bool
-	}{
-		// Exact match
-		{"https://login.example.com/callback", "https://login.example.com/callback", true},
-
-		// Full URL pattern: exact host
-		{"https://login.example.com/callback", "https://login.example.com/callback", true},
-		{"https://login.example.com/other", "https://login.example.com/callback", false},
-
-		// Full URL pattern: subdomain of configured host
-		{"https://def.abc.com/callback", "abc.com", true},
-		{"https://def.abc.com/callback", ".abc.com", true},
-		{"https://def.abc.com/callback", ".abc.com/", true},
-		{"https://deep.app.example.com/callback", "https://example.com/callback", true},
-
-		// Full URL pattern: unrelated host must not match
-		{"https://evil.com/callback", "https://example.com/callback", false},
-		// Suffix collision: evilexample.com must not match example.com
-		{"https://evilexample.com/callback", "https://example.com/callback", false},
-
-		// Full URL pattern: scheme mismatch
-		{"http://app.example.com/callback", "https://example.com/callback", false},
-
-		// Full URL pattern: path mismatch
-		{"https://app.example.com/other", "https://example.com/callback", false},
-
-		// Scheme-less pattern: exact host
-		{"https://login.example.com/callback", "login.example.com/callback", true},
-		{"http://login.example.com/callback", "login.example.com/callback", true},
-
-		// Scheme-less pattern: subdomain of configured host
-		{"https://app.login.example.com/callback", "login.example.com/callback", true},
-
-		// Scheme-less pattern: unrelated host must not match
-		{"https://evil.com/callback", "login.example.com/callback", false},
-
-		// Scheme-less pattern: query-string injection must not match
-		{"https://evil.com/?r=https://login.example.com/callback", "login.example.com/callback", false},
-		{"https://evil.com/page?redirect=https://login.example.com/callback", "login.example.com/callback", false},
-
-		// Scheme-less pattern: path mismatch
-		{"https://login.example.com/other", "login.example.com/callback", false},
-
-		// Scheme-less pattern: non-http scheme must not match
-		{"ftp://login.example.com/callback", "login.example.com/callback", false},
-
-		// Empty target
-		{"https://login.example.com/callback", "", false},
-	}
-
-	for _, tt := range tests {
-		got := redirectUriMatchesPattern(tt.redirectUri, tt.targetUri)
-		if got != tt.want {
-			t.Errorf("redirectUriMatchesPattern(%q, %q) = %v, want %v", tt.redirectUri, tt.targetUri, got, tt.want)
-		}
-	}
-}
--- a/object/cert.go
+++ b/object/cert.go
@@ -16,12 +16,9 @@ package object

 import (
 	"fmt"
-	"time"

-	"github.com/casdoor/casdoor/certificate"
 	"github.com/casdoor/casdoor/util"
 	"github.com/xorm-io/core"
-	"golang.org/x/net/publicsuffix"
 )

 type Cert struct {
@@ -36,13 +33,6 @@ type Cert struct {
 	BitSize         int    `json:"bitSize"`
 	ExpireInYears   int    `json:"expireInYears"`

-	ExpireTime       string `xorm:"varchar(100)" json:"expireTime"`
-	DomainExpireTime string `xorm:"varchar(100)" json:"domainExpireTime"`
-	Provider         string `xorm:"varchar(100)" json:"provider"`
-	Account          string `xorm:"varchar(100)" json:"account"`
-	AccessKey        string `xorm:"varchar(100)" json:"accessKey"`
-	AccessSecret     string `xorm:"varchar(100)" json:"accessSecret"`
-
 	Certificate string `xorm:"mediumtext" json:"certificate"`
 	PrivateKey  string `xorm:"mediumtext" json:"privateKey"`
 }
@@ -234,20 +224,6 @@ func (p *Cert) populateContent() error {
 		return nil
 	}

-	if p.Type == "SSL" {
-		if p.Certificate != "" {
-			expireTime, err := util.GetCertExpireTime(p.Certificate)
-			if err != nil {
-				return err
-			}
-
-			p.ExpireTime = expireTime
-		} else {
-			p.ExpireTime = ""
-		}
-		return nil
-	}
-
 	if len(p.CryptoAlgorithm) < 3 {
 		err := fmt.Errorf("populateContent() error, unsupported crypto algorithm: %s", p.CryptoAlgorithm)
 		return err
@@ -282,42 +258,6 @@ func (p *Cert) populateContent() error {
 	return nil
 }

-func RenewCert(cert *Cert) (bool, error) {
-	useProxy := false
-	if cert.Provider == "GoDaddy" {
-		useProxy = true
-	}
-
-	client, err := GetAcmeClient(useProxy)
-	if err != nil {
-		return false, err
-	}
-
-	var certStr, privateKey string
-	if cert.Provider == "Aliyun" {
-		certStr, privateKey, err = certificate.ObtainCertificateAli(client, cert.Name, cert.AccessKey, cert.AccessSecret)
-	} else if cert.Provider == "GoDaddy" {
-		certStr, privateKey, err = certificate.ObtainCertificateGoDaddy(client, cert.Name, cert.AccessKey, cert.AccessSecret)
-	} else {
-		return false, fmt.Errorf("unknown provider: %s", cert.Provider)
-	}
-
-	if err != nil {
-		return false, err
-	}
-
-	expireTime, err := util.GetCertExpireTime(certStr)
-	if err != nil {
-		return false, err
-	}
-
-	cert.ExpireTime = expireTime
-	cert.Certificate = certStr
-	cert.PrivateKey = privateKey
-
-	return UpdateCert(cert.GetId(), cert)
-}
-
 func getCertByApplication(application *Application) (*Cert, error) {
 	if application.Cert != "" {
 		return getCertByName(application.Cert)
@@ -348,64 +288,3 @@ func certChangeTrigger(oldName string, newName string) error {

 	return session.Commit()
 }
-
-func getBaseDomain(domain string) (string, error) {
-	// abc.com -> abc.com
-	// abc.com.it -> abc.com.it
-	// subdomain.abc.io -> abc.io
-	// subdomain.abc.org.us -> abc.org.us
-	return publicsuffix.EffectiveTLDPlusOne(domain)
-}
-
-func GetCertByDomain(domain string) (*Cert, error) {
-	if domain == "" {
-		return nil, fmt.Errorf("GetCertByDomain() error: domain should not be empty")
-	}
-
-	cert, ok := certMap[domain]
-	if ok {
-		return cert, nil
-	}
-
-	baseDomain, err := getBaseDomain(domain)
-	if err != nil {
-		return nil, err
-	}
-
-	cert, ok = certMap[baseDomain]
-	if ok {
-		return cert, nil
-	}
-
-	return nil, nil
-}
-
-func getCertMap() (map[string]*Cert, error) {
-	certs, err := GetGlobalCerts()
-	if err != nil {
-		return nil, err
-	}
-
-	res := map[string]*Cert{}
-	for _, cert := range certs {
-		res[cert.Name] = cert
-	}
-	return res, nil
-}
-
-func (p *Cert) isCertNearExpire() (bool, error) {
-	if p.ExpireTime == "" {
-		return true, nil
-	}
-
-	expireTime, err := time.Parse(time.RFC3339, p.ExpireTime)
-	if err != nil {
-		return false, err
-	}
-
-	now := time.Now()
-	duration := expireTime.Sub(now)
-	res := duration <= 7*24*time.Hour
-
-	return res, nil
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	22d287f7a8	Use hardcoded labels instead of i18n translations for reverse proxy fields Co-authored-by: mserico <140243407+mserico@users.noreply.github.com>	2026-02-15 17:57:27 +00:00
copilot-swe-agent[bot]	4e1c56e3cd	Co-authored-by: mserico <140243407+mserico@users.noreply.github.com>	2026-02-15 17:42:41 +00:00
copilot-swe-agent[bot]	f48eccae98	Fix duplicate i18n keys by renaming to Proxy domain and Proxy SSL mode Co-authored-by: mserico <140243407+mserico@users.noreply.github.com>	2026-02-15 17:42:03 +00:00
copilot-swe-agent[bot]	b4049e6cf4	Fix code review issues: use mediumtext for OtherDomains and remove redundant HTTP SSL mode Co-authored-by: mserico <140243407+mserico@users.noreply.github.com>	2026-02-15 17:29:44 +00:00
copilot-swe-agent[bot]	91c17b4092	Initialize otherDomains array to prevent UI errors Co-authored-by: mserico <140243407+mserico@users.noreply.github.com>	2026-02-15 17:26:37 +00:00
copilot-swe-agent[bot]	2cac433b9f	Add reverse proxy fields to Application model and frontend Co-authored-by: mserico <140243407+mserico@users.noreply.github.com>	2026-02-15 17:25:37 +00:00
copilot-swe-agent[bot]	ac21a6b3c9	Initial plan	2026-02-15 17:23:02 +00:00