perf(playground): improve chat markdown rendering

- refine assistant and user message surfaces so chat content matches the app UI. - normalize markdown typography, tables, images, lists, blockquotes, and details rendering. - add indentation cues for collapsible reasoning and source sections.
feat(playground): add chat history clearing
2026-06-01 00:30:06 +08:00 · 2026-05-31 14:23:50 +08:00 · 2026-05-30 19:13:50 +08:00 · 2026-05-30 19:07:53 +08:00 · 2026-05-30 18:46:07 +08:00 · 2026-05-30 18:42:24 +08:00
383 changed files with 20450 additions and 11421 deletions
@@ -35,3 +35,4 @@ data/
 .test
 token_estimator_test.go
 skills-lock.json
+.playwright-mcp
@@ -37,7 +37,7 @@ func checkWriter(writer io.Writer) stringWriter {
 // W3C Working Draft 29 October 2009
 // http://www.w3.org/TR/2009/WD-eventsource-20091029/

-var contentType = []string{"text/event-stream"}
+var writeContentType = []string{"text/event-stream"}
 var noCache = []string{"no-cache"}

 var fieldReplacer = strings.NewReplacer(
@@ -79,7 +79,7 @@ func (r CustomEvent) WriteContentType(w http.ResponseWriter) {
 	r.Mutex.Lock()
 	defer r.Mutex.Unlock()
 	header := w.Header()
-	header["Content-Type"] = contentType
+	header["Content-Type"] = writeContentType

 	if _, exist := header["Cache-Control"]; !exist {
 		header["Cache-Control"] = noCache
@@ -110,11 +110,29 @@ func UnmarshalBodyReusable(c *gin.Context, v any) error {
 	if err != nil {
 		return err
 	}
+	contentType := c.Request.Header.Get("Content-Type")
+
+	// disk-backed JSON: stream-decode directly from the file to avoid
+	// materializing the entire payload back into a transient []byte
+	// (diskStorage.Bytes() would ReadFull the whole file into the heap).
+	if storage.IsDisk() && strings.HasPrefix(contentType, "application/json") {
+		if _, seekErr := storage.Seek(0, io.SeekStart); seekErr != nil {
+			return seekErr
+		}
+		if err := DecodeJson(storage, v); err != nil {
+			return err
+		}
+		if _, seekErr := storage.Seek(0, io.SeekStart); seekErr != nil {
+			return seekErr
+		}
+		c.Request.Body = io.NopCloser(storage)
+		return nil
+	}
+
 	requestBody, err := storage.Bytes()
 	if err != nil {
 		return err
 	}
-	contentType := c.Request.Header.Get("Content-Type")
 	if strings.HasPrefix(contentType, "application/json") {
 		err = Unmarshal(requestBody, v)
 	} else if strings.Contains(contentType, gin.MIMEPOSTForm) {
@@ -3,6 +3,7 @@ package common
 import (
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"net/url"
 	"regexp"
 	"strconv"
@@ -20,6 +21,16 @@ var (
 	maskApiKeyPattern = regexp.MustCompile(`(['"]?)api_key:([^\s'"]+)(['"]?)`)
 )

+const LocalLogContentLimit = 2048
+
+// LocalLogPreview limits log-only content unless debug logging is enabled.
+func LocalLogPreview(content string) string {
+	if DebugEnabled || len(content) <= LocalLogContentLimit {
+		return content
+	}
+	return fmt.Sprintf("%s... [truncated, original_length=%d, limit=%d]", content[:LocalLogContentLimit], len(content), LocalLogContentLimit)
+}
+
 func GetStringIfEmpty(str string, defaultValue string) string {
 	if str == "" {
 		return defaultValue
@@ -57,7 +57,24 @@ func normalizeChannelTestEndpoint(channel *model.Channel, modelName, endpointTyp
 	return normalized
 }

-func testChannel(channel *model.Channel, testModel string, endpointType string, isStream bool) testResult {
+func resolveChannelTestUserID(c *gin.Context) (int, error) {
+	if c != nil {
+		if userID := c.GetInt("id"); userID > 0 {
+			return userID, nil
+		}
+	}
+
+	var rootUser model.User
+	if err := model.DB.Select("id").Where("role = ?", common.RoleRootUser).First(&rootUser).Error; err != nil {
+		return 0, fmt.Errorf("failed to resolve channel test user: %w", err)
+	}
+	if rootUser.Id == 0 {
+		return 0, errors.New("failed to resolve channel test user")
+	}
+	return rootUser.Id, nil
+}
+
+func testChannel(channel *model.Channel, testUserID int, testModel string, endpointType string, isStream bool) testResult {
 	tik := time.Now()
 	var unsupportedTestChannelTypes = []int{
 		constant.ChannelTypeMidjourney,
@@ -143,7 +160,7 @@ func testChannel(channel *model.Channel, testModel string, endpointType string,
 		Header: make(http.Header),
 	}

-	cache, err := model.GetUserCache(1)
+	cache, err := model.GetUserCache(testUserID)
 	if err != nil {
 		return testResult{
 			localErr:    err,
@@ -151,13 +168,13 @@ func testChannel(channel *model.Channel, testModel string, endpointType string,
 		}
 	}
 	cache.WriteContext(c)
-	c.Set("id", 1)
+	c.Set("id", testUserID)

 	//c.Request.Header.Set("Authorization", "Bearer "+channel.Key)
 	c.Request.Header.Set("Content-Type", "application/json")
 	c.Set("channel", channel.Type)
 	c.Set("base_url", channel.GetBaseURL())
-	group, _ := model.GetUserGroup(1, false)
+	group, _ := model.GetUserGroup(testUserID, false)
 	c.Set("group", group)

 	newAPIError := middleware.SetupContextForSelectedChannel(c, channel, testModel)
@@ -484,7 +501,7 @@ func testChannel(channel *model.Channel, testModel string, endpointType string,
 	milliseconds := tok.Sub(tik).Milliseconds()
 	consumedTime := float64(milliseconds) / 1000.0
 	other := buildTestLogOther(c, info, priceData, usage, tieredResult)
-	model.RecordConsumeLog(c, 1, model.RecordConsumeLogParams{
+	model.RecordConsumeLog(c, testUserID, model.RecordConsumeLogParams{
 		ChannelId:        channel.Id,
 		PromptTokens:     usage.PromptTokens,
 		CompletionTokens: usage.CompletionTokens,
@@ -834,8 +851,13 @@ func TestChannel(c *gin.Context) {
 	testModel := c.Query("model")
 	endpointType := c.Query("endpoint_type")
 	isStream, _ := strconv.ParseBool(c.Query("stream"))
+	testUserID, err := resolveChannelTestUserID(c)
+	if err != nil {
+		common.ApiError(c, err)
+		return
+	}
 	tik := time.Now()
-	result := testChannel(channel, testModel, endpointType, isStream)
+	result := testChannel(channel, testUserID, testModel, endpointType, isStream)
 	if result.localErr != nil {
 		resp := gin.H{
 			"success": false,
@@ -872,6 +894,10 @@ var testAllChannelsLock sync.Mutex
 var testAllChannelsRunning bool = false

 func testAllChannels(notify bool) error {
+	testUserID, err := resolveChannelTestUserID(nil)
+	if err != nil {
+		return err
+	}

 	testAllChannelsLock.Lock()
 	if testAllChannelsRunning {
@@ -902,7 +928,7 @@ func testAllChannels(notify bool) error {
 			}
 			isChannelEnabled := channel.Status == common.ChannelStatusEnabled
 			tik := time.Now()
-			result := testChannel(channel, "", "", shouldUseStreamForAutomaticChannelTest(channel))
+			result := testChannel(channel, testUserID, "", "", shouldUseStreamForAutomaticChannelTest(channel))
 			tok := time.Now()
 			milliseconds := tok.Sub(tik).Milliseconds()

@@ -1218,7 +1218,7 @@ func CopyChannel(c *gin.Context) {
 	}

 	// insert
-	if err := model.BatchInsertChannels([]model.Channel{clone}); err != nil {
+	if err := clone.Insert(); err != nil {
 		common.SysError("failed to clone channel: " + err.Error())
 		c.JSON(http.StatusOK, gin.H{"success": false, "message": "复制渠道失败，请稍后重试"})
 		return
@@ -69,3 +69,14 @@ func TestBuildTestLogOtherInjectsTieredInfo(t *testing.T) {
 	require.Equal(t, "base", other["matched_tier"])
 	require.NotEmpty(t, other["expr_b64"])
 }
+
+func TestResolveChannelTestUserIDUsesRequestUser(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
+	ctx.Set("id", 2)
+
+	userID, err := resolveChannelTestUserID(ctx)
+
+	require.NoError(t, err)
+	require.Equal(t, 2, userID)
+}
@@ -88,6 +88,7 @@ func GetStatus(c *gin.Context) {
 		"demo_site_enabled":             operation_setting.DemoSiteEnabled,
 		"self_use_mode_enabled":         operation_setting.SelfUseModeEnabled,
 		"register_enabled":              common.RegisterEnabled,
+		"password_login_enabled":        common.PasswordLoginEnabled,
 		"password_register_enabled":     common.PasswordRegisterEnabled,
 		"default_use_auto_group":        setting.DefaultUseAutoGroup,

@@ -3,6 +3,7 @@ package controller
 import (
 	"fmt"
 	"net/http"
+	"strings"
 	"time"

 	"github.com/QuantumNous/new-api/common"
@@ -109,9 +110,102 @@ func init() {
 	})
 }

-func ListModels(c *gin.Context, modelType int) {
-	userOpenAiModels := make([]dto.OpenAIModels, 0)
+func channelOwnerName(channelType int) string {
+	apiType, success := common.ChannelType2APIType(channelType)
+	if !success {
+		return strings.ToLower(constant.GetChannelTypeName(channelType))
+	}
+	adaptor := relay.GetAdaptor(apiType)
+	if adaptor == nil {
+		return strings.ToLower(constant.GetChannelTypeName(channelType))
+	}
+	adaptor.Init(&relaycommon.RelayInfo{ChannelMeta: &relaycommon.ChannelMeta{
+		ChannelType: channelType,
+	}})
+	if name := strings.TrimSpace(adaptor.GetChannelName()); name != "" {
+		return name
+	}
+	return strings.ToLower(constant.GetChannelTypeName(channelType))
+}

+func getPreferredModelOwners(modelNames []string, groups []string) map[string]string {
+	channelTypes, err := model.GetPreferredModelOwnerChannelTypes(modelNames, groups)
+	if err != nil {
+		common.SysLog(fmt.Sprintf("GetPreferredModelOwnerChannelTypes error: %v", err))
+		return map[string]string{}
+	}
+
+	ownerByChannelType := make(map[int]string)
+	owners := make(map[string]string, len(channelTypes))
+	for modelName, channelType := range channelTypes {
+		owner, ok := ownerByChannelType[channelType]
+		if !ok {
+			owner = channelOwnerName(channelType)
+			ownerByChannelType[channelType] = owner
+		}
+		if owner != "" {
+			owners[modelName] = owner
+		}
+	}
+	return owners
+}
+
+func buildOpenAIModel(modelName string, ownerByModel map[string]string) dto.OpenAIModels {
+	var oaiModel dto.OpenAIModels
+	if staticModel, ok := openAIModelsMap[modelName]; ok {
+		oaiModel = staticModel
+	} else {
+		oaiModel = dto.OpenAIModels{
+			Id:      modelName,
+			Object:  "model",
+			Created: 1626777600,
+			OwnedBy: "custom",
+		}
+	}
+	if owner, ok := ownerByModel[modelName]; ok && owner != "" {
+		oaiModel.OwnedBy = owner
+	}
+	oaiModel.SupportedEndpointTypes = model.GetModelSupportEndpointTypes(modelName)
+	return oaiModel
+}
+
+type modelListGroups struct {
+	userGroup   string
+	tokenGroup  string
+	ownerGroups []string
+}
+
+func getModelListGroups(c *gin.Context) (modelListGroups, error) {
+	tokenGroup := common.GetContextKeyString(c, constant.ContextKeyTokenGroup)
+	userGroup := common.GetContextKeyString(c, constant.ContextKeyUserGroup)
+	if userGroup == "" && (tokenGroup == "" || tokenGroup == "auto") {
+		var err error
+		userGroup, err = model.GetUserGroup(c.GetInt("id"), false)
+		if err != nil {
+			return modelListGroups{}, err
+		}
+	}
+
+	if tokenGroup == "auto" {
+		return modelListGroups{
+			userGroup:   userGroup,
+			tokenGroup:  tokenGroup,
+			ownerGroups: service.GetUserAutoGroup(userGroup),
+		}, nil
+	}
+
+	group := userGroup
+	if tokenGroup != "" {
+		group = tokenGroup
+	}
+	return modelListGroups{
+		userGroup:   userGroup,
+		tokenGroup:  tokenGroup,
+		ownerGroups: []string{group},
+	}, nil
+}
+
+func ListModels(c *gin.Context, modelType int) {
 	acceptUnsetRatioModel := operation_setting.SelfUseModeEnabled
 	if !acceptUnsetRatioModel {
 		userId := c.GetInt("id")
@@ -123,6 +217,16 @@ func ListModels(c *gin.Context, modelType int) {
 		}
 	}

+	userModelNames := make([]string, 0)
+	groups, err := getModelListGroups(c)
+	if err != nil {
+		c.JSON(http.StatusOK, gin.H{
+			"success": false,
+			"message": "get user group failed",
+		})
+		return
+	}
+	ownerGroups := groups.ownerGroups
 	modelLimitEnable := common.GetContextKeyBool(c, constant.ContextKeyTokenModelLimitEnabled)
 	if modelLimitEnable {
 		s, ok := common.GetContextKey(c, constant.ContextKeyTokenModelLimit)
@@ -138,37 +242,12 @@ func ListModels(c *gin.Context, modelType int) {
 					continue
 				}
 			}
-			if oaiModel, ok := openAIModelsMap[allowModel]; ok {
-				oaiModel.SupportedEndpointTypes = model.GetModelSupportEndpointTypes(allowModel)
-				userOpenAiModels = append(userOpenAiModels, oaiModel)
-			} else {
-				userOpenAiModels = append(userOpenAiModels, dto.OpenAIModels{
-					Id:                     allowModel,
-					Object:                 "model",
-					Created:                1626777600,
-					OwnedBy:                "custom",
-					SupportedEndpointTypes: model.GetModelSupportEndpointTypes(allowModel),
-				})
-			}
+			userModelNames = append(userModelNames, allowModel)
 		}
 	} else {
-		userId := c.GetInt("id")
-		userGroup, err := model.GetUserGroup(userId, false)
-		if err != nil {
-			c.JSON(http.StatusOK, gin.H{
-				"success": false,
-				"message": "get user group failed",
-			})
-			return
-		}
-		group := userGroup
-		tokenGroup := common.GetContextKeyString(c, constant.ContextKeyTokenGroup)
-		if tokenGroup != "" {
-			group = tokenGroup
-		}
 		var models []string
-		if tokenGroup == "auto" {
-			for _, autoGroup := range service.GetUserAutoGroup(userGroup) {
+		if groups.tokenGroup == "auto" {
+			for _, autoGroup := range ownerGroups {
 				groupModels := model.GetGroupEnabledModels(autoGroup)
 				for _, g := range groupModels {
 					if !common.StringsContains(models, g) {
@@ -177,7 +256,7 @@ func ListModels(c *gin.Context, modelType int) {
 				}
 			}
 		} else {
-			models = model.GetGroupEnabledModels(group)
+			models = model.GetGroupEnabledModels(ownerGroups[0])
 		}
 		for _, modelName := range models {
 			if !acceptUnsetRatioModel {
@@ -185,21 +264,19 @@ func ListModels(c *gin.Context, modelType int) {
 					continue
 				}
 			}
-			if oaiModel, ok := openAIModelsMap[modelName]; ok {
-				oaiModel.SupportedEndpointTypes = model.GetModelSupportEndpointTypes(modelName)
-				userOpenAiModels = append(userOpenAiModels, oaiModel)
-			} else {
-				userOpenAiModels = append(userOpenAiModels, dto.OpenAIModels{
-					Id:                     modelName,
-					Object:                 "model",
-					Created:                1626777600,
-					OwnedBy:                "custom",
-					SupportedEndpointTypes: model.GetModelSupportEndpointTypes(modelName),
-				})
-			}
+			userModelNames = append(userModelNames, modelName)
 		}
 	}

+	ownerByModel := map[string]string{}
+	if len(ownerGroups) > 0 {
+		ownerByModel = getPreferredModelOwners(userModelNames, ownerGroups)
+	}
+	userOpenAiModels := make([]dto.OpenAIModels, 0, len(userModelNames))
+	for _, modelName := range userModelNames {
+		userOpenAiModels = append(userOpenAiModels, buildOpenAIModel(modelName, ownerByModel))
+	}
+
 	switch modelType {
 	case constant.ChannelTypeAnthropic:
 		useranthropicModels := make([]dto.AnthropicModel, len(userOpenAiModels))
@@ -0,0 +1,85 @@
+package controller
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/QuantumNous/new-api/common"
+	"github.com/QuantumNous/new-api/constant"
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+)
+
+func TestChannelOwnerNameUsesAdaptorChannelName(t *testing.T) {
+	tests := []struct {
+		name        string
+		channelType int
+		expected    string
+	}{
+		{
+			name:        "openai",
+			channelType: constant.ChannelTypeOpenAI,
+			expected:    "openai",
+		},
+		{
+			name:        "codex",
+			channelType: constant.ChannelTypeCodex,
+			expected:    "codex",
+		},
+		{
+			name:        "openrouter",
+			channelType: constant.ChannelTypeOpenRouter,
+			expected:    "openrouter",
+		},
+		{
+			name:        "azure fallback",
+			channelType: constant.ChannelTypeAzure,
+			expected:    "azure",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			require.Equal(t, tt.expected, channelOwnerName(tt.channelType))
+		})
+	}
+}
+
+func TestBuildOpenAIModelOverridesOwnedBy(t *testing.T) {
+	modelItem := buildOpenAIModel("gpt-5.4", map[string]string{"gpt-5.4": "openai"})
+	require.Equal(t, "gpt-5.4", modelItem.Id)
+	require.Equal(t, "openai", modelItem.OwnedBy)
+}
+
+func TestBuildOpenAIModelFallsBackToCustomForUnknownModels(t *testing.T) {
+	modelItem := buildOpenAIModel("custom-test-model", nil)
+	require.Equal(t, "custom-test-model", modelItem.Id)
+	require.Equal(t, "custom", modelItem.OwnedBy)
+}
+
+func TestGetModelListGroupsUsesUserGroupWhenTokenGroupIsEmpty(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
+	common.SetContextKey(ctx, constant.ContextKeyUserGroup, "default")
+
+	groups, err := getModelListGroups(ctx)
+	require.NoError(t, err)
+
+	require.Equal(t, "default", groups.userGroup)
+	require.Empty(t, groups.tokenGroup)
+	require.Equal(t, []string{"default"}, groups.ownerGroups)
+}
+
+func TestGetModelListGroupsUsesExplicitTokenGroup(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	ctx, _ := gin.CreateTestContext(httptest.NewRecorder())
+	common.SetContextKey(ctx, constant.ContextKeyUserGroup, "default")
+	common.SetContextKey(ctx, constant.ContextKeyTokenGroup, "vip")
+
+	groups, err := getModelListGroups(ctx)
+	require.NoError(t, err)
+
+	require.Equal(t, "default", groups.userGroup)
+	require.Equal(t, "vip", groups.tokenGroup)
+	require.Equal(t, []string{"vip"}, groups.ownerGroups)
+}
@@ -42,15 +42,6 @@ func isPositiveOptionValue(value string) bool {
 	return err == nil && floatValue > 0
 }

-func isVisiblePublicKeyOption(key string) bool {
-	switch key {
-	case "WaffoPancakeWebhookPublicKey", "WaffoPancakeWebhookTestKey":
-		return true
-	default:
-		return false
-	}
-}
-
 func collectModelNamesFromOptionValue(raw string, modelNames map[string]struct{}) {
 	if strings.TrimSpace(raw) == "" {
 		return
@@ -95,7 +86,7 @@ func GetOptions(c *gin.Context) {
 			strings.HasSuffix(k, "Key") ||
 			strings.HasSuffix(k, "secret") ||
 			strings.HasSuffix(k, "api_key")
-		if isSensitiveKey && !isVisiblePublicKeyOption(k) {
+		if isSensitiveKey {
 			continue
 		}
 		options = append(options, &model.Option{
@@ -77,24 +77,15 @@ func isWaffoPancakeTopUpEnabled() bool {
 	if !isPaymentComplianceConfirmed() {
 		return false
 	}
-	if !setting.WaffoPancakeEnabled {
-		return false
-	}
-
-	return isWaffoPancakeWebhookConfigured() &&
-		strings.TrimSpace(setting.WaffoPancakeMerchantID) != "" &&
+	// Presence-of-credentials = enabled. Webhook public keys ship inside
+	// the SDK; mode (test/prod) is read from each event.
+	return strings.TrimSpace(setting.WaffoPancakeMerchantID) != "" &&
 		strings.TrimSpace(setting.WaffoPancakePrivateKey) != "" &&
-		strings.TrimSpace(setting.WaffoPancakeStoreID) != "" &&
 		strings.TrimSpace(setting.WaffoPancakeProductID) != ""
 }

 func isWaffoPancakeWebhookConfigured() bool {
-	currentWebhookKey := strings.TrimSpace(setting.WaffoPancakeWebhookPublicKey)
-	if setting.WaffoPancakeSandbox {
-		currentWebhookKey = strings.TrimSpace(setting.WaffoPancakeWebhookTestKey)
-	}
-
-	return currentWebhookKey != ""
+	return isWaffoPancakeTopUpEnabled()
 }

 func isWaffoPancakeWebhookEnabled() bool {
@@ -114,47 +114,32 @@ func TestWaffoWebhookEnabledRequiresTopUpAndWebhookConfig(t *testing.T) {

 func TestWaffoPancakeWebhookEnabledRequiresTopUpAndWebhookConfig(t *testing.T) {
 	confirmPaymentComplianceForTest(t)
-	originalEnabled := setting.WaffoPancakeEnabled
-	originalSandbox := setting.WaffoPancakeSandbox
 	originalMerchantID := setting.WaffoPancakeMerchantID
 	originalPrivateKey := setting.WaffoPancakePrivateKey
-	originalWebhookPublicKey := setting.WaffoPancakeWebhookPublicKey
-	originalWebhookTestKey := setting.WaffoPancakeWebhookTestKey
-	originalStoreID := setting.WaffoPancakeStoreID
 	originalProductID := setting.WaffoPancakeProductID
 	t.Cleanup(func() {
-		setting.WaffoPancakeEnabled = originalEnabled
-		setting.WaffoPancakeSandbox = originalSandbox
 		setting.WaffoPancakeMerchantID = originalMerchantID
 		setting.WaffoPancakePrivateKey = originalPrivateKey
-		setting.WaffoPancakeWebhookPublicKey = originalWebhookPublicKey
-		setting.WaffoPancakeWebhookTestKey = originalWebhookTestKey
-		setting.WaffoPancakeStoreID = originalStoreID
 		setting.WaffoPancakeProductID = originalProductID
 	})

-	setting.WaffoPancakeEnabled = true
-	setting.WaffoPancakeSandbox = false
-	setting.WaffoPancakeMerchantID = "merchant"
+	// Presence of all three credentials enables the gateway. Webhook public
+	// keys are bundled in the SDK and there is no separate Enabled toggle —
+	// clear any of the three fields to disable.
+	setting.WaffoPancakeMerchantID = ""
 	setting.WaffoPancakePrivateKey = "private"
-	setting.WaffoPancakeStoreID = "store"
 	setting.WaffoPancakeProductID = "product"
-	setting.WaffoPancakeWebhookPublicKey = ""
 	require.False(t, isWaffoPancakeWebhookEnabled())

-	setting.WaffoPancakeWebhookPublicKey = "public"
+	setting.WaffoPancakeMerchantID = "merchant"
 	require.True(t, isWaffoPancakeWebhookEnabled())

-	setting.WaffoPancakeEnabled = false
+	setting.WaffoPancakeProductID = ""
 	require.False(t, isWaffoPancakeWebhookEnabled())

-	setting.WaffoPancakeEnabled = true
-	setting.WaffoPancakeSandbox = true
-	setting.WaffoPancakeWebhookTestKey = ""
+	setting.WaffoPancakeProductID = "product"
+	setting.WaffoPancakePrivateKey = ""
 	require.False(t, isWaffoPancakeWebhookEnabled())
-
-	setting.WaffoPancakeWebhookTestKey = "test_public"
-	require.True(t, isWaffoPancakeWebhookEnabled())
 }

 func TestEpayWebhookEnabledRequiresTopUpAndWebhookConfig(t *testing.T) {
@@ -8,6 +8,7 @@ import (
 	"github.com/QuantumNous/new-api/setting/ratio_setting"

 	"github.com/gin-gonic/gin"
+	"github.com/samber/lo"
 )

 func GetPerfMetricsSummary(c *gin.Context) {
@@ -18,7 +19,8 @@ func GetPerfMetricsSummary(c *gin.Context) {
 		}
 	}

-	result, err := perfmetrics.QuerySummaryAll(hours)
+	activeGroups := append(lo.Keys(ratio_setting.GetGroupRatioCopy()), "auto")
+	result, err := perfmetrics.QuerySummaryAll(hours, activeGroups)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{
 			"success": false,
@@ -72,12 +74,9 @@ func GetPerfMetrics(c *gin.Context) {
 }

 func filterActiveGroups(groups []perfmetrics.GroupResult) []perfmetrics.GroupResult {
-	activeGroups := ratio_setting.GetGroupRatioCopy()
-	filtered := make([]perfmetrics.GroupResult, 0, len(groups))
-	for _, g := range groups {
-		if _, ok := activeGroups[g.Group]; ok || g.Group == "auto" {
-			filtered = append(filtered, g)
-		}
-	}
-	return filtered
+	activeRatios := ratio_setting.GetGroupRatioCopy()
+	return lo.Filter(groups, func(g perfmetrics.GroupResult, _ int) bool {
+		_, ok := activeRatios[g.Group]
+		return ok || g.Group == "auto"
+	})
 }
@@ -88,7 +88,7 @@ func Relay(c *gin.Context, relayFormat types.RelayFormat) {

 	defer func() {
 		if newAPIError != nil {
-			logger.LogError(c, fmt.Sprintf("relay error: %s", newAPIError.Error()))
+			logger.LogError(c, fmt.Sprintf("relay error: %s", common.LocalLogPreview(newAPIError.Error())))
 			newAPIError.SetMessage(common.MessageWithRequestId(newAPIError.Error(), requestId))
 			switch relayFormat {
 			case types.RelayFormatOpenAIRealtime:
@@ -354,7 +354,7 @@ func shouldRetry(c *gin.Context, openaiErr *types.NewAPIError, retryTimes int) b
 }

 func processChannelError(c *gin.Context, channelError types.ChannelError, err *types.NewAPIError) {
-	logger.LogError(c, fmt.Sprintf("channel error (channel #%d, status code: %d): %s", channelError.ChannelId, err.StatusCode, err.Error()))
+	logger.LogError(c, fmt.Sprintf("channel error (channel #%d, status code: %d): %s", channelError.ChannelId, err.StatusCode, common.LocalLogPreview(err.Error())))
 	// 不要使用context获取渠道信息，异步处理时可能会出现渠道信息不一致的情况
 	// do not use context to get channel info, there may be inconsistent channel info when processing asynchronously
 	if service.ShouldDisableChannel(err) && channelError.AutoBan {
@@ -22,6 +22,10 @@ type BillingPreferenceRequest struct {
 	BillingPreference string `json:"billing_preference"`
 }

+type SubscriptionBalancePayRequest struct {
+	PlanId int `json:"plan_id"`
+}
+
 // ---- User APIs ----

 func GetSubscriptionPlans(c *gin.Context) {
@@ -92,6 +96,25 @@ func UpdateSubscriptionPreference(c *gin.Context) {
 	common.ApiSuccess(c, gin.H{"billing_preference": pref})
 }

+func SubscriptionRequestBalancePay(c *gin.Context) {
+	if !requirePaymentCompliance(c) {
+		return
+	}
+
+	userId := c.GetInt("id")
+	var req SubscriptionBalancePayRequest
+	if err := c.ShouldBindJSON(&req); err != nil || req.PlanId <= 0 {
+		common.ApiErrorMsg(c, "参数错误")
+		return
+	}
+
+	if err := model.PurchaseSubscriptionWithBalance(userId, req.PlanId); err != nil {
+		common.ApiError(c, err)
+		return
+	}
+	common.ApiSuccess(c, nil)
+}
+
 // ---- Admin APIs ----

 func AdminListSubscriptionPlans(c *gin.Context) {
@@ -248,6 +271,7 @@ func AdminUpdateSubscriptionPlan(c *gin.Context) {
 			"sort_order":                 req.Plan.SortOrder,
 			"stripe_price_id":            req.Plan.StripePriceId,
 			"creem_product_id":           req.Plan.CreemProductId,
+			"waffo_pancake_product_id":   req.Plan.WaffoPancakeProductId,
 			"max_purchase_per_user":      req.Plan.MaxPurchasePerUser,
 			"total_amount":               req.Plan.TotalAmount,
 			"upgrade_group":              req.Plan.UpgradeGroup,
@@ -0,0 +1,130 @@
+package controller
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/QuantumNous/new-api/common"
+	"github.com/QuantumNous/new-api/logger"
+	"github.com/QuantumNous/new-api/model"
+	"github.com/QuantumNous/new-api/service"
+	"github.com/QuantumNous/new-api/setting"
+	"github.com/gin-gonic/gin"
+	"github.com/shopspring/decimal"
+	"github.com/thanhpk/randstr"
+)
+
+type SubscriptionWaffoPancakePayRequest struct {
+	PlanId int `json:"plan_id"`
+}
+
+func SubscriptionRequestWaffoPancakePay(c *gin.Context) {
+	if !requirePaymentCompliance(c) {
+		return
+	}
+
+	var req SubscriptionWaffoPancakePayRequest
+	if err := c.ShouldBindJSON(&req); err != nil || req.PlanId <= 0 {
+		common.ApiErrorMsg(c, "参数错误")
+		return
+	}
+
+	plan, err := model.GetSubscriptionPlanById(req.PlanId)
+	if err != nil {
+		common.ApiError(c, err)
+		return
+	}
+	if !plan.Enabled {
+		common.ApiErrorMsg(c, "套餐未启用")
+		return
+	}
+	if strings.TrimSpace(plan.WaffoPancakeProductId) == "" {
+		common.ApiErrorMsg(c, "该套餐未配置 WaffoPancakeProductId")
+		return
+	}
+	// Plan targets its own Pancake product, so we only require credentials
+	// here — not the gateway-level WaffoPancakeProductID.
+	if strings.TrimSpace(setting.WaffoPancakeMerchantID) == "" ||
+		strings.TrimSpace(setting.WaffoPancakePrivateKey) == "" {
+		common.ApiErrorMsg(c, "Waffo Pancake 未配置或密钥无效")
+		return
+	}
+
+	userId := c.GetInt("id")
+	user, err := model.GetUserById(userId, false)
+	if err != nil {
+		common.ApiError(c, err)
+		return
+	}
+	if user == nil {
+		common.ApiErrorMsg(c, "用户不存在")
+		return
+	}
+
+	if plan.MaxPurchasePerUser > 0 {
+		count, err := model.CountUserSubscriptionsByPlan(userId, plan.Id)
+		if err != nil {
+			common.ApiError(c, err)
+			return
+		}
+		if count >= int64(plan.MaxPurchasePerUser) {
+			common.ApiErrorMsg(c, "已达到该套餐购买上限")
+			return
+		}
+	}
+
+	// WAFFO_PANCAKE_SUB- prefix (vs. wallet's WAFFO_PANCAKE-) drives webhook
+	// dispatch in WaffoPancakeWebhook.
+	tradeNo := fmt.Sprintf("WAFFO_PANCAKE_SUB-%d-%d-%s", userId, time.Now().UnixMilli(), randstr.String(6))
+
+	order := &model.SubscriptionOrder{
+		UserId:          userId,
+		PlanId:          plan.Id,
+		Money:           plan.PriceAmount,
+		TradeNo:         tradeNo,
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
+	}
+	if err := order.Insert(); err != nil {
+		logger.LogError(c.Request.Context(), fmt.Sprintf("Waffo Pancake 订阅订单创建失败 user_id=%d plan_id=%d trade_no=%s error=%q", userId, plan.Id, tradeNo, err.Error()))
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "创建订单失败"})
+		return
+	}
+
+	expiresInSeconds := 45 * 60
+	session, err := service.CreateWaffoPancakeCheckoutSession(c.Request.Context(), &service.WaffoPancakeCreateSessionParams{
+		ProductID:     plan.WaffoPancakeProductId,
+		BuyerIdentity: service.WaffoPancakeBuyerIdentityFromUserID(user.Id),
+		PriceSnapshot: &service.WaffoPancakePriceSnapshot{
+			Amount:      decimal.NewFromFloat(plan.PriceAmount).StringFixed(2),
+			TaxCategory: "saas",
+		},
+		BuyerEmail:              getWaffoPancakeBuyerEmail(user),
+		ExpiresInSeconds:        &expiresInSeconds,
+		OrderMerchantExternalID: tradeNo,
+	})
+	if err != nil {
+		logger.LogError(c.Request.Context(), fmt.Sprintf("Waffo Pancake 订阅结账会话创建失败 user_id=%d plan_id=%d trade_no=%s error=%q", userId, plan.Id, tradeNo, err.Error()))
+		order.Status = common.TopUpStatusFailed
+		_ = order.Update()
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "拉起支付失败"})
+		return
+	}
+	logger.LogInfo(c.Request.Context(), fmt.Sprintf("Waffo Pancake 订阅订单创建成功 user_id=%d plan_id=%d trade_no=%s session_id=%s money=%.2f", userId, plan.Id, tradeNo, session.SessionID, plan.PriceAmount))
+
+	c.JSON(http.StatusOK, gin.H{
+		"message": "success",
+		"data": gin.H{
+			"checkout_url":     session.CheckoutURL,
+			"session_id":       session.SessionID,
+			"expires_at":       session.ExpiresAt,
+			"order_id":         tradeNo,
+			"token":            session.Token,
+			"token_expires_at": session.TokenExpiresAt,
+		},
+	})
+}
@@ -52,6 +52,27 @@ func GetTopUpInfo(c *gin.Context) {
 		}
 	}

+	// Waffo Pancake displayed above the legacy Waffo gateway.
+	enableWaffoPancake := isWaffoPancakeTopUpEnabled()
+	if enableWaffoPancake {
+		hasWaffoPancake := false
+		for _, method := range payMethods {
+			if method["type"] == model.PaymentMethodWaffoPancake {
+				hasWaffoPancake = true
+				break
+			}
+		}
+
+		if !hasWaffoPancake {
+			payMethods = append(payMethods, map[string]string{
+				"name":      "Waffo Pancake",
+				"type":      model.PaymentMethodWaffoPancake,
+				"color":     "rgba(var(--semi-orange-5), 1)",
+				"min_topup": strconv.Itoa(setting.WaffoPancakeMinTopUp),
+			})
+		}
+	}
+
 	// 如果启用了 Waffo 支付，添加到支付方法列表
 	enableWaffo := isWaffoTopUpEnabled()
 	if enableWaffo {
@@ -74,26 +95,6 @@ func GetTopUpInfo(c *gin.Context) {
 		}
 	}

-	enableWaffoPancake := isWaffoPancakeTopUpEnabled()
-	if enableWaffoPancake {
-		hasWaffoPancake := false
-		for _, method := range payMethods {
-			if method["type"] == model.PaymentMethodWaffoPancake {
-				hasWaffoPancake = true
-				break
-			}
-		}
-
-		if !hasWaffoPancake {
-			payMethods = append(payMethods, map[string]string{
-				"name":      "Waffo Pancake",
-				"type":      model.PaymentMethodWaffoPancake,
-				"color":     "rgba(var(--semi-orange-5), 1)",
-				"min_topup": strconv.Itoa(setting.WaffoPancakeMinTopUp),
-			})
-		}
-	}
-
 	data := gin.H{
 		"enable_online_topup":              isEpayTopUpEnabled(),
 		"enable_stripe_topup":              isStripeTopUpEnabled(),
@@ -96,33 +96,257 @@ func getWaffoPancakeBuyerEmail(user *model.User) string {
 	if user != nil && strings.TrimSpace(user.Email) != "" {
 		return user.Email
 	}
-	if user != nil {
-		return fmt.Sprintf("%d@new-api.local", user.Id)
-	}
 	return ""
 }

-func getWaffoPancakeReturnURL() string {
-	if strings.TrimSpace(setting.WaffoPancakeReturnURL) != "" {
-		return setting.WaffoPancakeReturnURL
+// The admin config endpoints below accept typed-but-not-yet-saved creds in
+// the body and fall back to persisted creds when the body is blank (see
+// resolveWaffoPancakeAdminCreds). Only SaveWaffoPancake writes to OptionMap.
+
+type waffoPancakeCredsRequest struct {
+	MerchantID string `json:"merchant_id"`
+	PrivateKey string `json:"private_key"`
+}
+
+type saveWaffoPancakeRequest struct {
+	MerchantID string `json:"merchant_id"`
+	PrivateKey string `json:"private_key"`
+	ReturnURL  string `json:"return_url"`
+	StoreID    string `json:"store_id"`
+	ProductID  string `json:"product_id"`
+}
+
+type createWaffoPancakePairRequest struct {
+	MerchantID string `json:"merchant_id"`
+	PrivateKey string `json:"private_key"`
+	ReturnURL  string `json:"return_url"`
+}
+
+// SaveWaffoPancake atomically persists all five operator-controlled fields.
+// Catalog / pair endpoints are transient — only this one writes the OptionMap.
+func SaveWaffoPancake(c *gin.Context) {
+	var req saveWaffoPancakeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "参数错误"})
+		return
 	}
-	return paymentReturnPath("/console/topup?show_history=true")
+	if err := service.SaveWaffoPancakeConfig(
+		c.Request.Context(),
+		req.MerchantID,
+		req.PrivateKey,
+		req.ReturnURL,
+		req.StoreID,
+		req.ProductID,
+	); err != nil {
+		logger.LogError(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake 保存配置失败 store_id=%q product_id=%q error=%q",
+			req.StoreID, req.ProductID, err.Error(),
+		))
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "保存配置失败"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"message": "success",
+		"data": gin.H{
+			"product_id": setting.WaffoPancakeProductID,
+			"store_id":   setting.WaffoPancakeStoreID,
+		},
+	})
+}
+
+// resolveWaffoPancakeAdminCreds prefers body creds (typed-but-not-yet-saved
+// values, for verification) and falls back to persisted creds when the body
+// is blank (so returning admins don't have to re-paste the private key,
+// which is stripped from GET /api/option/).
+func resolveWaffoPancakeAdminCreds(bodyMerchantID, bodyPrivateKey string) (string, string) {
+	m := strings.TrimSpace(bodyMerchantID)
+	k := strings.TrimSpace(bodyPrivateKey)
+	if m == "" && k == "" {
+		return setting.WaffoPancakeMerchantID, setting.WaffoPancakePrivateKey
+	}
+	return m, k
+}
+
+// CreateWaffoPancakePair mints a Store + OnetimeProduct pair in one round-
+// trip. Surfaces an orphan-store flag when the product half fails so the
+// frontend can preselect / retry without losing context.
+func CreateWaffoPancakePair(c *gin.Context) {
+	var req createWaffoPancakePairRequest
+	if c.Request.ContentLength > 0 {
+		if err := c.ShouldBindJSON(&req); err != nil {
+			c.JSON(http.StatusOK, gin.H{"message": "error", "data": "参数错误"})
+			return
+		}
+	}
+	merchantID, privateKey := resolveWaffoPancakeAdminCreds(req.MerchantID, req.PrivateKey)
+	if merchantID == "" || privateKey == "" {
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "Waffo Pancake 凭证未配置"})
+		return
+	}
+	result, err := service.CreateWaffoPancakePrimaryPair(
+		c.Request.Context(), merchantID, privateKey, req.ReturnURL,
+	)
+	if err != nil {
+		orphan := result != nil && result.OrphanStore
+		logger.LogError(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake 创建店铺与产品失败 orphan_store=%t store_id=%q error=%q",
+			orphan, func() string {
+				if result == nil {
+					return ""
+				}
+				return result.StoreID
+			}(), err.Error(),
+		))
+		data := gin.H{"error": err.Error()}
+		if orphan {
+			data["store_id"] = result.StoreID
+			data["store_name"] = result.StoreName
+			data["orphan_store"] = true
+		}
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": data})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"message": "success",
+		"data": gin.H{
+			"store_id":     result.StoreID,
+			"store_name":   result.StoreName,
+			"product_id":   result.ProductID,
+			"product_name": result.ProductName,
+		},
+	})
+}
+
+// ListWaffoPancakeCatalog returns the merchant's Stores + OnetimeProducts.
+// Doubles as a credential probe (a successful 200 proves the resolved creds
+// authenticate). See resolveWaffoPancakeAdminCreds for credential resolution.
+func ListWaffoPancakeCatalog(c *gin.Context) {
+	var req waffoPancakeCredsRequest
+	// An empty body means "use persisted creds"; only fail on malformed JSON.
+	if c.Request.ContentLength > 0 {
+		if err := c.ShouldBindJSON(&req); err != nil {
+			c.JSON(http.StatusOK, gin.H{"message": "error", "data": "参数错误"})
+			return
+		}
+	}
+	merchantID, privateKey := resolveWaffoPancakeAdminCreds(req.MerchantID, req.PrivateKey)
+	if merchantID == "" || privateKey == "" {
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "Waffo Pancake 凭证未配置"})
+		return
+	}
+	catalog, err := service.ListWaffoPancakeCatalog(c.Request.Context(), merchantID, privateKey)
+	if err != nil {
+		logger.LogError(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake 拉取店铺与产品目录失败 error=%q", err.Error(),
+		))
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "拉取目录失败"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "success", "data": catalog})
+}
+
+type createWaffoPancakeSubscriptionProductRequest struct {
+	Name   string `json:"name"`
+	Amount string `json:"amount"`
+}
+
+// CreateWaffoPancakeSubscriptionProduct mints an OnetimeProduct (not
+// SubscriptionProduct — see service.CreateWaffoPancakeProductForPlan)
+// sized to a plan's `name` + `amount`, using persisted Pancake credentials
+// + StoreID. Reads from the form, not the plan row, so newly-typed unsaved
+// plans can mint a product too.
+func CreateWaffoPancakeSubscriptionProduct(c *gin.Context) {
+	var req createWaffoPancakeSubscriptionProductRequest
+	if c.Request.ContentLength > 0 {
+		if err := c.ShouldBindJSON(&req); err != nil {
+			c.JSON(http.StatusOK, gin.H{"message": "error", "data": "参数错误"})
+			return
+		}
+	}
+	if strings.TrimSpace(req.Name) == "" {
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "套餐名称不能为空"})
+		return
+	}
+	if strings.TrimSpace(req.Amount) == "" {
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "套餐价格不能为空"})
+		return
+	}
+	merchantID, privateKey := resolveWaffoPancakeAdminCreds("", "")
+	storeID := strings.TrimSpace(setting.WaffoPancakeStoreID)
+	if merchantID == "" || privateKey == "" || storeID == "" {
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "Waffo Pancake 未完成配置，请先在支付设置中完成网关绑定"})
+		return
+	}
+	productID, err := service.CreateWaffoPancakeProductForPlan(
+		c.Request.Context(),
+		merchantID,
+		privateKey,
+		storeID,
+		req.Name,
+		req.Amount,
+		setting.WaffoPancakeReturnURL,
+	)
+	if err != nil {
+		logger.LogError(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake 创建套餐产品失败 store_id=%q name=%q amount=%q error=%q",
+			storeID, req.Name, req.Amount, err.Error(),
+		))
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "创建套餐产品失败"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"message": "success",
+		"data": gin.H{
+			"product_id":   productID,
+			"product_name": req.Name,
+			"store_id":     storeID,
+		},
+	})
+}
+
+// ListWaffoPancakeSubscriptionProductOptions returns the OnetimeProducts
+// in the saved Pancake store, for the subscription-plan dropdown. The name
+// reflects new-api's plan concept; under the hood it's still OnetimeProducts.
+func ListWaffoPancakeSubscriptionProductOptions(c *gin.Context) {
+	merchantID, privateKey := resolveWaffoPancakeAdminCreds("", "")
+	storeID := strings.TrimSpace(setting.WaffoPancakeStoreID)
+	if merchantID == "" || privateKey == "" || storeID == "" {
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "Waffo Pancake 未完成配置，请先在支付设置中完成网关绑定"})
+		return
+	}
+	catalog, err := service.ListWaffoPancakeCatalog(c.Request.Context(), merchantID, privateKey)
+	if err != nil {
+		logger.LogError(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake 拉取订阅产品列表失败 store_id=%q error=%q", storeID, err.Error(),
+		))
+		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "拉取产品列表失败"})
+		return
+	}
+	products := []service.WaffoPancakeCatalogProduct{}
+	for _, store := range catalog.Stores {
+		if store.ID == storeID {
+			products = store.OnetimeProducts
+			break
+		}
+	}
+	c.JSON(http.StatusOK, gin.H{
+		"message": "success",
+		"data": gin.H{
+			"store_id": storeID,
+			"products": products,
+		},
+	})
+}
+
+func getWaffoPancakeBuyerIdentity(user *model.User) string {
+	if user == nil {
+		return ""
+	}
+	return service.WaffoPancakeBuyerIdentityFromUserID(user.Id)
 }

 func RequestWaffoPancakePay(c *gin.Context) {
-	if !setting.WaffoPancakeEnabled {
-		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "Waffo Pancake 支付未启用"})
-		return
-	}
-	currentWebhookKey := setting.WaffoPancakeWebhookPublicKey
-	if setting.WaffoPancakeSandbox {
-		currentWebhookKey = setting.WaffoPancakeWebhookTestKey
-	}
-	if strings.TrimSpace(setting.WaffoPancakeMerchantID) == "" ||
-		strings.TrimSpace(setting.WaffoPancakePrivateKey) == "" ||
-		strings.TrimSpace(currentWebhookKey) == "" ||
-		strings.TrimSpace(setting.WaffoPancakeStoreID) == "" ||
-		strings.TrimSpace(setting.WaffoPancakeProductID) == "" {
+	if !isWaffoPancakeTopUpEnabled() {
 		c.JSON(http.StatusOK, gin.H{"message": "error", "data": "Waffo Pancake 配置不完整"})
 		return
 	}
@@ -175,18 +399,15 @@ func RequestWaffoPancakePay(c *gin.Context) {

 	expiresInSeconds := 45 * 60
 	session, err := service.CreateWaffoPancakeCheckoutSession(c.Request.Context(), &service.WaffoPancakeCreateSessionParams{
-		StoreID:     setting.WaffoPancakeStoreID,
-		ProductID:   setting.WaffoPancakeProductID,
-		ProductType: "onetime",
-		Currency:    strings.ToUpper(strings.TrimSpace(setting.WaffoPancakeCurrency)),
+		ProductID:     setting.WaffoPancakeProductID,
+		BuyerIdentity: getWaffoPancakeBuyerIdentity(user),
 		PriceSnapshot: &service.WaffoPancakePriceSnapshot{
 			Amount:      formatWaffoPancakeAmount(payMoney),
-			TaxIncluded: false,
 			TaxCategory: "saas",
 		},
-		BuyerEmail:       getWaffoPancakeBuyerEmail(user),
-		SuccessURL:       getWaffoPancakeReturnURL(),
-		ExpiresInSeconds: &expiresInSeconds,
+		BuyerEmail:              getWaffoPancakeBuyerEmail(user),
+		ExpiresInSeconds:        &expiresInSeconds,
+		OrderMerchantExternalID: tradeNo,
 	})
 	if err != nil {
 		logger.LogError(c.Request.Context(), fmt.Sprintf("Waffo Pancake 创建结账会话失败 user_id=%d trade_no=%s error=%q", id, tradeNo, err.Error()))
@@ -200,10 +421,12 @@ func RequestWaffoPancakePay(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{
 		"message": "success",
 		"data": gin.H{
-			"checkout_url": session.CheckoutURL,
-			"session_id":   session.SessionID,
-			"expires_at":   session.ExpiresAt,
-			"order_id":     tradeNo,
+			"checkout_url":     session.CheckoutURL,
+			"session_id":       session.SessionID,
+			"expires_at":       session.ExpiresAt,
+			"order_id":         tradeNo,
+			"token":            session.Token,
+			"token_expires_at": session.TokenExpiresAt,
 		},
 	})
 }
@@ -215,6 +438,19 @@ func WaffoPancakeWebhook(c *gin.Context) {
 		return
 	}

+	// :env splits test vs prod traffic at the routing layer — operator
+	// registers each URL in the matching webhook slot in Pancake's dashboard.
+	// We then enforce event.mode == expectedEnv to catch mis-registrations.
+	expectedEnv := strings.TrimSpace(c.Param("env"))
+	if expectedEnv != "test" && expectedEnv != "prod" {
+		logger.LogWarn(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake webhook 路径环境段无效 env=%q path=%q client_ip=%s",
+			expectedEnv, c.Request.RequestURI, c.ClientIP(),
+		))
+		c.String(http.StatusNotFound, "unknown env")
+		return
+	}
+
 	bodyBytes, err := io.ReadAll(c.Request.Body)
 	if err != nil {
 		logger.LogError(c.Request.Context(), fmt.Sprintf("Waffo Pancake webhook 读取请求体失败 path=%q client_ip=%s error=%q", c.Request.RequestURI, c.ClientIP(), err.Error()))
@@ -232,15 +468,57 @@ func WaffoPancakeWebhook(c *gin.Context) {
 		return
 	}

+	if !strings.EqualFold(strings.TrimSpace(event.Mode), expectedEnv) {
+		logger.LogError(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake webhook 环境不匹配 expected=%q actual_mode=%q event_id=%s order_id=%s client_ip=%s",
+			expectedEnv, event.Mode, event.ID, event.Data.OrderID, c.ClientIP(),
+		))
+		c.String(http.StatusOK, "OK")
+		return
+	}
+
 	logger.LogInfo(c.Request.Context(), fmt.Sprintf("Waffo Pancake webhook 验签成功 event_type=%s event_id=%s order_id=%s client_ip=%s", event.NormalizedEventType(), event.ID, event.Data.OrderID, c.ClientIP()))
 	if event.NormalizedEventType() != "order.completed" {
 		c.String(http.StatusOK, "OK")
 		return
 	}

+	// Dispatch by trade_no prefix. OrderMerchantExternalID = our trade_no;
+	// OrderID is Pancake's internal ORD_* (logs only).
+	rawTradeNo := strings.TrimSpace(event.Data.OrderMerchantExternalID)
+	isSubscription := strings.HasPrefix(rawTradeNo, "WAFFO_PANCAKE_SUB-")
+
+	if isSubscription {
+		tradeNo, err := service.ResolveWaffoPancakeSubscriptionTradeNo(event)
+		if err != nil {
+			logger.LogError(c.Request.Context(), fmt.Sprintf(
+				"Waffo Pancake webhook 订阅订单解析失败 event_id=%s order_id=%s buyer_identity=%q client_ip=%s error=%q",
+				event.ID, event.Data.OrderID, event.Data.MerchantProvidedBuyerIdentity, c.ClientIP(), err.Error(),
+			))
+			c.String(http.StatusOK, "OK")
+			return
+		}
+		LockOrder(tradeNo)
+		defer UnlockOrder(tradeNo)
+		if err := model.CompleteSubscriptionOrder(tradeNo, string(bodyBytes), model.PaymentProviderWaffoPancake, ""); err != nil {
+			logger.LogError(c.Request.Context(), fmt.Sprintf("Waffo Pancake 订阅完成失败 trade_no=%s event_id=%s order_id=%s client_ip=%s error=%q", tradeNo, event.ID, event.Data.OrderID, c.ClientIP(), err.Error()))
+			c.String(http.StatusInternalServerError, "retry")
+			return
+		}
+		logger.LogInfo(c.Request.Context(), fmt.Sprintf("Waffo Pancake 订阅完成 trade_no=%s event_id=%s order_id=%s client_ip=%s", tradeNo, event.ID, event.Data.OrderID, c.ClientIP()))
+		c.String(http.StatusOK, "OK")
+		return
+	}
+
 	tradeNo, err := service.ResolveWaffoPancakeTradeNo(event)
 	if err != nil {
-		logger.LogWarn(c.Request.Context(), fmt.Sprintf("Waffo Pancake webhook 订单号映射失败 event_id=%s order_id=%s error=%q", event.ID, event.Data.OrderID, err.Error()))
+		// LogError (not LogWarn): covers order-not-found and buyer-identity
+		// mismatch — both warrant human attention. 200 OK so Waffo doesn't
+		// retry a permanently-unresolvable webhook.
+		logger.LogError(c.Request.Context(), fmt.Sprintf(
+			"Waffo Pancake webhook 订单解析失败 event_id=%s order_id=%s buyer_identity=%q client_ip=%s error=%q",
+			event.ID, event.Data.OrderID, event.Data.MerchantProvidedBuyerIdentity, c.ClientIP(), err.Error(),
+		))
 		c.String(http.StatusOK, "OK")
 		return
 	}
@@ -251,8 +251,20 @@ func GetAllUsers(c *gin.Context) {
 func SearchUsers(c *gin.Context) {
 	keyword := c.Query("keyword")
 	group := c.Query("group")
+	var role *int
+	if roleStr := c.Query("role"); roleStr != "" {
+		if parsed, err := strconv.Atoi(roleStr); err == nil {
+			role = &parsed
+		}
+	}
+	var status *int
+	if statusStr := c.Query("status"); statusStr != "" {
+		if parsed, err := strconv.Atoi(statusStr); err == nil {
+			status = &parsed
+		}
+	}
 	pageInfo := common.GetPageQuery(c)
-	users, total, err := model.SearchUsers(keyword, group, pageInfo.GetStartIdx(), pageInfo.GetPageSize())
+	users, total, err := model.SearchUsers(keyword, group, role, status, pageInfo.GetStartIdx(), pageInfo.GetPageSize())
 	if err != nil {
 		common.ApiError(c, err)
 		return
@@ -60,6 +60,8 @@ require (
 	gorm.io/gorm v1.25.2
 )

+require github.com/waffo-com/waffo-pancake-sdk-go v0.3.1
+
 require (
 	github.com/DmitriyVTitov/size v1.5.0 // indirect
 	github.com/anknown/darts v0.0.0-20151216065714-83ff685239e6 // indirect
@@ -308,6 +308,12 @@ github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65E
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/waffo-com/waffo-go v1.3.1 h1:NCYD3oQ59DTJj1bwS5T/659LI4h8PuAIW4Qj/w7fKPw=
 github.com/waffo-com/waffo-go v1.3.1/go.mod h1:IaXVYq6mmYtrLFFsLxPslNwuIZx0mIadWWjhe+eWb0g=
+github.com/waffo-com/waffo-pancake-sdk-go v0.1.1 h1:YOI7+3zTBlTB7Ou6+ZXnJV2JvW/ag9d7CwE/TxH3Hls=
+github.com/waffo-com/waffo-pancake-sdk-go v0.1.1/go.mod h1:5MBCGH/nqRRA5sHO/lQB/96r4BTAqy8QpWxn53m9htI=
+github.com/waffo-com/waffo-pancake-sdk-go v0.2.0 h1:cCSgccM66p7feTtgRqUUGT50tYQOhahsoPXavd+ib1U=
+github.com/waffo-com/waffo-pancake-sdk-go v0.2.0/go.mod h1:5MBCGH/nqRRA5sHO/lQB/96r4BTAqy8QpWxn53m9htI=
+github.com/waffo-com/waffo-pancake-sdk-go v0.3.1 h1:ngQSN/oVB35xTwFPLfg++bxPC+SptcF145Mb6c62YCc=
+github.com/waffo-com/waffo-pancake-sdk-go v0.3.1/go.mod h1:OB2MyFIQaefoPO0FV3J+yu9sDP8RVFQ+sbFsXqGuObc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
@@ -3,6 +3,7 @@ package middleware
 import (
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"slices"
 	"strconv"
@@ -20,6 +21,7 @@ import (
 	"github.com/QuantumNous/new-api/types"

 	"github.com/gin-gonic/gin"
+	"github.com/tidwall/gjson"
 )

 type ModelRequest struct {
@@ -170,6 +172,14 @@ func Distribute() func(c *gin.Context) {
 // - application/x-www-form-urlencoded
 // - multipart/form-data
 func getModelFromRequest(c *gin.Context) (*ModelRequest, error) {
+	if strings.HasPrefix(c.Request.Header.Get("Content-Type"), "application/json") {
+		modelRequest, err := getModelFromJSONBody(c)
+		if err != nil {
+			return nil, errors.New(i18n.T(c, i18n.MsgDistributorInvalidRequest, map[string]any{"Error": err.Error()}))
+		}
+		return modelRequest, nil
+	}
+
 	var modelRequest ModelRequest
 	err := common.UnmarshalBodyReusable(c, &modelRequest)
 	if err != nil {
@@ -178,6 +188,50 @@ func getModelFromRequest(c *gin.Context) (*ModelRequest, error) {
 	return &modelRequest, nil
 }

+func getModelFromJSONBody(c *gin.Context) (*ModelRequest, error) {
+	storage, err := common.GetBodyStorage(c)
+	if err != nil {
+		return nil, err
+	}
+	requestBody, err := storage.Bytes()
+	if err != nil {
+		return nil, err
+	}
+	if !gjson.ValidBytes(requestBody) {
+		return nil, errors.New("invalid JSON request body")
+	}
+
+	values := gjson.GetManyBytes(requestBody, "model", "group")
+	model, err := getJSONStringValue(values[0], "model")
+	if err != nil {
+		return nil, err
+	}
+	group, err := getJSONStringValue(values[1], "group")
+	if err != nil {
+		return nil, err
+	}
+
+	if _, seekErr := storage.Seek(0, io.SeekStart); seekErr != nil {
+		return nil, seekErr
+	}
+	c.Request.Body = io.NopCloser(storage)
+
+	return &ModelRequest{
+		Model: model,
+		Group: group,
+	}, nil
+}
+
+func getJSONStringValue(result gjson.Result, field string) (string, error) {
+	if !result.Exists() || result.Type == gjson.Null {
+		return "", nil
+	}
+	if result.Type != gjson.String {
+		return "", fmt.Errorf("field %s must be a string", field)
+	}
+	return result.String(), nil
+}
+
 func getModelRequest(c *gin.Context) (*ModelRequest, bool, error) {
 	var modelRequest ModelRequest
 	shouldSelectChannel := true
@@ -643,13 +643,25 @@ func handlerMultiKeyUpdate(channel *Channel, usingKey string, status int, reason
 	if len(keys) == 0 {
 		channel.Status = status
 	} else {
-		var keyIndex int
+		keyIndex := -1
 		for i, key := range keys {
 			if key == usingKey {
 				keyIndex = i
 				break
 			}
 		}
+		if keyIndex < 0 {
+			if usingKey != "" {
+				common.SysLog(fmt.Sprintf("failed to update multi-key status: channel_id=%d, using key not found", channel.Id))
+				return
+			}
+			channel.Status = status
+			info := channel.GetOtherInfo()
+			info["status_reason"] = reason
+			info["status_time"] = common.GetTimestamp()
+			channel.SetOtherInfo(info)
+			return
+		}
 		if channel.ChannelInfo.MultiKeyStatusList == nil {
 			channel.ChannelInfo.MultiKeyStatusList = make(map[int]int)
 		}
@@ -666,16 +678,31 @@ func handlerMultiKeyUpdate(channel *Channel, usingKey string, status int, reason
 			channel.ChannelInfo.MultiKeyDisabledReason[keyIndex] = reason
 			channel.ChannelInfo.MultiKeyDisabledTime[keyIndex] = common.GetTimestamp()
 		}
-		if len(channel.ChannelInfo.MultiKeyStatusList) >= channel.ChannelInfo.MultiKeySize {
+		if !hasEnabledMultiKey(keys, channel.ChannelInfo.MultiKeyStatusList) {
 			channel.Status = common.ChannelStatusAutoDisabled
 			info := channel.GetOtherInfo()
 			info["status_reason"] = "All keys are disabled"
 			info["status_time"] = common.GetTimestamp()
 			channel.SetOtherInfo(info)
+		} else if status == common.ChannelStatusEnabled {
+			channel.Status = common.ChannelStatusEnabled
 		}
 	}
 }

+func hasEnabledMultiKey(keys []string, statusList map[int]int) bool {
+	for i := range keys {
+		if statusList == nil {
+			return true
+		}
+		status, ok := statusList[i]
+		if !ok || status == common.ChannelStatusEnabled {
+			return true
+		}
+	}
+	return false
+}
+
 func UpdateChannelStatus(channelId int, usingKey string, status int, reason string) bool {
 	if common.MemoryCacheEnabled {
 		channelStatusLock.Lock()
@@ -687,11 +714,15 @@ func UpdateChannelStatus(channelId int, usingKey string, status int, reason stri
 		}
 		if channelCache.ChannelInfo.IsMultiKey {
 			// Use per-channel lock to prevent concurrent map read/write with GetNextEnabledKey
+			beforeStatus := channelCache.Status
 			pollingLock := GetChannelPollingLock(channelId)
 			pollingLock.Lock()
 			// 如果是多Key模式，更新缓存中的状态
 			handlerMultiKeyUpdate(channelCache, usingKey, status, reason)
 			pollingLock.Unlock()
+			if beforeStatus != channelCache.Status {
+				CacheUpdateChannelStatus(channelId, channelCache.Status)
+			}
 			//CacheUpdateChannel(channelCache)
 			//return true
 		} else {
@@ -17,25 +17,39 @@ import (
 	"gorm.io/gorm"
 )

+func applyExplicitLogTextFilter(tx *gorm.DB, column string, value string) (*gorm.DB, error) {
+	if value == "" {
+		return tx, nil
+	}
+	if strings.Contains(value, "%") {
+		pattern, err := sanitizeLikePattern(value)
+		if err != nil {
+			return nil, err
+		}
+		return tx.Where(column+" LIKE ? ESCAPE '!'", pattern), nil
+	}
+	return tx.Where(column+" = ?", value), nil
+}
+
 type Log struct {
-	Id               int    `json:"id" gorm:"index:idx_created_at_id,priority:1;index:idx_user_id_id,priority:2"`
-	UserId           int    `json:"user_id" gorm:"index;index:idx_user_id_id,priority:1"`
-	CreatedAt        int64  `json:"created_at" gorm:"bigint;index:idx_created_at_id,priority:2;index:idx_created_at_type"`
-	Type             int    `json:"type" gorm:"index:idx_created_at_type"`
-	Content          string `json:"content"`
-	Username         string `json:"username" gorm:"index;index:index_username_model_name,priority:2;default:''"`
-	TokenName        string `json:"token_name" gorm:"index;default:''"`
-	ModelName        string `json:"model_name" gorm:"index;index:index_username_model_name,priority:1;default:''"`
-	Quota            int    `json:"quota" gorm:"default:0"`
-	PromptTokens     int    `json:"prompt_tokens" gorm:"default:0"`
-	CompletionTokens int    `json:"completion_tokens" gorm:"default:0"`
-	UseTime          int    `json:"use_time" gorm:"default:0"`
-	IsStream         bool   `json:"is_stream"`
-	ChannelId        int    `json:"channel" gorm:"index"`
-	ChannelName      string `json:"channel_name" gorm:"->"`
-	TokenId          int    `json:"token_id" gorm:"default:0;index"`
-	Group            string `json:"group" gorm:"index"`
-	Ip               string `json:"ip" gorm:"index;default:''"`
+	Id                int    `json:"id" gorm:"index:idx_created_at_id,priority:1;index:idx_user_id_id,priority:2"`
+	UserId            int    `json:"user_id" gorm:"index;index:idx_user_id_id,priority:1"`
+	CreatedAt         int64  `json:"created_at" gorm:"bigint;index:idx_created_at_id,priority:2;index:idx_created_at_type"`
+	Type              int    `json:"type" gorm:"index:idx_created_at_type"`
+	Content           string `json:"content"`
+	Username          string `json:"username" gorm:"index;index:index_username_model_name,priority:2;default:''"`
+	TokenName         string `json:"token_name" gorm:"index;default:''"`
+	ModelName         string `json:"model_name" gorm:"index;index:index_username_model_name,priority:1;default:''"`
+	Quota             int    `json:"quota" gorm:"default:0"`
+	PromptTokens      int    `json:"prompt_tokens" gorm:"default:0"`
+	CompletionTokens  int    `json:"completion_tokens" gorm:"default:0"`
+	UseTime           int    `json:"use_time" gorm:"default:0"`
+	IsStream          bool   `json:"is_stream"`
+	ChannelId         int    `json:"channel" gorm:"index"`
+	ChannelName       string `json:"channel_name" gorm:"->"`
+	TokenId           int    `json:"token_id" gorm:"default:0;index"`
+	Group             string `json:"group" gorm:"index"`
+	Ip                string `json:"ip" gorm:"index;default:''"`
 	RequestId         string `json:"request_id,omitempty" gorm:"type:varchar(64);index:idx_logs_request_id;default:''"`
 	UpstreamRequestId string `json:"upstream_request_id,omitempty" gorm:"type:varchar(128);index:idx_logs_upstream_request_id;default:''"`
 	Other             string `json:"other"`
@@ -146,7 +160,7 @@ func RecordTopupLog(userId int, content string, callerIp string, paymentMethod s

 func RecordErrorLog(c *gin.Context, userId int, channelId int, modelName string, tokenName string, content string, tokenId int, useTimeSeconds int,
 	isStream bool, group string, other map[string]interface{}) {
-	logger.LogInfo(c, fmt.Sprintf("record error log: userId=%d, channelId=%d, modelName=%s, tokenName=%s, content=%s", userId, channelId, modelName, tokenName, content))
+	logger.LogInfo(c, fmt.Sprintf("record error log: userId=%d, channelId=%d, modelName=%s, tokenName=%s, content=%s", userId, channelId, modelName, tokenName, common.LocalLogPreview(content)))
 	username := c.GetString("username")
 	requestId := c.GetString(common.RequestIdKey)
 	upstreamRequestId := c.GetString(common.UpstreamRequestIdKey)
@@ -309,9 +323,15 @@ func GetAllLogs(logType int, startTimestamp int64, endTimestamp int64, modelName
 		tx = LOG_DB.Where("logs.type = ?", logType)
 	}

-	tx = applyLogContainsFilter(tx, "logs.model_name", modelName)
-	tx = applyLogContainsFilter(tx, "logs.username", username)
-	tx = applyLogContainsFilter(tx, "logs.token_name", tokenName)
+	if tx, err = applyExplicitLogTextFilter(tx, "logs.model_name", modelName); err != nil {
+		return nil, 0, err
+	}
+	if tx, err = applyExplicitLogTextFilter(tx, "logs.username", username); err != nil {
+		return nil, 0, err
+	}
+	if tokenName != "" {
+		tx = tx.Where("logs.token_name = ?", tokenName)
+	}
 	if requestId != "" {
 		tx = tx.Where("logs.request_id = ?", requestId)
 	}
@@ -392,8 +412,12 @@ func GetUserLogs(userId int, logType int, startTimestamp int64, endTimestamp int
 		tx = LOG_DB.Where("logs.user_id = ? and logs.type = ?", userId, logType)
 	}

-	tx = applyLogContainsFilter(tx, "logs.model_name", modelName)
-	tx = applyLogContainsFilter(tx, "logs.token_name", tokenName)
+	if tx, err = applyExplicitLogTextFilter(tx, "logs.model_name", modelName); err != nil {
+		return nil, 0, err
+	}
+	if tokenName != "" {
+		tx = tx.Where("logs.token_name = ?", tokenName)
+	}
 	if requestId != "" {
 		tx = tx.Where("logs.request_id = ?", requestId)
 	}
@@ -430,42 +454,34 @@ type Stat struct {
 	Tpm   int `json:"tpm"`
 }

-func logContainsPattern(input string) (string, bool) {
-	input = strings.TrimSpace(input)
-	if input == "" {
-		return "", false
-	}
-
-	replacer := strings.NewReplacer("!", "!!", "%", "!%", "_", "!_")
-	return "%" + replacer.Replace(input) + "%", true
-}
-
-func applyLogContainsFilter(tx *gorm.DB, column string, value string) *gorm.DB {
-	pattern, ok := logContainsPattern(value)
-	if !ok {
-		return tx
-	}
-	return tx.Where(column+" LIKE ? ESCAPE '!'", pattern)
-}
-
 func SumUsedQuota(logType int, startTimestamp int64, endTimestamp int64, modelName string, username string, tokenName string, channel int, group string) (stat Stat, err error) {
 	tx := LOG_DB.Table("logs").Select("sum(quota) quota")

 	// 为rpm和tpm创建单独的查询
 	rpmTpmQuery := LOG_DB.Table("logs").Select("count(*) rpm, sum(prompt_tokens) + sum(completion_tokens) tpm")

-	tx = applyLogContainsFilter(tx, "username", username)
-	rpmTpmQuery = applyLogContainsFilter(rpmTpmQuery, "username", username)
-	tx = applyLogContainsFilter(tx, "token_name", tokenName)
-	rpmTpmQuery = applyLogContainsFilter(rpmTpmQuery, "token_name", tokenName)
+	if tx, err = applyExplicitLogTextFilter(tx, "username", username); err != nil {
+		return stat, err
+	}
+	if rpmTpmQuery, err = applyExplicitLogTextFilter(rpmTpmQuery, "username", username); err != nil {
+		return stat, err
+	}
+	if tokenName != "" {
+		tx = tx.Where("token_name = ?", tokenName)
+		rpmTpmQuery = rpmTpmQuery.Where("token_name = ?", tokenName)
+	}
 	if startTimestamp != 0 {
 		tx = tx.Where("created_at >= ?", startTimestamp)
 	}
 	if endTimestamp != 0 {
 		tx = tx.Where("created_at <= ?", endTimestamp)
 	}
-	tx = applyLogContainsFilter(tx, "model_name", modelName)
-	rpmTpmQuery = applyLogContainsFilter(rpmTpmQuery, "model_name", modelName)
+	if tx, err = applyExplicitLogTextFilter(tx, "model_name", modelName); err != nil {
+		return stat, err
+	}
+	if rpmTpmQuery, err = applyExplicitLogTextFilter(rpmTpmQuery, "model_name", modelName); err != nil {
+		return stat, err
+	}
 	if channel != 0 {
 		tx = tx.Where("channel_id = ?", channel)
 		rpmTpmQuery = rpmTpmQuery.Where("channel_id = ?", channel)
@@ -399,6 +399,7 @@ func ensureSubscriptionPlanTableSQLite() error {
 ` + "`sort_order`" + ` integer DEFAULT 0,
 ` + "`stripe_price_id`" + ` varchar(128) DEFAULT '',
 ` + "`creem_product_id`" + ` varchar(128) DEFAULT '',
+` + "`waffo_pancake_product_id`" + ` varchar(128) DEFAULT '',
 ` + "`max_purchase_per_user`" + ` integer DEFAULT 0,
 ` + "`upgrade_group`" + ` varchar(64) DEFAULT '',
 ` + "`total_amount`" + ` bigint NOT NULL DEFAULT 0,
@@ -432,6 +433,7 @@ PRIMARY KEY (` + "`id`" + `)
 		{Name: "sort_order", DDL: "`sort_order` integer DEFAULT 0"},
 		{Name: "stripe_price_id", DDL: "`stripe_price_id` varchar(128) DEFAULT ''"},
 		{Name: "creem_product_id", DDL: "`creem_product_id` varchar(128) DEFAULT ''"},
+		{Name: "waffo_pancake_product_id", DDL: "`waffo_pancake_product_id` varchar(128) DEFAULT ''"},
 		{Name: "max_purchase_per_user", DDL: "`max_purchase_per_user` integer DEFAULT 0"},
 		{Name: "upgrade_group", DDL: "`upgrade_group` varchar(64) DEFAULT ''"},
 		{Name: "total_amount", DDL: "`total_amount` bigint NOT NULL DEFAULT 0"},
@@ -2,6 +2,7 @@ package model

 import (
 	"strconv"
+	"strings"

 	"github.com/QuantumNous/new-api/common"

@@ -135,6 +136,62 @@ func GetBoundChannelsByModelsMap(modelNames []string) (map[string][]BoundChannel
 	return result, nil
 }

+func normalizeLookupValues(values []string) []string {
+	seen := make(map[string]struct{}, len(values))
+	normalized := make([]string, 0, len(values))
+	for _, value := range values {
+		value = strings.TrimSpace(value)
+		if value == "" {
+			continue
+		}
+		if _, ok := seen[value]; ok {
+			continue
+		}
+		seen[value] = struct{}{}
+		normalized = append(normalized, value)
+	}
+	return normalized
+}
+
+func GetPreferredModelOwnerChannelTypes(modelNames []string, groups []string) (map[string]int, error) {
+	result := make(map[string]int)
+	modelNames = normalizeLookupValues(modelNames)
+	if len(modelNames) == 0 {
+		return result, nil
+	}
+
+	type row struct {
+		Model       string
+		ChannelType int
+	}
+	var rows []row
+
+	query := DB.Table("abilities").
+		Select("abilities.model as model, channels.type as channel_type").
+		Joins("JOIN channels ON abilities.channel_id = channels.id").
+		Where("abilities.model IN ? AND abilities.enabled = ? AND channels.status = ?", modelNames, true, common.ChannelStatusEnabled).
+		Order("COALESCE(abilities.priority, 0) DESC").
+		Order("abilities.weight DESC").
+		Order("abilities.channel_id ASC")
+
+	groups = normalizeLookupValues(groups)
+	if len(groups) > 0 {
+		query = query.Where("abilities."+commonGroupCol+" IN ?", groups)
+	}
+
+	if err := query.Scan(&rows).Error; err != nil {
+		return nil, err
+	}
+
+	for _, r := range rows {
+		if _, ok := result[r.Model]; ok {
+			continue
+		}
+		result[r.Model] = r.ChannelType
+	}
+	return result, nil
+}
+
 func SearchModels(keyword string, vendor string, offset int, limit int) ([]*Model, int64, error) {
 	var models []*Model
 	db := DB.Model(&Model{})
@@ -0,0 +1,141 @@
+package model
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/QuantumNous/new-api/common"
+	"github.com/QuantumNous/new-api/constant"
+	"github.com/stretchr/testify/require"
+)
+
+func clearPreferredOwnerTables(t *testing.T) {
+	t.Helper()
+	require.NoError(t, DB.Exec("DELETE FROM abilities").Error)
+	require.NoError(t, DB.Exec("DELETE FROM channels").Error)
+}
+
+func insertPreferredOwnerCandidate(
+	t *testing.T,
+	channelID int,
+	modelName string,
+	group string,
+	channelType int,
+	priority int64,
+	weight uint,
+	channelStatus int,
+	abilityEnabled bool,
+) {
+	t.Helper()
+	require.NoError(t, DB.Create(&Channel{
+		Id:     channelID,
+		Type:   channelType,
+		Key:    fmt.Sprintf("key-%d", channelID),
+		Status: channelStatus,
+		Name:   fmt.Sprintf("channel-%d", channelID),
+	}).Error)
+	require.NoError(t, DB.Create(&Ability{
+		Group:     group,
+		Model:     modelName,
+		ChannelId: channelID,
+		Enabled:   abilityEnabled,
+		Priority:  &priority,
+		Weight:    weight,
+	}).Error)
+}
+
+func TestGetPreferredModelOwnerChannelTypes(t *testing.T) {
+	const modelName = "gpt-5.4"
+
+	tests := []struct {
+		name     string
+		setup    func(t *testing.T)
+		groups   []string
+		expected int
+		found    bool
+	}{
+		{
+			name: "openai only",
+			setup: func(t *testing.T) {
+				insertPreferredOwnerCandidate(t, 1, modelName, "default", constant.ChannelTypeOpenAI, 0, 0, common.ChannelStatusEnabled, true)
+			},
+			groups:   []string{"default"},
+			expected: constant.ChannelTypeOpenAI,
+			found:    true,
+		},
+		{
+			name: "codex only",
+			setup: func(t *testing.T) {
+				insertPreferredOwnerCandidate(t, 1, modelName, "default", constant.ChannelTypeCodex, 0, 0, common.ChannelStatusEnabled, true)
+			},
+			groups:   []string{"default"},
+			expected: constant.ChannelTypeCodex,
+			found:    true,
+		},
+		{
+			name: "priority wins",
+			setup: func(t *testing.T) {
+				insertPreferredOwnerCandidate(t, 1, modelName, "default", constant.ChannelTypeOpenAI, 1, 100, common.ChannelStatusEnabled, true)
+				insertPreferredOwnerCandidate(t, 2, modelName, "default", constant.ChannelTypeCodex, 2, 0, common.ChannelStatusEnabled, true)
+			},
+			groups:   []string{"default"},
+			expected: constant.ChannelTypeCodex,
+			found:    true,
+		},
+		{
+			name: "weight wins when priority is equal",
+			setup: func(t *testing.T) {
+				insertPreferredOwnerCandidate(t, 1, modelName, "default", constant.ChannelTypeOpenAI, 1, 10, common.ChannelStatusEnabled, true)
+				insertPreferredOwnerCandidate(t, 2, modelName, "default", constant.ChannelTypeCodex, 1, 20, common.ChannelStatusEnabled, true)
+			},
+			groups:   []string{"default"},
+			expected: constant.ChannelTypeCodex,
+			found:    true,
+		},
+		{
+			name: "channel id stabilizes exact ties",
+			setup: func(t *testing.T) {
+				insertPreferredOwnerCandidate(t, 2, modelName, "default", constant.ChannelTypeCodex, 1, 10, common.ChannelStatusEnabled, true)
+				insertPreferredOwnerCandidate(t, 1, modelName, "default", constant.ChannelTypeOpenAI, 1, 10, common.ChannelStatusEnabled, true)
+			},
+			groups:   []string{"default"},
+			expected: constant.ChannelTypeOpenAI,
+			found:    true,
+		},
+		{
+			name: "group filter excludes other groups",
+			setup: func(t *testing.T) {
+				insertPreferredOwnerCandidate(t, 1, modelName, "vip", constant.ChannelTypeCodex, 10, 100, common.ChannelStatusEnabled, true)
+				insertPreferredOwnerCandidate(t, 2, modelName, "default", constant.ChannelTypeOpenAI, 1, 0, common.ChannelStatusEnabled, true)
+			},
+			groups:   []string{"default"},
+			expected: constant.ChannelTypeOpenAI,
+			found:    true,
+		},
+		{
+			name: "disabled candidates are ignored",
+			setup: func(t *testing.T) {
+				insertPreferredOwnerCandidate(t, 1, modelName, "default", constant.ChannelTypeCodex, 10, 100, common.ChannelStatusEnabled, false)
+				insertPreferredOwnerCandidate(t, 2, modelName, "default", constant.ChannelTypeOpenAI, 1, 0, common.ChannelStatusManuallyDisabled, true)
+			},
+			groups: []string{"default"},
+			found:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clearPreferredOwnerTables(t)
+			tt.setup(t)
+
+			owners, err := GetPreferredModelOwnerChannelTypes([]string{modelName}, tt.groups)
+			require.NoError(t, err)
+
+			got, ok := owners[modelName]
+			require.Equal(t, tt.found, ok)
+			if tt.found {
+				require.Equal(t, tt.expected, got)
+			}
+		})
+	}
+}
@@ -12,6 +12,7 @@ import (
 	"github.com/QuantumNous/new-api/setting/performance_setting"
 	"github.com/QuantumNous/new-api/setting/ratio_setting"
 	"github.com/QuantumNous/new-api/setting/system_setting"
+	"gorm.io/gorm"
 )

 type Option struct {
@@ -106,18 +107,13 @@ func InitOptionMap() {
 	common.OptionMap["WaffoUnitPrice"] = strconv.FormatFloat(setting.WaffoUnitPrice, 'f', -1, 64)
 	common.OptionMap["WaffoMinTopUp"] = strconv.Itoa(setting.WaffoMinTopUp)
 	common.OptionMap["WaffoPayMethods"] = setting.WaffoPayMethods2JsonString()
-	common.OptionMap["WaffoPancakeEnabled"] = strconv.FormatBool(setting.WaffoPancakeEnabled)
-	common.OptionMap["WaffoPancakeSandbox"] = strconv.FormatBool(setting.WaffoPancakeSandbox)
 	common.OptionMap["WaffoPancakeMerchantID"] = setting.WaffoPancakeMerchantID
 	common.OptionMap["WaffoPancakePrivateKey"] = setting.WaffoPancakePrivateKey
-	common.OptionMap["WaffoPancakeWebhookPublicKey"] = setting.WaffoPancakeWebhookPublicKey
-	common.OptionMap["WaffoPancakeWebhookTestKey"] = setting.WaffoPancakeWebhookTestKey
-	common.OptionMap["WaffoPancakeStoreID"] = setting.WaffoPancakeStoreID
-	common.OptionMap["WaffoPancakeProductID"] = setting.WaffoPancakeProductID
 	common.OptionMap["WaffoPancakeReturnURL"] = setting.WaffoPancakeReturnURL
-	common.OptionMap["WaffoPancakeCurrency"] = setting.WaffoPancakeCurrency
 	common.OptionMap["WaffoPancakeUnitPrice"] = strconv.FormatFloat(setting.WaffoPancakeUnitPrice, 'f', -1, 64)
 	common.OptionMap["WaffoPancakeMinTopUp"] = strconv.Itoa(setting.WaffoPancakeMinTopUp)
+	common.OptionMap["WaffoPancakeStoreID"] = setting.WaffoPancakeStoreID
+	common.OptionMap["WaffoPancakeProductID"] = setting.WaffoPancakeProductID
 	common.OptionMap["TopupGroupRatio"] = common.TopupGroupRatio2JSONString()
 	common.OptionMap["Chats"] = setting.Chats2JsonString()
 	common.OptionMap["AutoGroups"] = setting.AutoGroups2JsonString()
@@ -222,6 +218,39 @@ func UpdateOption(key string, value string) error {
 	return updateOptionMap(key, value)
 }

+// UpdateOptionsBulk persists multiple key/value pairs in a single database
+// transaction, then dispatches them through updateOptionMap in one pass. If
+// any DB write fails the whole transaction rolls back and no in-memory state
+// is touched — safe for callers that must commit a set of related options
+// atomically (e.g. payment gateway binding).
+func UpdateOptionsBulk(values map[string]string) error {
+	if len(values) == 0 {
+		return nil
+	}
+	err := DB.Transaction(func(tx *gorm.DB) error {
+		for k, v := range values {
+			option := Option{Key: k}
+			if err := tx.FirstOrCreate(&option, Option{Key: k}).Error; err != nil {
+				return err
+			}
+			option.Value = v
+			if err := tx.Save(&option).Error; err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	for k, v := range values {
+		if err := updateOptionMap(k, v); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func updateOptionMap(key string, value string) (err error) {
 	common.OptionMapRWMutex.Lock()
 	defer common.OptionMapRWMutex.Unlock()
@@ -419,26 +448,16 @@ func updateOptionMap(key string, value string) (err error) {
 		setting.WaffoUnitPrice, _ = strconv.ParseFloat(value, 64)
 	case "WaffoMinTopUp":
 		setting.WaffoMinTopUp, _ = strconv.Atoi(value)
-	case "WaffoPancakeEnabled":
-		setting.WaffoPancakeEnabled = value == "true"
-	case "WaffoPancakeSandbox":
-		setting.WaffoPancakeSandbox = value == "true"
 	case "WaffoPancakeMerchantID":
 		setting.WaffoPancakeMerchantID = value
 	case "WaffoPancakePrivateKey":
 		setting.WaffoPancakePrivateKey = value
-	case "WaffoPancakeWebhookPublicKey":
-		setting.WaffoPancakeWebhookPublicKey = value
-	case "WaffoPancakeWebhookTestKey":
-		setting.WaffoPancakeWebhookTestKey = value
+	case "WaffoPancakeReturnURL":
+		setting.WaffoPancakeReturnURL = value
 	case "WaffoPancakeStoreID":
 		setting.WaffoPancakeStoreID = value
 	case "WaffoPancakeProductID":
 		setting.WaffoPancakeProductID = value
-	case "WaffoPancakeReturnURL":
-		setting.WaffoPancakeReturnURL = value
-	case "WaffoPancakeCurrency":
-		setting.WaffoPancakeCurrency = value
 	case "WaffoPancakeUnitPrice":
 		setting.WaffoPancakeUnitPrice, _ = strconv.ParseFloat(value, 64)
 	case "WaffoPancakeMinTopUp":
@@ -68,11 +68,18 @@ type PerfMetricSummary struct {
 	GenerationMs   int64  `json:"generation_ms"`
 }

-func GetPerfMetricsSummaryAll(startTs int64, endTs int64) ([]PerfMetricSummary, error) {
+func GetPerfMetricsSummaryAll(startTs int64, endTs int64, groups []string) ([]PerfMetricSummary, error) {
 	var summaries []PerfMetricSummary
-	err := DB.Model(&PerfMetric{}).
+	query := DB.Model(&PerfMetric{}).
 		Select("model_name, SUM(request_count) as request_count, SUM(success_count) as success_count, SUM(total_latency_ms) as total_latency_ms, SUM(output_tokens) as output_tokens, SUM(generation_ms) as generation_ms").
-		Where("bucket_ts >= ? AND bucket_ts <= ?", startTs, endTs).
+		Where("bucket_ts >= ? AND bucket_ts <= ?", startTs, endTs)
+	if groups != nil {
+		if len(groups) == 0 {
+			return summaries, nil
+		}
+		query = query.Where(commonGroupCol+" IN ?", groups)
+	}
+	err := query.
 		Group("model_name").
 		Having("SUM(request_count) > 0").
 		Find(&summaries).Error
@@ -11,6 +11,7 @@ import (
 	"github.com/QuantumNous/new-api/common"
 	"github.com/QuantumNous/new-api/pkg/cachex"
 	"github.com/samber/hot"
+	"github.com/shopspring/decimal"
 	"gorm.io/gorm"
 )

@@ -159,8 +160,9 @@ type SubscriptionPlan struct {
 	Enabled   bool `json:"enabled" gorm:"default:true"`
 	SortOrder int  `json:"sort_order" gorm:"type:int;default:0"`

-	StripePriceId  string `json:"stripe_price_id" gorm:"type:varchar(128);default:''"`
-	CreemProductId string `json:"creem_product_id" gorm:"type:varchar(128);default:''"`
+	StripePriceId         string `json:"stripe_price_id" gorm:"type:varchar(128);default:''"`
+	CreemProductId        string `json:"creem_product_id" gorm:"type:varchar(128);default:''"`
+	WaffoPancakeProductId string `json:"waffo_pancake_product_id" gorm:"type:varchar(128);default:''"`

 	// Max purchases per user (0 = unlimited)
 	MaxPurchasePerUser int `json:"max_purchase_per_user" gorm:"type:int;default:0"`
@@ -664,6 +666,106 @@ func AdminBindSubscription(userId int, planId int, sourceNote string) (string, e
 	return "", nil
 }

+func calcSubscriptionBalanceQuota(priceAmount float64) (int, error) {
+	if priceAmount <= 0 {
+		return 0, nil
+	}
+	if common.QuotaPerUnit <= 0 {
+		return 0, errors.New("额度单位配置错误")
+	}
+	quota := decimal.NewFromFloat(priceAmount).
+		Mul(decimal.NewFromFloat(common.QuotaPerUnit)).
+		Ceil().
+		IntPart()
+	return int(quota), nil
+}
+
+// PurchaseSubscriptionWithBalance creates a subscription by deducting the user's wallet quota.
+func PurchaseSubscriptionWithBalance(userId int, planId int) error {
+	if userId <= 0 || planId <= 0 {
+		return errors.New("invalid userId or planId")
+	}
+
+	var logPlanTitle string
+	var logMoney float64
+	var chargedQuota int
+	var upgradeGroup string
+	err := DB.Transaction(func(tx *gorm.DB) error {
+		plan, err := getSubscriptionPlanByIdTx(tx, planId)
+		if err != nil {
+			return err
+		}
+		if !plan.Enabled {
+			return errors.New("套餐未启用")
+		}
+		if plan.PriceAmount < 0 {
+			return errors.New("套餐价格不能为负数")
+		}
+
+		requiredQuota, err := calcSubscriptionBalanceQuota(plan.PriceAmount)
+		if err != nil {
+			return err
+		}
+
+		var user User
+		if err := tx.Set("gorm:query_option", "FOR UPDATE").Where("id = ?", userId).First(&user).Error; err != nil {
+			return err
+		}
+		if requiredQuota > 0 && user.Quota < requiredQuota {
+			return errors.New("余额不足")
+		}
+		if requiredQuota > 0 {
+			if err := tx.Model(&User{}).Where("id = ?", userId).
+				Update("quota", gorm.Expr("quota - ?", requiredQuota)).Error; err != nil {
+				return err
+			}
+		}
+
+		if _, err := CreateUserSubscriptionFromPlanTx(tx, userId, plan, PaymentMethodBalance); err != nil {
+			return err
+		}
+
+		now := common.GetTimestamp()
+		tradeNo := fmt.Sprintf("SUBBALUSR%dNO%s%d", userId, common.GetRandomString(6), time.Now().UnixNano())
+		order := &SubscriptionOrder{
+			UserId:          userId,
+			PlanId:          plan.Id,
+			Money:           plan.PriceAmount,
+			TradeNo:         tradeNo,
+			PaymentMethod:   PaymentMethodBalance,
+			PaymentProvider: PaymentProviderBalance,
+			Status:          common.TopUpStatusSuccess,
+			CreateTime:      now,
+			CompleteTime:    now,
+			ProviderPayload: fmt.Sprintf("charged_quota=%d", requiredQuota),
+		}
+		if err := tx.Create(order).Error; err != nil {
+			return err
+		}
+
+		logPlanTitle = plan.Title
+		logMoney = plan.PriceAmount
+		chargedQuota = requiredQuota
+		upgradeGroup = strings.TrimSpace(plan.UpgradeGroup)
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	if chargedQuota > 0 {
+		if err := cacheDecrUserQuota(userId, int64(chargedQuota)); err != nil {
+			common.SysLog("failed to decrease user quota cache after subscription balance purchase: " + err.Error())
+		}
+	}
+	if upgradeGroup != "" {
+		_ = UpdateUserGroupCache(userId, upgradeGroup)
+	}
+	msg := fmt.Sprintf("使用余额购买订阅成功，套餐: %s，支付金额: %.2f，扣除额度: %d", logPlanTitle, logMoney, chargedQuota)
+	RecordLog(userId, LogTypeTopup, msg)
+	return nil
+}
+
 // GetAllActiveUserSubscriptions returns all active subscriptions for a user.
 func GetAllActiveUserSubscriptions(userId int) ([]SubscriptionSummary, error) {
 	if userId <= 0 {
@@ -26,6 +26,7 @@ func TestMain(m *testing.M) {
 	common.RedisEnabled = false
 	common.BatchUpdateEnabled = false
 	common.LogConsumeEnabled = true
+	initCol()

 	sqlDB, err := db.DB()
 	if err != nil {
@@ -39,10 +40,12 @@ func TestMain(m *testing.M) {
 		&Token{},
 		&Log{},
 		&Channel{},
+		&Ability{},
 		&TopUp{},
 		&SubscriptionPlan{},
 		&SubscriptionOrder{},
 		&UserSubscription{},
+		&PerfMetric{},
 	); err != nil {
 		panic("failed to migrate: " + err.Error())
 	}
@@ -58,10 +61,12 @@ func truncateTables(t *testing.T) {
 		DB.Exec("DELETE FROM tokens")
 		DB.Exec("DELETE FROM logs")
 		DB.Exec("DELETE FROM channels")
+		DB.Exec("DELETE FROM abilities")
 		DB.Exec("DELETE FROM top_ups")
 		DB.Exec("DELETE FROM subscription_orders")
 		DB.Exec("DELETE FROM subscription_plans")
 		DB.Exec("DELETE FROM user_subscriptions")
+		DB.Exec("DELETE FROM perf_metrics")
 	})
 }

@@ -29,6 +29,7 @@ const (
 	PaymentMethodCreem        = "creem"
 	PaymentMethodWaffo        = "waffo"
 	PaymentMethodWaffoPancake = "waffo_pancake"
+	PaymentMethodBalance      = "balance"
 )

 const (
@@ -37,6 +38,7 @@ const (
 	PaymentProviderCreem        = "creem"
 	PaymentProviderWaffo        = "waffo"
 	PaymentProviderWaffoPancake = "waffo_pancake"
+	PaymentProviderBalance      = "balance"
 )

 var (
@@ -225,7 +225,7 @@ func GetAllUsers(pageInfo *common.PageInfo) (users []*User, total int64, err err
 	return users, total, nil
 }

-func SearchUsers(keyword string, group string, startIdx int, num int) ([]*User, int64, error) {
+func SearchUsers(keyword string, group string, role *int, status *int, startIdx int, num int) ([]*User, int64, error) {
 	var users []*User
 	var total int64
 	var err error
@@ -246,28 +246,25 @@ func SearchUsers(keyword string, group string, startIdx int, num int) ([]*User,

 	// 构建搜索条件
 	likeCondition := "username LIKE ? OR email LIKE ? OR display_name LIKE ?"
+	likeArgs := []interface{}{"%" + keyword + "%", "%" + keyword + "%", "%" + keyword + "%"}

 	// 尝试将关键字转换为整数ID
 	keywordInt, err := strconv.Atoi(keyword)
 	if err == nil {
 		// 如果是数字，同时搜索ID和其他字段
 		likeCondition = "id = ? OR " + likeCondition
-		if group != "" {
-			query = query.Where("("+likeCondition+") AND "+commonGroupCol+" = ?",
-				keywordInt, "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%", group)
-		} else {
-			query = query.Where(likeCondition,
-				keywordInt, "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
-		}
-	} else {
-		// 非数字关键字，只搜索字符串字段
-		if group != "" {
-			query = query.Where("("+likeCondition+") AND "+commonGroupCol+" = ?",
-				"%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%", group)
-		} else {
-			query = query.Where(likeCondition,
-				"%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
-		}
+		likeArgs = append([]interface{}{keywordInt}, likeArgs...)
+	}
+
+	query = query.Where("("+likeCondition+")", likeArgs...)
+	if group != "" {
+		query = query.Where(commonGroupCol+" = ?", group)
+	}
+	if role != nil {
+		query = query.Where("role = ?", *role)
+	}
+	if status != nil {
+		query = query.Where("status = ?", *status)
 	}

 	// 获取总数
@@ -987,6 +984,23 @@ func updateUserUsedQuotaAndRequestCount(id int, quota int, count int) {
 	//}
 }

+func updateUserQuotaUsedQuotaAndRequestCount(id int, quota int, usedQuota int, requestCount int) {
+	if quota == 0 && usedQuota == 0 && requestCount == 0 {
+		return
+	}
+
+	err := DB.Model(&User{}).Where("id = ?", id).Updates(
+		map[string]interface{}{
+			"quota":         gorm.Expr("quota + ?", quota),
+			"used_quota":    gorm.Expr("used_quota + ?", usedQuota),
+			"request_count": gorm.Expr("request_count + ?", requestCount),
+		},
+	).Error
+	if err != nil {
+		common.SysLog("failed to batch update user quota, used quota and request count: " + err.Error())
+	}
+}
+
 func updateUserUsedQuota(id int, quota int) {
 	err := DB.Model(&User{}).Where("id = ?", id).Updates(
 		map[string]interface{}{
@@ -67,33 +67,48 @@ func batchUpdate() {
 	}

 	common.SysLog("batch update started")
+	stores := make([]map[int]int, BatchUpdateTypeCount)
 	for i := 0; i < BatchUpdateTypeCount; i++ {
 		batchUpdateLocks[i].Lock()
-		store := batchUpdateStores[i]
+		stores[i] = batchUpdateStores[i]
 		batchUpdateStores[i] = make(map[int]int)
 		batchUpdateLocks[i].Unlock()
-		// TODO: maybe we can combine updates with same key?
+	}
+
+	for i, store := range stores {
+		if i == BatchUpdateTypeUserQuota || i == BatchUpdateTypeUsedQuota || i == BatchUpdateTypeRequestCount {
+			continue
+		}
 		for key, value := range store {
 			switch i {
-			case BatchUpdateTypeUserQuota:
-				err := increaseUserQuota(key, value)
-				if err != nil {
-					common.SysLog("failed to batch update user quota: " + err.Error())
-				}
 			case BatchUpdateTypeTokenQuota:
 				err := increaseTokenQuota(key, value)
 				if err != nil {
 					common.SysLog("failed to batch update token quota: " + err.Error())
 				}
-			case BatchUpdateTypeUsedQuota:
-				updateUserUsedQuota(key, value)
-			case BatchUpdateTypeRequestCount:
-				updateUserRequestCount(key, value)
 			case BatchUpdateTypeChannelUsedQuota:
 				updateChannelUsedQuota(key, value)
 			}
 		}
 	}
+
+	userQuotaStore := stores[BatchUpdateTypeUserQuota]
+	usedQuotaStore := stores[BatchUpdateTypeUsedQuota]
+	requestCountStore := stores[BatchUpdateTypeRequestCount]
+
+	userIDs := make(map[int]struct{}, len(userQuotaStore)+len(usedQuotaStore)+len(requestCountStore))
+	for key := range userQuotaStore {
+		userIDs[key] = struct{}{}
+	}
+	for key := range usedQuotaStore {
+		userIDs[key] = struct{}{}
+	}
+	for key := range requestCountStore {
+		userIDs[key] = struct{}{}
+	}
+	for key := range userIDs {
+		updateUserQuotaUsedQuotaAndRequestCount(key, userQuotaStore[key], usedQuotaStore[key], requestCountStore[key])
+	}
 	common.SysLog("batch update finished")
 }

@@ -122,7 +122,7 @@ func Query(params QueryParams) (QueryResult, error) {
 	return buildQueryResult(params.Model, merged), nil
 }

-func QuerySummaryAll(hours int) (SummaryAllResult, error) {
+func QuerySummaryAll(hours int, groups []string) (SummaryAllResult, error) {
 	if hours <= 0 {
 		hours = 24
 	}
@@ -131,8 +131,9 @@ func QuerySummaryAll(hours int) (SummaryAllResult, error) {
 	}
 	endTs := time.Now().Unix()
 	startTs := endTs - int64(hours)*3600
+	allowedGroups := allowedGroupSet(groups)

-	rows, err := model.GetPerfMetricsSummaryAll(startTs, endTs)
+	rows, err := model.GetPerfMetricsSummaryAll(startTs, endTs, groups)
 	if err != nil {
 		return SummaryAllResult{}, err
 	}
@@ -153,6 +154,11 @@ func QuerySummaryAll(hours int) (SummaryAllResult, error) {
 		if k.bucketTs < startTs || k.bucketTs > endTs {
 			return true
 		}
+		if allowedGroups != nil {
+			if _, ok := allowedGroups[k.group]; !ok {
+				return true
+			}
+		}
 		snap := value.(*atomicBucket).snapshot()
 		if snap.requestCount == 0 {
 			return true
@@ -193,6 +199,17 @@ func QuerySummaryAll(hours int) (SummaryAllResult, error) {
 	return SummaryAllResult{Models: models}, nil
 }

+func allowedGroupSet(groups []string) map[string]struct{} {
+	if groups == nil {
+		return nil
+	}
+	allowed := make(map[string]struct{}, len(groups))
+	for _, group := range groups {
+		allowed[group] = struct{}{}
+	}
+	return allowed
+}
+
 func bucketStart(ts int64) int64 {
 	bucketSeconds := perf_metrics_setting.GetBucketSeconds()
 	if bucketSeconds <= 0 {
@@ -25,6 +25,23 @@ import (
 	"github.com/gorilla/websocket"
 )

+// applyUpstreamContentLength populates req.ContentLength when the upstream
+// body is wrapped in a BodyStorage (see relay/common/outbound_body.go).
+//
+// net/http.NewRequest only auto-detects ContentLength for *bytes.Reader,
+// *bytes.Buffer and *strings.Reader. When the body is a type-erased io.Reader
+// (which is the case for ReaderOnly(BodyStorage)), the Content-Length header
+// would otherwise be omitted, forcing chunked transfer encoding and breaking
+// some upstreams that require an explicit Content-Length.
+func applyUpstreamContentLength(req *http.Request, info *common.RelayInfo) {
+	if info == nil {
+		return
+	}
+	if info.UpstreamRequestBodySize > 0 && req.ContentLength <= 0 {
+		req.ContentLength = info.UpstreamRequestBodySize
+	}
+}
+
 func SetupApiRequestHeader(info *common.RelayInfo, c *gin.Context, req *http.Header) {
 	if info.RelayMode == constant.RelayModeAudioTranscription || info.RelayMode == constant.RelayModeAudioTranslation {
 		// multipart/form-data
@@ -297,6 +314,7 @@ func DoApiRequest(a Adaptor, c *gin.Context, info *common.RelayInfo, requestBody
 	if err != nil {
 		return nil, fmt.Errorf("new request failed: %w", err)
 	}
+	applyUpstreamContentLength(req, info)
 	headers := req.Header
 	err = a.SetupRequestHeader(c, &headers, info)
 	if err != nil {
@@ -326,6 +344,7 @@ func DoFormRequest(a Adaptor, c *gin.Context, info *common.RelayInfo, requestBod
 	if err != nil {
 		return nil, fmt.Errorf("new request failed: %w", err)
 	}
+	applyUpstreamContentLength(req, info)
 	// set form data
 	req.Header.Set("Content-Type", c.Request.Header.Get("Content-Type"))
 	headers := req.Header
@@ -522,6 +541,7 @@ func DoTaskApiRequest(a TaskAdaptor, c *gin.Context, info *common.RelayInfo, req
 	if err != nil {
 		return nil, fmt.Errorf("new request failed: %w", err)
 	}
+	applyUpstreamContentLength(req, info)
 	req.GetBody = func() (io.ReadCloser, error) {
 		return io.NopCloser(requestBody), nil
 	}
@@ -442,10 +442,7 @@ func StreamResponseClaude2OpenAI(claudeResponse *dto.ClaudeResponse) *dto.ChatCo
 	tools := make([]dto.ToolCallResponse, 0)
 	fcIdx := 0
 	if claudeResponse.Index != nil {
-		fcIdx = *claudeResponse.Index - 1
-		if fcIdx < 0 {
-			fcIdx = 0
-		}
+		fcIdx = *claudeResponse.Index
 	}
 	var choice dto.ChatCompletionsStreamResponseChoice
 	if claudeResponse.Type == "message_start" {
@@ -1079,17 +1079,47 @@ func responseGeminiChat2OpenAI(c *gin.Context, response *dto.GeminiChatResponse)
 			FinishReason: constant.FinishReasonStop,
 		}
 		if len(candidate.Content.Parts) > 0 {
-			var texts []string
+			// 使用 strings.Builder 直接累积最终 content，避免:
+			//   1) 每张 inline image 生成一次中间 "![image](...)" 字符串
+			//   2) 末尾 strings.Join 再分配一份等大缓冲
+			// Gemini 图片返回时 InlineData.Data 可能是数 MB 的 base64，
+			// 上述两份临时分配在高并发下会显著放大堆驻留。
+			var content strings.Builder
+			var inlineGrow int
+			for _, part := range candidate.Content.Parts {
+				if part.InlineData != nil {
+					inlineGrow += len(part.InlineData.MimeType) + len(part.InlineData.Data) + 32
+				}
+			}
+			if inlineGrow > 0 {
+				content.Grow(inlineGrow)
+			}
+			appended := 0
+			writeSep := func() {
+				if appended > 0 {
+					content.WriteByte('\n')
+				}
+				appended++
+			}
 			var toolCalls []dto.ToolCallResponse
 			for _, part := range candidate.Content.Parts {
 				if part.InlineData != nil {
 					// 媒体内容
 					if strings.HasPrefix(part.InlineData.MimeType, "image") {
-						imgText := "![image](data:" + part.InlineData.MimeType + ";base64," + part.InlineData.Data + ")"
-						texts = append(texts, imgText)
+						writeSep()
+						content.WriteString("![image](data:")
+						content.WriteString(part.InlineData.MimeType)
+						content.WriteString(";base64,")
+						content.WriteString(part.InlineData.Data)
+						content.WriteByte(')')
 					} else {
 						// 其他媒体类型，直接显示链接
-						texts = append(texts, fmt.Sprintf("[media](data:%s;base64,%s)", part.InlineData.MimeType, part.InlineData.Data))
+						writeSep()
+						content.WriteString("[media](data:")
+						content.WriteString(part.InlineData.MimeType)
+						content.WriteString(";base64,")
+						content.WriteString(part.InlineData.Data)
+						content.WriteByte(')')
 					}
 				} else if part.FunctionCall != nil {
 					choice.FinishReason = constant.FinishReasonToolCalls
@@ -1100,13 +1130,22 @@ func responseGeminiChat2OpenAI(c *gin.Context, response *dto.GeminiChatResponse)
 					choice.Message.ReasoningContent = &part.Text
 				} else {
 					if part.ExecutableCode != nil {
-						texts = append(texts, "```"+part.ExecutableCode.Language+"\n"+part.ExecutableCode.Code+"\n```")
+						writeSep()
+						content.WriteString("```")
+						content.WriteString(part.ExecutableCode.Language)
+						content.WriteByte('\n')
+						content.WriteString(part.ExecutableCode.Code)
+						content.WriteString("\n```")
 					} else if part.CodeExecutionResult != nil {
-						texts = append(texts, "```output\n"+part.CodeExecutionResult.Output+"\n```")
+						writeSep()
+						content.WriteString("```output\n")
+						content.WriteString(part.CodeExecutionResult.Output)
+						content.WriteString("\n```")
 					} else {
 						// 过滤掉空行
 						if part.Text != "\n" {
-							texts = append(texts, part.Text)
+							writeSep()
+							content.WriteString(part.Text)
 						}
 					}
 				}
@@ -1115,7 +1154,7 @@ func responseGeminiChat2OpenAI(c *gin.Context, response *dto.GeminiChatResponse)
 				choice.Message.SetToolCalls(toolCalls)
 				isToolCall = true
 			}
-			choice.Message.SetStringContent(strings.Join(texts, "\n"))
+			choice.Message.SetStringContent(content.String())

 		}
 		if candidate.FinishReason != nil {
@@ -1169,7 +1208,25 @@ func streamResponseGeminiChat2OpenAI(geminiResponse *dto.GeminiChatResponse) (*d
 				//Role: "assistant",
 			},
 		}
-		var texts []string
+		// 使用 strings.Builder 直接累积 delta content，避免每张 image / 每个
+		// 文本片段都先 `+` 拼出一份临时 string，再 strings.Join 再拷贝一遍。
+		var content strings.Builder
+		var inlineGrow int
+		for _, part := range candidate.Content.Parts {
+			if part.InlineData != nil {
+				inlineGrow += len(part.InlineData.MimeType) + len(part.InlineData.Data) + 32
+			}
+		}
+		if inlineGrow > 0 {
+			content.Grow(inlineGrow)
+		}
+		appended := 0
+		writeSep := func() {
+			if appended > 0 {
+				content.WriteByte('\n')
+			}
+			appended++
+		}
 		isTools := false
 		isThought := false
 		if candidate.FinishReason != nil {
@@ -1207,8 +1264,12 @@ func streamResponseGeminiChat2OpenAI(geminiResponse *dto.GeminiChatResponse) (*d
 		for _, part := range candidate.Content.Parts {
 			if part.InlineData != nil {
 				if strings.HasPrefix(part.InlineData.MimeType, "image") {
-					imgText := "![image](data:" + part.InlineData.MimeType + ";base64," + part.InlineData.Data + ")"
-					texts = append(texts, imgText)
+					writeSep()
+					content.WriteString("![image](data:")
+					content.WriteString(part.InlineData.MimeType)
+					content.WriteString(";base64,")
+					content.WriteString(part.InlineData.Data)
+					content.WriteByte(')')
 				}
 			} else if part.FunctionCall != nil {
 				isTools = true
@@ -1219,23 +1280,33 @@ func streamResponseGeminiChat2OpenAI(geminiResponse *dto.GeminiChatResponse) (*d

 			} else if part.Thought {
 				isThought = true
-				texts = append(texts, part.Text)
+				writeSep()
+				content.WriteString(part.Text)
 			} else {
 				if part.ExecutableCode != nil {
-					texts = append(texts, "```"+part.ExecutableCode.Language+"\n"+part.ExecutableCode.Code+"\n```\n")
+					writeSep()
+					content.WriteString("```")
+					content.WriteString(part.ExecutableCode.Language)
+					content.WriteByte('\n')
+					content.WriteString(part.ExecutableCode.Code)
+					content.WriteString("\n```\n")
 				} else if part.CodeExecutionResult != nil {
-					texts = append(texts, "```output\n"+part.CodeExecutionResult.Output+"\n```\n")
+					writeSep()
+					content.WriteString("```output\n")
+					content.WriteString(part.CodeExecutionResult.Output)
+					content.WriteString("\n```\n")
 				} else {
 					if part.Text != "\n" {
-						texts = append(texts, part.Text)
+						writeSep()
+						content.WriteString(part.Text)
 					}
 				}
 			}
 		}
 		if isThought {
-			choice.Delta.SetReasoningContent(strings.Join(texts, "\n"))
+			choice.Delta.SetReasoningContent(content.String())
 		} else {
-			choice.Delta.SetContentString(strings.Join(texts, "\n"))
+			choice.Delta.SetContentString(content.String())
 		}
 		if isTools {
 			choice.FinishReason = &constant.FinishReasonToolCalls
@@ -1339,6 +1410,14 @@ func GeminiChatStreamHandler(c *gin.Context, info *relaycommon.RelayInfo, resp *
 		response.Id = id
 		response.Created = createAt
 		response.Model = info.UpstreamModelName
+		if response.IsToolCall() {
+			finishReason = constant.FinishReasonToolCalls
+			if info.RelayFormat == types.RelayFormatClaude {
+				for choiceIdx := range response.Choices {
+					response.Choices[choiceIdx].FinishReason = nil
+				}
+			}
+		}
 		for choiceIdx := range response.Choices {
 			choiceKey := response.Choices[choiceIdx].Index
 			for toolIdx := range response.Choices[choiceIdx].Delta.ToolCalls {
@@ -1399,7 +1478,9 @@ func GeminiChatStreamHandler(c *gin.Context, info *relaycommon.RelayInfo, resp *
 			logger.LogError(c, err.Error())
 		}
 		if isStop {
-			_ = handleStream(c, info, helper.GenerateStopResponse(id, createAt, info.UpstreamModelName, finishReason))
+			if info.RelayFormat != types.RelayFormatClaude {
+				_ = handleStream(c, info, helper.GenerateStopResponse(id, createAt, info.UpstreamModelName, finishReason))
+			}
 		}
 		return true
 	})
@@ -1409,6 +1490,10 @@ func GeminiChatStreamHandler(c *gin.Context, info *relaycommon.RelayInfo, resp *
 	}

 	response := helper.GenerateFinalUsageResponse(id, createAt, info.UpstreamModelName, *usage)
+	if info.RelayFormat == types.RelayFormatClaude && info.ClaudeConvertInfo != nil && !info.ClaudeConvertInfo.Done {
+		response = helper.GenerateStopResponse(id, createAt, info.UpstreamModelName, finishReason)
+		response.Usage = usage
+	}
 	handleErr := handleFinalStream(c, info, response)
 	if handleErr != nil {
 		common.SysLog("send final response failed: " + handleErr.Error())
@@ -1,7 +1,6 @@
 package openai

 import (
-	"encoding/json"
 	"strings"

 	"github.com/QuantumNous/new-api/common"
@@ -92,78 +91,28 @@ func ProcessStreamResponse(streamResponse dto.ChatCompletionsStreamResponse, res
 	return nil
 }

-func processTokens(relayMode int, streamItems []string, responseTextBuilder *strings.Builder, toolCount *int) error {
-	streamResp := "[" + strings.Join(streamItems, ",") + "]"
-
+func processTokenData(relayMode int, data string, responseTextBuilder *strings.Builder, toolCount *int) error {
 	switch relayMode {
 	case relayconstant.RelayModeChatCompletions:
-		return processChatCompletions(streamResp, streamItems, responseTextBuilder, toolCount)
+		var streamResponse dto.ChatCompletionsStreamResponse
+		if err := common.UnmarshalJsonStr(data, &streamResponse); err != nil {
+			return err
+		}
+		return ProcessStreamResponse(streamResponse, responseTextBuilder, toolCount)
 	case relayconstant.RelayModeCompletions:
-		return processCompletions(streamResp, streamItems, responseTextBuilder)
+		var streamResponse dto.CompletionsStreamResponse
+		if err := common.UnmarshalJsonStr(data, &streamResponse); err != nil {
+			return err
+		}
+		processCompletionsStreamResponse(streamResponse, responseTextBuilder)
 	}
 	return nil
 }

-func processChatCompletions(streamResp string, streamItems []string, responseTextBuilder *strings.Builder, toolCount *int) error {
-	var streamResponses []dto.ChatCompletionsStreamResponse
-	if err := json.Unmarshal(common.StringToByteSlice(streamResp), &streamResponses); err != nil {
-		// 一次性解析失败，逐个解析
-		common.SysLog("error unmarshalling stream response: " + err.Error())
-		for _, item := range streamItems {
-			var streamResponse dto.ChatCompletionsStreamResponse
-			if err := json.Unmarshal(common.StringToByteSlice(item), &streamResponse); err != nil {
-				return err
-			}
-			if err := ProcessStreamResponse(streamResponse, responseTextBuilder, toolCount); err != nil {
-				common.SysLog("error processing stream response: " + err.Error())
-			}
-		}
-		return nil
+func processCompletionsStreamResponse(streamResponse dto.CompletionsStreamResponse, responseTextBuilder *strings.Builder) {
+	for _, choice := range streamResponse.Choices {
+		responseTextBuilder.WriteString(choice.Text)
 	}
-
-	// 批量处理所有响应
-	for _, streamResponse := range streamResponses {
-		for _, choice := range streamResponse.Choices {
-			responseTextBuilder.WriteString(choice.Delta.GetContentString())
-			responseTextBuilder.WriteString(choice.Delta.GetReasoningContent())
-			if choice.Delta.ToolCalls != nil {
-				if len(choice.Delta.ToolCalls) > *toolCount {
-					*toolCount = len(choice.Delta.ToolCalls)
-				}
-				for _, tool := range choice.Delta.ToolCalls {
-					responseTextBuilder.WriteString(tool.Function.Name)
-					responseTextBuilder.WriteString(tool.Function.Arguments)
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func processCompletions(streamResp string, streamItems []string, responseTextBuilder *strings.Builder) error {
-	var streamResponses []dto.CompletionsStreamResponse
-	if err := json.Unmarshal(common.StringToByteSlice(streamResp), &streamResponses); err != nil {
-		// 一次性解析失败，逐个解析
-		common.SysLog("error unmarshalling stream response: " + err.Error())
-		for _, item := range streamItems {
-			var streamResponse dto.CompletionsStreamResponse
-			if err := json.Unmarshal(common.StringToByteSlice(item), &streamResponse); err != nil {
-				continue
-			}
-			for _, choice := range streamResponse.Choices {
-				responseTextBuilder.WriteString(choice.Text)
-			}
-		}
-		return nil
-	}
-
-	// 批量处理所有响应
-	for _, streamResponse := range streamResponses {
-		for _, choice := range streamResponse.Choices {
-			responseTextBuilder.WriteString(choice.Text)
-		}
-	}
-	return nil
 }

 func handleLastResponse(lastStreamData string, responseId *string, createAt *int64,
@@ -119,7 +119,6 @@ func OaiStreamHandler(c *gin.Context, info *relaycommon.RelayInfo, resp *http.Re
 	var responseTextBuilder strings.Builder
 	var toolCount int
 	var usage = &dto.Usage{}
-	var streamItems []string // store stream items
 	var lastStreamData string
 	var secondLastStreamData string // 存储倒数第二个stream data，用于音频模型

@@ -140,7 +139,10 @@ func OaiStreamHandler(c *gin.Context, info *relaycommon.RelayInfo, resp *http.Re
 			}

 			lastStreamData = data
-			streamItems = append(streamItems, data)
+			if err := processTokenData(info.RelayMode, data, &responseTextBuilder, &toolCount); err != nil {
+				logger.LogError(c, "error processing stream token data: "+err.Error())
+				sr.Error(err)
+			}
 		}
 	})

@@ -175,11 +177,6 @@ func OaiStreamHandler(c *gin.Context, info *relaycommon.RelayInfo, resp *http.Re
 		}
 	}

-	// 处理token计算
-	if err := processTokens(info.RelayMode, streamItems, &responseTextBuilder, &toolCount); err != nil {
-		logger.LogError(c, "error processing tokens: "+err.Error())
-	}
-
 	if !containStreamUsage {
 		usage = service.ResponseText2Usage(c, responseTextBuilder.String(), info.UpstreamModelName, info.GetEstimatePromptTokens())
 		usage.CompletionTokens += toolCount * 7
@@ -1,7 +1,6 @@
 package relay

 import (
-	"bytes"
 	"io"
 	"net/http"
 	"strings"
@@ -125,7 +124,14 @@ func chatCompletionsViaResponses(c *gin.Context, info *relaycommon.RelayInfo, ad
 		return nil, types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
 	}

-	var requestBody io.Reader = bytes.NewBuffer(jsonData)
+	body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+	if err != nil {
+		return nil, types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+	}
+	defer closer.Close()
+	jsonData = nil
+	info.UpstreamRequestBodySize = size
+	var requestBody io.Reader = body

 	var httpResp *http.Response
 	resp, err := adaptor.DoRequest(c, info, requestBody)
@@ -1,7 +1,6 @@
 package relay

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -179,7 +178,14 @@ func ClaudeHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *typ
 		}

 		logger.LogDebug(c, "requestBody: %s", jsonData)
-		requestBody = bytes.NewBuffer(jsonData)
+		body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+		if err != nil {
+			return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+		}
+		defer closer.Close()
+		jsonData = nil
+		info.UpstreamRequestBodySize = size
+		requestBody = body
 	}

 	statusCodeMappingStr := c.GetString("status_code_mapping")
@@ -0,0 +1,31 @@
+package common
+
+import (
+	"io"
+
+	"github.com/QuantumNous/new-api/common"
+)
+
+// NewOutboundJSONBody wraps the already-marshaled upstream request body into a
+// BodyStorage. When disk cache is enabled and the payload exceeds the configured
+// threshold, the data is written to a temp file and the original []byte can be
+// GC'd, significantly reducing the heap residency while waiting for the
+// upstream provider to respond (the dominant cost for large base64 payloads).
+//
+// In memory mode the underlying memoryStorage reuses the same backing array,
+// so this is equivalent to bytes.NewReader(data) in terms of memory usage.
+//
+// The caller MUST invoke closer.Close() once the upstream call has finished
+// (typically via defer) to release the disk file / memory accounting.
+//
+// The returned reader is wrapped with common.ReaderOnly to prevent the HTTP
+// transport from prematurely closing the underlying BodyStorage. The returned
+// size is meant to be propagated to http.Request.ContentLength because the
+// type-erased io.Reader prevents net/http from auto-detecting it.
+func NewOutboundJSONBody(data []byte) (body io.Reader, size int64, closer io.Closer, err error) {
+	storage, err := common.CreateBodyStorage(data)
+	if err != nil {
+		return nil, 0, nil, err
+	}
+	return common.ReaderOnly(storage), storage.Size(), storage, nil
+}
@@ -26,13 +26,20 @@ const (

 var errSourceHeaderNotFound = errors.New("source header does not exist")

-var paramOverrideKeyAuditPaths = map[string]struct{}{
-	"model":          {},
-	"original_model": {},
-	"upstream_model": {},
-	"service_tier":   {},
-	"inference_geo":  {},
-	"speed":          {},
+var paramOverrideSensitivePathPrefixes = []string{
+	"model",
+	"original_model",
+	"upstream_model",
+	"service_tier",
+	"inference_geo",
+	"speed",
+	"messages",
+	"input",
+	"instructions",
+	"system",
+	"contents",
+	"systemInstruction",
+	"system_instruction",
 }

 type paramOverrideAuditRecorder struct {
@@ -146,9 +153,8 @@ func ApplyParamOverride(jsonData []byte, paramOverride map[string]interface{}, c
 			}
 		}

-		// 使用新方法
-		result, err := applyOperations(string(workingJSON), operations, conditionContext)
-		return []byte(result), err
+		// 使用新方法（基于 []byte，避免整包 string 拷贝）
+		return applyOperations(workingJSON, operations, conditionContext)
 	}

 	// 直接使用旧方法
@@ -206,6 +212,7 @@ func shouldEnableParamOverrideAudit(paramOverride map[string]interface{}) bool {
 	if operations, ok := tryParseOperations(paramOverride); ok {
 		for _, operation := range operations {
 			if shouldAuditParamPath(strings.TrimSpace(operation.Path)) ||
+				shouldAuditParamPath(strings.TrimSpace(operation.From)) ||
 				shouldAuditParamPath(strings.TrimSpace(operation.To)) {
 				return true
 			}
@@ -255,15 +262,19 @@ func shouldAuditParamPath(path string) bool {
 	if common.DebugEnabled {
 		return true
 	}
-	_, ok := paramOverrideKeyAuditPaths[path]
-	return ok
+	for _, prefix := range paramOverrideSensitivePathPrefixes {
+		if path == prefix || strings.HasPrefix(path, prefix+".") {
+			return true
+		}
+	}
+	return false
 }

 func shouldAuditOperation(mode, path, from, to string) bool {
 	if common.DebugEnabled {
 		return true
 	}
-	for _, candidate := range []string{path, to} {
+	for _, candidate := range []string{path, from, to} {
 		if shouldAuditParamPath(candidate) {
 			return true
 		}
@@ -498,13 +509,13 @@ func tryParseOperations(paramOverride map[string]interface{}) ([]ParamOperation,
 	return operations, true
 }

-func checkConditions(jsonStr, contextJSON string, conditions []ConditionOperation, logic string) (bool, error) {
+func checkConditions(data []byte, contextJSON string, conditions []ConditionOperation, logic string) (bool, error) {
 	if len(conditions) == 0 {
 		return true, nil // 没有条件，直接通过
 	}
 	results := make([]bool, len(conditions))
 	for i, condition := range conditions {
-		result, err := checkSingleCondition(jsonStr, contextJSON, condition)
+		result, err := checkSingleCondition(data, contextJSON, condition)
 		if err != nil {
 			return false, err
 		}
@@ -517,10 +528,10 @@ func checkConditions(jsonStr, contextJSON string, conditions []ConditionOperatio
 	return lo.SomeBy(results, func(item bool) bool { return item }), nil
 }

-func checkSingleCondition(jsonStr, contextJSON string, condition ConditionOperation) (bool, error) {
+func checkSingleCondition(data []byte, contextJSON string, condition ConditionOperation) (bool, error) {
 	// 处理负数索引
-	path := processNegativeIndex(jsonStr, condition.Path)
-	value := gjson.Get(jsonStr, path)
+	path := processNegativeIndex(data, condition.Path)
+	value := gjson.GetBytes(data, path)
 	if !value.Exists() && contextJSON != "" {
 		value = gjson.Get(contextJSON, condition.Path)
 	}
@@ -549,7 +560,7 @@ func checkSingleCondition(jsonStr, contextJSON string, condition ConditionOperat
 	return result, nil
 }

-func processNegativeIndex(jsonStr string, path string) string {
+func processNegativeIndex(data []byte, path string) string {
 	matches := negativeIndexRegexp.FindAllStringSubmatch(path, -1)

 	if len(matches) == 0 {
@@ -566,7 +577,7 @@ func processNegativeIndex(jsonStr string, path string) string {
 			arrayPath = arrayPath[:len(arrayPath)-1]
 		}

-		array := gjson.Get(jsonStr, arrayPath)
+		array := gjson.GetBytes(data, arrayPath)
 		if array.IsArray() {
 			length := len(array.Array())
 			actualIndex := length + index
@@ -655,36 +666,76 @@ func compareNumeric(jsonValue, targetValue gjson.Result, operator string) (bool,
 	}
 }

-// applyOperationsLegacy 原参数覆盖方法
+// applyOperationsLegacy 原参数覆盖方法。
+//
+// 旧实现把整个 jsonData unmarshal 成 map[string]interface{} 再 marshal 回来，
+// 对包含大 base64 字段（如 Gemini inlineData.data）的请求会放大数倍内存
+// （interface 装箱、map bucket、再次 marshal）。
+// 这里改成在 []byte 上直接调用 sjson.SetBytes，按顶层 key 逐个写入，
+// 不再把 payload 解码到 map[string]interface{}。
+//
+// 语义保持：每个 paramOverride 顶层 key 视为字面 key（不解析点号路径），
+// 与旧的 reqMap[key] = value 一致。包含 `.` `*` `?` `\` 的 key 会被转义，
+// 防止被 sjson 当作嵌套路径或通配符。
 func applyOperationsLegacy(jsonData []byte, paramOverride map[string]interface{}, auditRecorder *paramOverrideAuditRecorder) ([]byte, error) {
-	reqMap := make(map[string]interface{})
-	err := common.Unmarshal(jsonData, &reqMap)
-	if err != nil {
-		return nil, err
+	if len(paramOverride) == 0 {
+		return jsonData, nil
 	}

+	result := jsonData
 	for key, value := range paramOverride {
-		reqMap[key] = value
+		escaped := escapeSjsonLiteralKey(key)
+		next, err := sjson.SetBytes(result, escaped, value)
+		if err != nil {
+			return nil, err
+		}
+		result = next
 		auditRecorder.recordOperation("set", key, "", "", value)
 	}

-	return common.Marshal(reqMap)
+	return result, nil
 }

-func applyOperations(jsonStr string, operations []ParamOperation, conditionContext map[string]interface{}) (string, error) {
+// escapeSjsonLiteralKey 把可能被 sjson 误判为路径或通配符的字符转义，
+// 用于把字面 key 安全地传给 sjson.SetBytes / sjson.DeleteBytes。
+func escapeSjsonLiteralKey(key string) string {
+	if !strings.ContainsAny(key, ".*?\\") {
+		return key
+	}
+	var sb strings.Builder
+	sb.Grow(len(key) + 4)
+	for i := 0; i < len(key); i++ {
+		c := key[i]
+		switch c {
+		case '.', '*', '?', '\\':
+			sb.WriteByte('\\')
+		}
+		sb.WriteByte(c)
+	}
+	return sb.String()
+}
+
+// applyOperations 在 []byte 上原地应用所有 param override 操作。
+//
+// 旧实现走 string-based gjson/sjson，在 ApplyParamOverride 入口会做
+// string(jsonData) 与最终 []byte(result) 各一次整包拷贝，对大 base64
+// payload 来说每次重试都额外多花 2 倍 body 体积的临时内存。
+// 这里改成全程在 []byte 上工作，sjson.SetBytes / gjson.GetBytes 都是
+// 直接读写 []byte，每个操作只会产生一份新 buffer。
+func applyOperations(jsonData []byte, operations []ParamOperation, conditionContext map[string]interface{}) ([]byte, error) {
 	context := ensureContextMap(conditionContext)
 	auditRecorder := getParamOverrideAuditRecorder(context)
 	contextJSON, err := marshalContextJSON(context)
 	if err != nil {
-		return "", fmt.Errorf("failed to marshal condition context: %v", err)
+		return nil, fmt.Errorf("failed to marshal condition context: %v", err)
 	}

-	result := jsonStr
+	result := jsonData
 	for _, op := range operations {
 		// 检查条件是否满足
 		ok, err := checkConditions(result, contextJSON, op.Conditions, op.Logic)
 		if err != nil {
-			return "", err
+			return nil, err
 		}
 		if !ok {
 			continue // 条件不满足，跳过当前操作
@@ -695,7 +746,7 @@ func applyOperations(jsonStr string, operations []ParamOperation, conditionConte
 		if isPathBasedOperation(op.Mode) {
 			opPaths, err = resolveOperationPaths(result, opPath)
 			if err != nil {
-				return "", err
+				return nil, err
 			}
 			if len(opPaths) == 0 {
 				continue
@@ -713,10 +764,10 @@ func applyOperations(jsonStr string, operations []ParamOperation, conditionConte
 			}
 		case "set":
 			for _, path := range opPaths {
-				if op.KeepOrigin && gjson.Get(result, path).Exists() {
+				if op.KeepOrigin && gjson.GetBytes(result, path).Exists() {
 					continue
 				}
-				result, err = sjson.Set(result, path, op.Value)
+				result, err = sjson.SetBytes(result, path, op.Value)
 				if err != nil {
 					break
 				}
@@ -731,7 +782,7 @@ func applyOperations(jsonStr string, operations []ParamOperation, conditionConte
 			}
 		case "copy":
 			if op.From == "" || op.To == "" {
-				return "", fmt.Errorf("copy from/to is required")
+				return nil, fmt.Errorf("copy from/to is required")
 			}
 			opFrom := processNegativeIndex(result, op.From)
 			opTo := processNegativeIndex(result, op.To)
@@ -831,9 +882,9 @@ func applyOperations(jsonStr string, operations []ParamOperation, conditionConte
 			auditRecorder.recordOperation("return_error", op.Path, "", "", op.Value)
 			returnErr, parseErr := parseParamOverrideReturnError(op.Value)
 			if parseErr != nil {
-				return "", parseErr
+				return nil, parseErr
 			}
-			return "", returnErr
+			return nil, returnErr
 		case "prune_objects":
 			for _, path := range opPaths {
 				result, err = pruneObjects(result, path, contextJSON, op.Value)
@@ -890,7 +941,7 @@ func applyOperations(jsonStr string, operations []ParamOperation, conditionConte
 		case "pass_headers":
 			headerNames, parseErr := parseHeaderPassThroughNames(op.Value)
 			if parseErr != nil {
-				return "", parseErr
+				return nil, parseErr
 			}
 			for _, headerName := range headerNames {
 				if err = copyHeaderInContext(context, headerName, headerName, op.KeepOrigin); err != nil {
@@ -912,10 +963,10 @@ func applyOperations(jsonStr string, operations []ParamOperation, conditionConte
 				contextJSON, err = marshalContextJSON(context)
 			}
 		default:
-			return "", fmt.Errorf("unknown operation: %s", op.Mode)
+			return nil, fmt.Errorf("unknown operation: %s", op.Mode)
 		}
 		if err != nil {
-			return "", fmt.Errorf("operation %s failed: %w", op.Mode, err)
+			return nil, fmt.Errorf("operation %s failed: %w", op.Mode, err)
 		}
 	}
 	return result, nil
@@ -1349,11 +1400,11 @@ func parseSyncTarget(spec string) (syncTarget, error) {
 	}
 }

-func readSyncTargetValue(jsonStr string, context map[string]interface{}, target syncTarget) (interface{}, bool, error) {
+func readSyncTargetValue(data []byte, context map[string]interface{}, target syncTarget) (interface{}, bool, error) {
 	switch target.kind {
 	case "json":
-		path := processNegativeIndex(jsonStr, target.key)
-		value := gjson.Get(jsonStr, path)
+		path := processNegativeIndex(data, target.key)
+		value := gjson.GetBytes(data, path)
 		if !value.Exists() || value.Type == gjson.Null {
 			return nil, false, nil
 		}
@@ -1372,52 +1423,52 @@ func readSyncTargetValue(jsonStr string, context map[string]interface{}, target
 	}
 }

-func writeSyncTargetValue(jsonStr string, context map[string]interface{}, target syncTarget, value interface{}) (string, error) {
+func writeSyncTargetValue(data []byte, context map[string]interface{}, target syncTarget, value interface{}) ([]byte, error) {
 	switch target.kind {
 	case "json":
-		path := processNegativeIndex(jsonStr, target.key)
-		nextJSON, err := sjson.Set(jsonStr, path, value)
+		path := processNegativeIndex(data, target.key)
+		nextJSON, err := sjson.SetBytes(data, path, value)
 		if err != nil {
-			return "", err
+			return nil, err
 		}
 		return nextJSON, nil
 	case "header":
 		if err := setHeaderOverrideInContext(context, target.key, value, false); err != nil {
-			return "", err
+			return nil, err
 		}
-		return jsonStr, nil
+		return data, nil
 	default:
-		return "", fmt.Errorf("unsupported sync_fields target kind: %s", target.kind)
+		return nil, fmt.Errorf("unsupported sync_fields target kind: %s", target.kind)
 	}
 }

-func syncFieldsBetweenTargets(jsonStr string, context map[string]interface{}, fromSpec string, toSpec string) (string, error) {
+func syncFieldsBetweenTargets(data []byte, context map[string]interface{}, fromSpec string, toSpec string) ([]byte, error) {
 	fromTarget, err := parseSyncTarget(fromSpec)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	toTarget, err := parseSyncTarget(toSpec)
 	if err != nil {
-		return "", err
+		return nil, err
 	}

-	fromValue, fromExists, err := readSyncTargetValue(jsonStr, context, fromTarget)
+	fromValue, fromExists, err := readSyncTargetValue(data, context, fromTarget)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
-	toValue, toExists, err := readSyncTargetValue(jsonStr, context, toTarget)
+	toValue, toExists, err := readSyncTargetValue(data, context, toTarget)
 	if err != nil {
-		return "", err
+		return nil, err
 	}

 	// If one side exists and the other side is missing, sync the missing side.
 	if fromExists && !toExists {
-		return writeSyncTargetValue(jsonStr, context, toTarget, fromValue)
+		return writeSyncTargetValue(data, context, toTarget, fromValue)
 	}
 	if toExists && !fromExists {
-		return writeSyncTargetValue(jsonStr, context, fromTarget, toValue)
+		return writeSyncTargetValue(data, context, fromTarget, toValue)
 	}
-	return jsonStr, nil
+	return data, nil
 }

 func ensureMapKeyInContext(context map[string]interface{}, key string) map[string]interface{} {
@@ -1491,24 +1542,24 @@ func syncRuntimeHeaderOverrideFromContext(info *RelayInfo, context map[string]in
 	info.UseRuntimeHeadersOverride = true
 }

-func moveValue(jsonStr, fromPath, toPath string) (string, error) {
-	sourceValue := gjson.Get(jsonStr, fromPath)
+func moveValue(data []byte, fromPath, toPath string) ([]byte, error) {
+	sourceValue := gjson.GetBytes(data, fromPath)
 	if !sourceValue.Exists() {
-		return jsonStr, fmt.Errorf("source path does not exist: %s", fromPath)
+		return data, fmt.Errorf("source path does not exist: %s", fromPath)
 	}
-	result, err := sjson.Set(jsonStr, toPath, sourceValue.Value())
+	result, err := sjson.SetBytes(data, toPath, sourceValue.Value())
 	if err != nil {
-		return "", err
+		return nil, err
 	}
-	return sjson.Delete(result, fromPath)
+	return sjson.DeleteBytes(result, fromPath)
 }

-func copyValue(jsonStr, fromPath, toPath string) (string, error) {
-	sourceValue := gjson.Get(jsonStr, fromPath)
+func copyValue(data []byte, fromPath, toPath string) ([]byte, error) {
+	sourceValue := gjson.GetBytes(data, fromPath)
 	if !sourceValue.Exists() {
-		return jsonStr, fmt.Errorf("source path does not exist: %s", fromPath)
+		return data, fmt.Errorf("source path does not exist: %s", fromPath)
 	}
-	return sjson.Set(jsonStr, toPath, sourceValue.Value())
+	return sjson.SetBytes(data, toPath, sourceValue.Value())
 }

 func isPathBasedOperation(mode string) bool {
@@ -1520,16 +1571,16 @@ func isPathBasedOperation(mode string) bool {
 	}
 }

-func resolveOperationPaths(jsonStr, path string) ([]string, error) {
+func resolveOperationPaths(data []byte, path string) ([]string, error) {
 	if !strings.Contains(path, "*") {
 		return []string{path}, nil
 	}
-	return expandWildcardPaths(jsonStr, path)
+	return expandWildcardPaths(data, path)
 }

-func expandWildcardPaths(jsonStr, path string) ([]string, error) {
+func expandWildcardPaths(data []byte, path string) ([]string, error) {
 	var root interface{}
-	if err := common.Unmarshal([]byte(jsonStr), &root); err != nil {
+	if err := common.Unmarshal(data, &root); err != nil {
 		return nil, err
 	}

@@ -1590,28 +1641,28 @@ func collectWildcardPaths(node interface{}, segments []string, prefix []string)
 	}
 }

-func deleteValue(jsonStr, path string) (string, error) {
+func deleteValue(data []byte, path string) ([]byte, error) {
 	if strings.TrimSpace(path) == "" {
-		return jsonStr, nil
+		return data, nil
 	}
-	return sjson.Delete(jsonStr, path)
+	return sjson.DeleteBytes(data, path)
 }

-func modifyValue(jsonStr, path string, value interface{}, keepOrigin, isPrepend bool) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func modifyValue(data []byte, path string, value interface{}, keepOrigin, isPrepend bool) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	switch {
 	case current.IsArray():
-		return modifyArray(jsonStr, path, value, isPrepend)
+		return modifyArray(data, path, value, isPrepend)
 	case current.Type == gjson.String:
-		return modifyString(jsonStr, path, value, isPrepend)
+		return modifyString(data, path, value, isPrepend)
 	case current.Type == gjson.JSON:
-		return mergeObjects(jsonStr, path, value, keepOrigin)
+		return mergeObjects(data, path, value, keepOrigin)
 	}
-	return jsonStr, fmt.Errorf("operation not supported for type: %v", current.Type)
+	return data, fmt.Errorf("operation not supported for type: %v", current.Type)
 }

-func modifyArray(jsonStr, path string, value interface{}, isPrepend bool) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func modifyArray(data []byte, path string, value interface{}, isPrepend bool) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	var newArray []interface{}
 	// 添加新值
 	addValue := func() {
@@ -1635,11 +1686,11 @@ func modifyArray(jsonStr, path string, value interface{}, isPrepend bool) (strin
 		addOriginal()
 		addValue()
 	}
-	return sjson.Set(jsonStr, path, newArray)
+	return sjson.SetBytes(data, path, newArray)
 }

-func modifyString(jsonStr, path string, value interface{}, isPrepend bool) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func modifyString(data []byte, path string, value interface{}, isPrepend bool) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	valueStr := fmt.Sprintf("%v", value)
 	var newStr string
 	if isPrepend {
@@ -1647,17 +1698,17 @@ func modifyString(jsonStr, path string, value interface{}, isPrepend bool) (stri
 	} else {
 		newStr = current.String() + valueStr
 	}
-	return sjson.Set(jsonStr, path, newStr)
+	return sjson.SetBytes(data, path, newStr)
 }

-func trimStringValue(jsonStr, path string, value interface{}, isPrefix bool) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func trimStringValue(data []byte, path string, value interface{}, isPrefix bool) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	if current.Type != gjson.String {
-		return jsonStr, fmt.Errorf("operation not supported for type: %v", current.Type)
+		return data, fmt.Errorf("operation not supported for type: %v", current.Type)
 	}

 	if value == nil {
-		return jsonStr, fmt.Errorf("trim value is required")
+		return data, fmt.Errorf("trim value is required")
 	}
 	valueStr := fmt.Sprintf("%v", value)

@@ -1667,69 +1718,69 @@ func trimStringValue(jsonStr, path string, value interface{}, isPrefix bool) (st
 	} else {
 		newStr = strings.TrimSuffix(current.String(), valueStr)
 	}
-	return sjson.Set(jsonStr, path, newStr)
+	return sjson.SetBytes(data, path, newStr)
 }

-func ensureStringAffix(jsonStr, path string, value interface{}, isPrefix bool) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func ensureStringAffix(data []byte, path string, value interface{}, isPrefix bool) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	if current.Type != gjson.String {
-		return jsonStr, fmt.Errorf("operation not supported for type: %v", current.Type)
+		return data, fmt.Errorf("operation not supported for type: %v", current.Type)
 	}

 	if value == nil {
-		return jsonStr, fmt.Errorf("ensure value is required")
+		return data, fmt.Errorf("ensure value is required")
 	}
 	valueStr := fmt.Sprintf("%v", value)
 	if valueStr == "" {
-		return jsonStr, fmt.Errorf("ensure value is required")
+		return data, fmt.Errorf("ensure value is required")
 	}

 	currentStr := current.String()
 	if isPrefix {
 		if strings.HasPrefix(currentStr, valueStr) {
-			return jsonStr, nil
+			return data, nil
 		}
-		return sjson.Set(jsonStr, path, valueStr+currentStr)
+		return sjson.SetBytes(data, path, valueStr+currentStr)
 	}

 	if strings.HasSuffix(currentStr, valueStr) {
-		return jsonStr, nil
+		return data, nil
 	}
-	return sjson.Set(jsonStr, path, currentStr+valueStr)
+	return sjson.SetBytes(data, path, currentStr+valueStr)
 }

-func transformStringValue(jsonStr, path string, transform func(string) string) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func transformStringValue(data []byte, path string, transform func(string) string) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	if current.Type != gjson.String {
-		return jsonStr, fmt.Errorf("operation not supported for type: %v", current.Type)
+		return data, fmt.Errorf("operation not supported for type: %v", current.Type)
 	}
-	return sjson.Set(jsonStr, path, transform(current.String()))
+	return sjson.SetBytes(data, path, transform(current.String()))
 }

-func replaceStringValue(jsonStr, path, from, to string) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func replaceStringValue(data []byte, path, from, to string) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	if current.Type != gjson.String {
-		return jsonStr, fmt.Errorf("operation not supported for type: %v", current.Type)
+		return data, fmt.Errorf("operation not supported for type: %v", current.Type)
 	}
 	if from == "" {
-		return jsonStr, fmt.Errorf("replace from is required")
+		return data, fmt.Errorf("replace from is required")
 	}
-	return sjson.Set(jsonStr, path, strings.ReplaceAll(current.String(), from, to))
+	return sjson.SetBytes(data, path, strings.ReplaceAll(current.String(), from, to))
 }

-func regexReplaceStringValue(jsonStr, path, pattern, replacement string) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func regexReplaceStringValue(data []byte, path, pattern, replacement string) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	if current.Type != gjson.String {
-		return jsonStr, fmt.Errorf("operation not supported for type: %v", current.Type)
+		return data, fmt.Errorf("operation not supported for type: %v", current.Type)
 	}
 	if pattern == "" {
-		return jsonStr, fmt.Errorf("regex pattern is required")
+		return data, fmt.Errorf("regex pattern is required")
 	}
 	re, err := regexp.Compile(pattern)
 	if err != nil {
-		return jsonStr, err
+		return data, err
 	}
-	return sjson.Set(jsonStr, path, re.ReplaceAllString(current.String(), replacement))
+	return sjson.SetBytes(data, path, re.ReplaceAllString(current.String(), replacement))
 }

 type pruneObjectsOptions struct {
@@ -1738,37 +1789,33 @@ type pruneObjectsOptions struct {
 	recursive  bool
 }

-func pruneObjects(jsonStr, path, contextJSON string, value interface{}) (string, error) {
+func pruneObjects(data []byte, path, contextJSON string, value interface{}) ([]byte, error) {
 	options, err := parsePruneObjectsOptions(value)
 	if err != nil {
-		return "", err
+		return nil, err
 	}

 	if path == "" {
 		var root interface{}
-		if err := common.Unmarshal([]byte(jsonStr), &root); err != nil {
-			return "", err
+		if err := common.Unmarshal(data, &root); err != nil {
+			return nil, err
 		}
 		cleaned, _, err := pruneObjectsNode(root, options, contextJSON, true)
 		if err != nil {
-			return "", err
+			return nil, err
 		}
-		cleanedBytes, err := common.Marshal(cleaned)
-		if err != nil {
-			return "", err
-		}
-		return string(cleanedBytes), nil
+		return common.Marshal(cleaned)
 	}

-	target := gjson.Get(jsonStr, path)
+	target := gjson.GetBytes(data, path)
 	if !target.Exists() {
-		return jsonStr, nil
+		return data, nil
 	}

 	var targetNode interface{}
 	if target.Type == gjson.JSON {
-		if err := common.Unmarshal([]byte(target.Raw), &targetNode); err != nil {
-			return "", err
+		if err := common.UnmarshalJsonStr(target.Raw, &targetNode); err != nil {
+			return nil, err
 		}
 	} else {
 		targetNode = target.Value()
@@ -1776,13 +1823,13 @@ func pruneObjects(jsonStr, path, contextJSON string, value interface{}) (string,

 	cleaned, _, err := pruneObjectsNode(targetNode, options, contextJSON, true)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	cleanedBytes, err := common.Marshal(cleaned)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
-	return sjson.SetRaw(jsonStr, path, string(cleanedBytes))
+	return sjson.SetRawBytes(data, path, cleanedBytes)
 }

 func parsePruneObjectsOptions(value interface{}) (pruneObjectsOptions, error) {
@@ -1958,16 +2005,16 @@ func shouldPruneObject(node map[string]interface{}, options pruneObjectsOptions,
 	if err != nil {
 		return false, err
 	}
-	return checkConditions(string(nodeBytes), contextJSON, options.conditions, options.logic)
+	return checkConditions(nodeBytes, contextJSON, options.conditions, options.logic)
 }

-func mergeObjects(jsonStr, path string, value interface{}, keepOrigin bool) (string, error) {
-	current := gjson.Get(jsonStr, path)
+func mergeObjects(data []byte, path string, value interface{}, keepOrigin bool) ([]byte, error) {
+	current := gjson.GetBytes(data, path)
 	var currentMap, newMap map[string]interface{}

-	// 解析当前值
-	if err := common.Unmarshal([]byte(current.Raw), &currentMap); err != nil {
-		return "", err
+	// 解析当前值（current.Raw 是 data 的子串，避免再分配一份）
+	if err := common.UnmarshalJsonStr(current.Raw, &currentMap); err != nil {
+		return nil, err
 	}
 	// 解析新值
 	switch v := value.(type) {
@@ -1976,7 +2023,7 @@ func mergeObjects(jsonStr, path string, value interface{}, keepOrigin bool) (str
 	default:
 		jsonBytes, _ := common.Marshal(v)
 		if err := common.Unmarshal(jsonBytes, &newMap); err != nil {
-			return "", err
+			return nil, err
 		}
 	}
 	// 合并
@@ -1989,7 +2036,7 @@ func mergeObjects(jsonStr, path string, value interface{}, keepOrigin bool) (str
 			result[k] = v
 		}
 	}
-	return sjson.Set(jsonStr, path, result)
+	return sjson.SetBytes(data, path, result)
 }

 // BuildParamOverrideContext 提供 ApplyParamOverride 可用的上下文信息。
@@ -12,6 +12,7 @@ import (
 	"github.com/QuantumNous/new-api/dto"
 	"github.com/QuantumNous/new-api/setting/model_setting"
 	"github.com/samber/lo"
+	"github.com/stretchr/testify/require"
 )

 func TestApplyParamOverrideTrimPrefix(t *testing.T) {
@@ -2053,6 +2054,17 @@ func TestRemoveDisabledFieldsDefaultFiltering(t *testing.T) {
 	assertJSONEqual(t, `{"cache_control":{"type":"ephemeral"},"store":true}`, string(out))
 }

+func TestRemoveDisabledFieldsNoControlledFieldsKeepsBody(t *testing.T) {
+	input := `{"model":"gpt-4o","messages":[{"role":"user","content":"hi"}]}`
+	settings := dto.ChannelOtherSettings{}
+
+	out, err := RemoveDisabledFields([]byte(input), settings, false)
+	if err != nil {
+		t.Fatalf("RemoveDisabledFields returned error: %v", err)
+	}
+	require.Equal(t, input, string(out))
+}
+
 func TestRemoveDisabledFieldsAllowInferenceGeo(t *testing.T) {
 	input := `{
 		"inference_geo":"eu",
@@ -2184,6 +2196,95 @@ func TestApplyParamOverrideWithRelayInfoRecordsOnlyKeyOperationsWhenDebugDisable
 	}
 }

+func TestApplyParamOverrideWithRelayInfoRecordsConversationBodyOperationsWhenDebugDisabled(t *testing.T) {
+	originalDebugEnabled := common2.DebugEnabled
+	common2.DebugEnabled = false
+	t.Cleanup(func() {
+		common2.DebugEnabled = originalDebugEnabled
+	})
+
+	info := &RelayInfo{
+		ChannelMeta: &ChannelMeta{
+			ParamOverride: map[string]interface{}{
+				"operations": []interface{}{
+					map[string]interface{}{
+						"mode": "replace",
+						"path": "messages.0.content",
+						"from": "hello",
+						"to":   "hi",
+					},
+					map[string]interface{}{
+						"mode":  "set",
+						"path":  "input.0.content.0.text",
+						"value": "rewritten response input",
+					},
+					map[string]interface{}{
+						"mode":  "set",
+						"path":  "instructions",
+						"value": "new instruction",
+					},
+					map[string]interface{}{
+						"mode":  "append",
+						"path":  "contents.0.parts",
+						"value": map[string]interface{}{"text": "new gemini part"},
+					},
+					map[string]interface{}{
+						"mode": "copy",
+						"from": "system",
+						"to":   "metadata.system_copy",
+					},
+					map[string]interface{}{
+						"mode":  "set",
+						"path":  "temperature",
+						"value": 0.1,
+					},
+				},
+			},
+		},
+	}
+
+	out, err := ApplyParamOverrideWithRelayInfo([]byte(`{
+		"messages":[{"role":"user","content":"hello world"}],
+		"input":[{"role":"user","content":[{"type":"input_text","text":"original response input"}]}],
+		"instructions":"old instruction",
+		"system":"old system",
+		"contents":[{"role":"user","parts":[{"text":"hello gemini"}]}],
+		"temperature":0.7
+	}`), info)
+	require.NoError(t, err)
+	assertJSONEqual(t, `{
+		"messages":[{"role":"user","content":"hi world"}],
+		"input":[{"role":"user","content":[{"type":"input_text","text":"rewritten response input"}]}],
+		"instructions":"new instruction",
+		"system":"old system",
+		"contents":[{"role":"user","parts":[{"text":"hello gemini"},{"text":"new gemini part"}]}],
+		"temperature":0.1,
+		"metadata":{"system_copy":"old system"}
+	}`, string(out))
+
+	require.Equal(t, []string{
+		"replace messages.0.content from hello to hi",
+		"set input.0.content.0.text = rewritten response input",
+		"set instructions = new instruction",
+		"append contents.0.parts with {\"text\":\"new gemini part\"}",
+		"copy system -> metadata.system_copy",
+	}, info.ParamOverrideAudit)
+}
+
+func TestShouldAuditParamPathUsesFieldBoundaryPrefixMatching(t *testing.T) {
+	originalDebugEnabled := common2.DebugEnabled
+	common2.DebugEnabled = false
+	t.Cleanup(func() {
+		common2.DebugEnabled = originalDebugEnabled
+	})
+
+	require.True(t, shouldAuditParamPath("messages"))
+	require.True(t, shouldAuditParamPath("messages.0.content"))
+	require.True(t, shouldAuditParamPath("systemInstruction.parts.0.text"))
+	require.False(t, shouldAuditParamPath("model_name"))
+	require.False(t, shouldAuditParamPath("message"))
+}
+
 func assertJSONEqual(t *testing.T, want, got string) {
 	t.Helper()

@@ -18,6 +18,7 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/websocket"
+	"github.com/tidwall/gjson"
 )

 type ThinkingContentInfo struct {
@@ -153,6 +154,13 @@ type RelayInfo struct {
 	UseRuntimeHeadersOverride             bool
 	ParamOverrideAudit                    []string

+	// UpstreamRequestBodySize is the byte size of the marshaled upstream request
+	// body. It is set when the body is wrapped in a BodyStorage (see
+	// relay/common/outbound_body.go), so that DoApiRequest can populate
+	// http.Request.ContentLength manually (net/http only auto-detects it for
+	// *bytes.Reader/Buffer/strings.Reader). 0 means "let net/http decide".
+	UpstreamRequestBodySize int64
+
 	PriceData types.PriceData

 	// TieredBillingSnapshot is a frozen snapshot of tiered billing rules
@@ -785,6 +793,9 @@ func RemoveDisabledFields(jsonData []byte, channelOtherSettings dto.ChannelOther
 	if model_setting.GetGlobalSettings().PassThroughRequestEnabled || channelPassThroughEnabled {
 		return jsonData, nil
 	}
+	if !hasRemovableDisabledField(jsonData, channelOtherSettings) {
+		return jsonData, nil
+	}

 	var data map[string]interface{}
 	if err := common.Unmarshal(jsonData, &data); err != nil {
@@ -851,6 +862,25 @@ func RemoveDisabledFields(jsonData []byte, channelOtherSettings dto.ChannelOther
 	return jsonDataAfter, nil
 }

+func hasRemovableDisabledField(jsonData []byte, channelOtherSettings dto.ChannelOtherSettings) bool {
+	values := gjson.GetManyBytes(
+		jsonData,
+		"service_tier",
+		"inference_geo",
+		"speed",
+		"store",
+		"safety_identifier",
+		"stream_options.include_obfuscation",
+	)
+
+	return (!channelOtherSettings.AllowServiceTier && values[0].Exists()) ||
+		(!channelOtherSettings.AllowInferenceGeo && values[1].Exists()) ||
+		(!channelOtherSettings.AllowSpeed && values[2].Exists()) ||
+		(channelOtherSettings.DisableStore && values[3].Exists()) ||
+		(!channelOtherSettings.AllowSafetyIdentifier && values[4].Exists()) ||
+		(!channelOtherSettings.AllowIncludeObfuscation && values[5].Exists())
+}
+
 // RemoveGeminiDisabledFields removes disabled fields from Gemini request JSON data
 // Currently supports removing functionResponse.id field which Vertex AI does not support
 func RemoveGeminiDisabledFields(jsonData []byte) ([]byte, error) {
@@ -1,7 +1,6 @@
 package relay

 import (
-	"bytes"
 	"fmt"
 	"io"
 	"net/http"
@@ -176,7 +175,14 @@ func TextHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *types

 		logger.LogDebug(c, "text request body: %s", jsonData)

-		requestBody = bytes.NewBuffer(jsonData)
+		body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+		if err != nil {
+			return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+		}
+		defer closer.Close()
+		jsonData = nil
+		info.UpstreamRequestBodySize = size
+		requestBody = body
 	}

 	var httpResp *http.Response
@@ -1,7 +1,6 @@
 package relay

 import (
-	"bytes"
 	"fmt"
 	"io"
 	"net/http"
@@ -59,7 +58,14 @@ func EmbeddingHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *
 	}

 	logger.LogDebug(c, "converted embedding request body: %s", jsonData)
-	var requestBody io.Reader = bytes.NewBuffer(jsonData)
+	body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+	if err != nil {
+		return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+	}
+	defer closer.Close()
+	jsonData = nil
+	info.UpstreamRequestBodySize = size
+	var requestBody io.Reader = body
 	statusCodeMappingStr := c.GetString("status_code_mapping")
 	resp, err := adaptor.DoRequest(c, info, requestBody)
 	if err != nil {
@@ -1,7 +1,6 @@
 package relay

 import (
-	"bytes"
 	"fmt"
 	"io"
 	"net/http"
@@ -165,7 +164,14 @@ func GeminiHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *typ

 		logger.LogDebug(c, "Gemini request body: %s", jsonData)

-		requestBody = bytes.NewReader(jsonData)
+		body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+		if err != nil {
+			return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+		}
+		defer closer.Close()
+		jsonData = nil
+		info.UpstreamRequestBodySize = size
+		requestBody = body
 	}

 	resp, err := adaptor.DoRequest(c, info, requestBody)
@@ -263,7 +269,14 @@ func GeminiEmbeddingHandler(c *gin.Context, info *relaycommon.RelayInfo) (newAPI
 		}
 	}
 	logger.LogDebug(c, "Gemini embedding request body: %s", jsonData)
-	requestBody = bytes.NewReader(jsonData)
+	body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+	if err != nil {
+		return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+	}
+	defer closer.Close()
+	jsonData = nil
+	info.UpstreamRequestBodySize = size
+	requestBody = body

 	resp, err := adaptor.DoRequest(c, info, requestBody)
 	if err != nil {
@@ -77,7 +77,14 @@ func ImageHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *type
 			}

 			logger.LogDebug(c, "image request body: %s", jsonData)
-			requestBody = bytes.NewBuffer(jsonData)
+			body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+			if err != nil {
+				return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+			}
+			defer closer.Close()
+			jsonData = nil
+			info.UpstreamRequestBodySize = size
+			requestBody = body
 		}
 	}

@@ -133,9 +140,9 @@ func ImageHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *type
 		usage.(*dto.Usage).PromptTokens = 1
 	}

-	quality := "standard"
-	if request.Quality == "hd" {
-		quality = "hd"
+	quality := request.Quality
+	if quality == "" {
+		quality = "standard"
 	}

 	var logContent []string
@@ -1,7 +1,6 @@
 package relay

 import (
-	"bytes"
 	"fmt"
 	"io"
 	"net/http"
@@ -69,7 +68,14 @@ func RerankHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *typ
 		}

 		logger.LogDebug(c, "Rerank request body: %s", jsonData)
-		requestBody = bytes.NewBuffer(jsonData)
+		body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+		if err != nil {
+			return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+		}
+		defer closer.Close()
+		jsonData = nil
+		info.UpstreamRequestBodySize = size
+		requestBody = body
 	}

 	resp, err := adaptor.DoRequest(c, info, requestBody)
@@ -1,7 +1,6 @@
 package relay

 import (
-	"bytes"
 	"fmt"
 	"io"
 	"net/http"
@@ -104,7 +103,14 @@ func ResponsesHelper(c *gin.Context, info *relaycommon.RelayInfo) (newAPIError *
 		}

 		logger.LogDebug(c, "requestBody: %s", jsonData)
-		requestBody = bytes.NewBuffer(jsonData)
+		body, size, closer, err := relaycommon.NewOutboundJSONBody(jsonData)
+		if err != nil {
+			return types.NewError(err, types.ErrorCodeConvertRequestFailed, types.ErrOptionWithSkipRetry())
+		}
+		defer closer.Close()
+		jsonData = nil
+		info.UpstreamRequestBodySize = size
+		requestBody = body
 	}

 	var httpResp *http.Response
@@ -56,7 +56,9 @@ func SetApiRouter(router *gin.Engine) {
 		apiRouter.POST("/stripe/webhook", controller.StripeWebhook)
 		apiRouter.POST("/creem/webhook", controller.CreemWebhook)
 		apiRouter.POST("/waffo/webhook", controller.WaffoWebhook)
-		//apiRouter.POST("/waffo-pancake/webhook", controller.WaffoPancakeWebhook)
+		// :env separates test vs prod URLs so the operator can register each
+		// in Pancake's matching webhook slot; handler enforces env match.
+		apiRouter.POST("/waffo-pancake/webhook/:env", controller.WaffoPancakeWebhook)

 		// Universal secure verification routes
 		apiRouter.POST("/verify", middleware.UserAuth(), middleware.CriticalRateLimit(), controller.UniversalVerify)
@@ -100,8 +102,8 @@ func SetApiRouter(router *gin.Engine) {
 				selfRoute.POST("/creem/pay", middleware.CriticalRateLimit(), controller.RequestCreemPay)
 				selfRoute.POST("/waffo/amount", controller.RequestWaffoAmount)
 				selfRoute.POST("/waffo/pay", middleware.CriticalRateLimit(), controller.RequestWaffoPay)
-				//selfRoute.POST("/waffo-pancake/amount", controller.RequestWaffoPancakeAmount)
-				//selfRoute.POST("/waffo-pancake/pay", middleware.CriticalRateLimit(), controller.RequestWaffoPancakePay)
+				selfRoute.POST("/waffo-pancake/amount", controller.RequestWaffoPancakeAmount)
+				selfRoute.POST("/waffo-pancake/pay", middleware.CriticalRateLimit(), controller.RequestWaffoPancakePay)
 				selfRoute.POST("/aff_transfer", controller.TransferAffQuota)
 				selfRoute.PUT("/setting", controller.UpdateUserSetting)

@@ -151,9 +153,11 @@ func SetApiRouter(router *gin.Engine) {
 			subscriptionRoute.GET("/plans", controller.GetSubscriptionPlans)
 			subscriptionRoute.GET("/self", controller.GetSubscriptionSelf)
 			subscriptionRoute.PUT("/self/preference", controller.UpdateSubscriptionPreference)
+			subscriptionRoute.POST("/balance/pay", middleware.CriticalRateLimit(), controller.SubscriptionRequestBalancePay)
 			subscriptionRoute.POST("/epay/pay", middleware.CriticalRateLimit(), controller.SubscriptionRequestEpay)
 			subscriptionRoute.POST("/stripe/pay", middleware.CriticalRateLimit(), controller.SubscriptionRequestStripePay)
 			subscriptionRoute.POST("/creem/pay", middleware.CriticalRateLimit(), controller.SubscriptionRequestCreemPay)
+			subscriptionRoute.POST("/waffo-pancake/pay", middleware.CriticalRateLimit(), controller.SubscriptionRequestWaffoPancakePay)
 		}
 		subscriptionAdminRoute := apiRouter.Group("/subscription/admin")
 		subscriptionAdminRoute.Use(middleware.AdminAuth())
@@ -186,6 +190,11 @@ func SetApiRouter(router *gin.Engine) {
 			optionRoute.DELETE("/channel_affinity_cache", controller.ClearChannelAffinityCache)
 			optionRoute.POST("/rest_model_ratio", controller.ResetModelRatio)
 			optionRoute.POST("/migrate_console_setting", controller.MigrateConsoleSetting) // 用于迁移检测的旧键，下个版本会删除
+			optionRoute.POST("/waffo-pancake/catalog", controller.ListWaffoPancakeCatalog)
+			optionRoute.POST("/waffo-pancake/pair", controller.CreateWaffoPancakePair)
+			optionRoute.POST("/waffo-pancake/save", controller.SaveWaffoPancake)
+			optionRoute.POST("/waffo-pancake/subscription-product", controller.CreateWaffoPancakeSubscriptionProduct)
+			optionRoute.POST("/waffo-pancake/subscription-product-options", controller.ListWaffoPancakeSubscriptionProductOptions)
 		}

 		// Custom OAuth provider management (root only)
@@ -17,7 +17,7 @@ func formatNotifyType(channelId int, status int) string {

 // disable & notify
 func DisableChannel(channelError types.ChannelError, reason string) {
-	common.SysLog(fmt.Sprintf("通道「%s」（#%d）发生错误，准备禁用，原因：%s", channelError.ChannelName, channelError.ChannelId, reason))
+	common.SysLog(fmt.Sprintf("通道「%s」（#%d）发生错误，准备禁用，原因：%s", channelError.ChannelName, channelError.ChannelId, common.LocalLogPreview(reason)))

 	// 检查是否启用自动禁用功能
 	if !channelError.AutoBan {
@@ -92,11 +92,13 @@ func RelayErrorHandler(ctx context.Context, resp *http.Response, showBodyWhenFai
 	}
 	CloseResponseBodyGracefully(resp)
 	var errResponse dto.GeneralErrorResponse
+	responseBodyText := string(responseBody)
+	responseBodyPreview := common.LocalLogPreview(responseBodyText)
 	buildErrWithBody := func(message string) error {
 		if message == "" {
-			return fmt.Errorf("bad response status code %d, body: %s", resp.StatusCode, string(responseBody))
+			return fmt.Errorf("bad response status code %d, body: %s", resp.StatusCode, responseBodyText)
 		}
-		return fmt.Errorf("bad response status code %d, message: %s, body: %s", resp.StatusCode, message, string(responseBody))
+		return fmt.Errorf("bad response status code %d, message: %s, body: %s", resp.StatusCode, message, responseBodyText)
 	}

 	err = common.Unmarshal(responseBody, &errResponse)
@@ -104,7 +106,7 @@ func RelayErrorHandler(ctx context.Context, resp *http.Response, showBodyWhenFai
 		if showBodyWhenFail {
 			newApiErr.Err = buildErrWithBody("")
 		} else {
-			logger.LogError(ctx, fmt.Sprintf("bad response status code %d, body: %s", resp.StatusCode, string(responseBody)))
+			logger.LogError(ctx, fmt.Sprintf("bad response status code %d, body: %s", resp.StatusCode, responseBodyPreview))
 			newApiErr.Err = fmt.Errorf("bad response status code %d", resp.StatusCode)
 		}
 		return
@@ -1,9 +1,17 @@
 package service

 import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
 	"testing"

+	"github.com/QuantumNous/new-api/common"
 	"github.com/QuantumNous/new-api/types"
+	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/require"
 )

@@ -55,3 +63,99 @@ func TestResetStatusCode(t *testing.T) {
 		})
 	}
 }
+
+func TestRelayErrorHandlerTruncatesInvalidJSONBodyInLog(t *testing.T) {
+	withDebugEnabled(t, false)
+
+	body := strings.Repeat("b", common.LocalLogContentLimit+256)
+	var logBuffer bytes.Buffer
+
+	common.LogWriterMu.Lock()
+	oldWriter := gin.DefaultErrorWriter
+	gin.DefaultErrorWriter = &logBuffer
+	common.LogWriterMu.Unlock()
+	t.Cleanup(func() {
+		common.LogWriterMu.Lock()
+		gin.DefaultErrorWriter = oldWriter
+		common.LogWriterMu.Unlock()
+	})
+
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
+		Body:       io.NopCloser(strings.NewReader(body)),
+	}
+
+	newAPIError := RelayErrorHandler(context.Background(), resp, false)
+
+	require.NotNil(t, newAPIError)
+	require.Equal(t, "bad response status code 500", newAPIError.Error())
+	require.Contains(t, logBuffer.String(), "[truncated")
+	require.Contains(t, logBuffer.String(), fmt.Sprintf("original_length=%d", len(body)))
+	require.NotContains(t, logBuffer.String(), strings.Repeat("b", common.LocalLogContentLimit+1))
+}
+
+func TestRelayErrorHandlerKeepsStructuredErrorMessage(t *testing.T) {
+	message := strings.Repeat("c", common.LocalLogContentLimit+256)
+	body := `{"message":"` + message + `"}`
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
+		Body:       io.NopCloser(strings.NewReader(body)),
+	}
+
+	newAPIError := RelayErrorHandler(context.Background(), resp, false)
+
+	require.NotNil(t, newAPIError)
+	require.Equal(t, message, newAPIError.Error())
+}
+
+func TestRelayErrorHandlerKeepsOpenAIErrorMessage(t *testing.T) {
+	message := strings.Repeat("d", common.LocalLogContentLimit+256)
+	body := `{"error":{"message":"` + message + `","type":"server_error","code":"server_error"}}`
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
+		Body:       io.NopCloser(strings.NewReader(body)),
+	}
+
+	newAPIError := RelayErrorHandler(context.Background(), resp, false)
+
+	require.NotNil(t, newAPIError)
+	require.Equal(t, message, newAPIError.Error())
+}
+
+func TestRelayErrorHandlerKeepsInvalidJSONBodyInDebugLog(t *testing.T) {
+	withDebugEnabled(t, true)
+
+	body := strings.Repeat("e", common.LocalLogContentLimit+256)
+	var logBuffer bytes.Buffer
+
+	common.LogWriterMu.Lock()
+	oldWriter := gin.DefaultErrorWriter
+	gin.DefaultErrorWriter = &logBuffer
+	common.LogWriterMu.Unlock()
+	t.Cleanup(func() {
+		common.LogWriterMu.Lock()
+		gin.DefaultErrorWriter = oldWriter
+		common.LogWriterMu.Unlock()
+	})
+
+	resp := &http.Response{
+		StatusCode: http.StatusInternalServerError,
+		Body:       io.NopCloser(strings.NewReader(body)),
+	}
+
+	newAPIError := RelayErrorHandler(context.Background(), resp, false)
+
+	require.NotNil(t, newAPIError)
+	require.NotContains(t, logBuffer.String(), "[truncated")
+	require.Contains(t, logBuffer.String(), body)
+}
+
+func withDebugEnabled(t *testing.T, enabled bool) {
+	t.Helper()
+
+	oldDebug := common.DebugEnabled
+	common.DebugEnabled = enabled
+	t.Cleanup(func() {
+		common.DebugEnabled = oldDebug
+	})
+}
@@ -1,398 +1,483 @@
 package service

 import (
-	"bytes"
 	"context"
-	"crypto"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
 	"fmt"
-	"io"
-	"math"
-	"net/http"
-	"strconv"
 	"strings"
-	"time"

-	"github.com/QuantumNous/new-api/common"
-	"github.com/QuantumNous/new-api/dto"
 	"github.com/QuantumNous/new-api/model"
 	"github.com/QuantumNous/new-api/setting"
+	pancake "github.com/waffo-com/waffo-pancake-sdk-go"
 )

-const (
-	waffoPancakeAuthBaseURL      = "https://waffo-pancake-auth-service.vercel.app"
-	waffoPancakeCheckoutPath     = "/v1/actions/checkout/create-session"
-	waffoPancakeDefaultTolerance = 5 * time.Minute
-)
-
+// WaffoPancakePriceSnapshot is the per-session price override sent with checkout.
 type WaffoPancakePriceSnapshot struct {
-	Amount      string `json:"amount"`
-	TaxIncluded bool   `json:"taxIncluded"`
-	TaxCategory string `json:"taxCategory"`
+	Amount      string
+	TaxCategory string
 }

+// WaffoPancakeCreateSessionParams is the input to CreateWaffoPancakeCheckoutSession.
+// BuyerIdentity must be stable per user (see WaffoPancakeBuyerIdentityFromUserID).
+// OrderMerchantExternalID = our trade_no; Pancake echoes it back in webhooks.
 type WaffoPancakeCreateSessionParams struct {
-	StoreID          string                     `json:"storeId"`
-	ProductID        string                     `json:"productId"`
-	ProductType      string                     `json:"productType"`
-	Currency         string                     `json:"currency"`
-	PriceSnapshot    *WaffoPancakePriceSnapshot `json:"priceSnapshot,omitempty"`
-	BuyerEmail       string                     `json:"buyerEmail,omitempty"`
-	SuccessURL       string                     `json:"successUrl,omitempty"`
-	ExpiresInSeconds *int                       `json:"expiresInSeconds,omitempty"`
+	ProductID               string
+	BuyerIdentity           string
+	PriceSnapshot           *WaffoPancakePriceSnapshot
+	BuyerEmail              string
+	ExpiresInSeconds        *int
+	OrderMerchantExternalID string
 }

+// WaffoPancakeCheckoutSession is the response of CreateWaffoPancakeCheckoutSession.
+// CheckoutURL already carries the `#token=...` fragment; Token / TokenExpiresAt
+// are exposed separately for self-service flows driven from new-api's own UI.
 type WaffoPancakeCheckoutSession struct {
-	SessionID   string `json:"sessionId"`
-	CheckoutURL string `json:"checkoutUrl"`
-	ExpiresAt   string `json:"expiresAt"`
-	OrderID     string `json:"orderId"`
+	SessionID      string
+	CheckoutURL    string
+	ExpiresAt      string
+	OrderID        string
+	Token          string
+	TokenExpiresAt string
 }

-type waffoPancakeAPIError struct {
-	Message string `json:"message"`
-	Layer   string `json:"layer"`
+// WaffoPancakeWebhookEvent mirrors the SDK's WebhookEvent shape using plain
+// strings so controllers don't have to import the SDK package.
+type WaffoPancakeWebhookEvent struct {
+	ID        string
+	Timestamp string
+	EventType string
+	EventID   string
+	StoreID   string
+	Mode      string
+	Data      WaffoPancakeWebhookData
 }

-type waffoPancakeCreateSessionResponse struct {
-	Data   *WaffoPancakeCheckoutSession `json:"data"`
-	Errors []waffoPancakeAPIError       `json:"errors"`
+type WaffoPancakeWebhookData struct {
+	// OrderID = Pancake ORD_* (logs); OrderMerchantExternalID = our trade_no (lookup).
+	OrderID                       string
+	OrderMerchantExternalID       string
+	BuyerEmail                    string
+	Currency                      string
+	Amount                        string
+	TaxAmount                     string
+	ProductName                   string
+	MerchantProvidedBuyerIdentity string
 }

-type waffoPancakeWebhookData struct {
-	ID          string          `json:"id"`
-	OrderID     string          `json:"orderId"`
-	BuyerEmail  string          `json:"buyerEmail"`
-	Currency    string          `json:"currency"`
-	Amount      dto.StringValue `json:"amount"`
-	TaxAmount   dto.StringValue `json:"taxAmount"`
-	ProductName string          `json:"productName"`
-}
-
-type waffoPancakeWebhookEvent struct {
-	ID        string                  `json:"id"`
-	Timestamp string                  `json:"timestamp"`
-	EventType string                  `json:"eventType"`
-	EventID   string                  `json:"eventId"`
-	StoreID   string                  `json:"storeId"`
-	Mode      string                  `json:"mode"`
-	Data      waffoPancakeWebhookData `json:"data"`
-}
-
-func (e *waffoPancakeWebhookEvent) NormalizedEventType() string {
+// NormalizedEventType returns the event type or empty string for a nil event.
+func (e *WaffoPancakeWebhookEvent) NormalizedEventType() string {
 	if e == nil {
 		return ""
 	}
 	return e.EventType
 }

+// newWaffoPancakeClient builds an SDK client from persisted settings. The
+// runtime checkout / webhook paths use this; configuration endpoints use
+// newWaffoPancakeClientFromCreds so the operator can verify typed-but-not-
+// yet-saved credentials.
+func newWaffoPancakeClient() (*pancake.Client, error) {
+	return pancake.New(pancake.Config{
+		MerchantID: setting.WaffoPancakeMerchantID,
+		PrivateKey: setting.WaffoPancakePrivateKey,
+	})
+}
+
+func newWaffoPancakeClientFromCreds(merchantID, privateKey string) (*pancake.Client, error) {
+	if strings.TrimSpace(merchantID) == "" || strings.TrimSpace(privateKey) == "" {
+		return nil, fmt.Errorf("merchant id and private key are required")
+	}
+	return pancake.New(pancake.Config{
+		MerchantID: merchantID,
+		PrivateKey: privateKey,
+	})
+}
+
+// CreateWaffoPancakeCheckoutSession creates an Authenticated-mode checkout
+// session: the order is bound to BuyerIdentity (stable per user) so it stays
+// attributable even if the buyer edits the email on Waffo's checkout form.
 func CreateWaffoPancakeCheckoutSession(ctx context.Context, params *WaffoPancakeCreateSessionParams) (*WaffoPancakeCheckoutSession, error) {
 	if params == nil {
 		return nil, fmt.Errorf("missing checkout params")
 	}
-
-	body, err := common.Marshal(params)
+	if strings.TrimSpace(params.BuyerIdentity) == "" {
+		return nil, fmt.Errorf("missing buyer identity")
+	}
+	if strings.TrimSpace(params.OrderMerchantExternalID) == "" {
+		return nil, fmt.Errorf("missing order merchant external id")
+	}
+	client, err := newWaffoPancakeClient()
 	if err != nil {
-		return nil, fmt.Errorf("marshal Waffo Pancake checkout payload: %w", err)
+		return nil, fmt.Errorf("build Waffo Pancake client: %w", err)
 	}

-	privateKey, err := normalizeRSAPrivateKey(setting.WaffoPancakePrivateKey)
-	if err != nil {
-		return nil, err
+	sdkParams := pancake.AuthenticatedCheckoutParams{
+		CreateCheckoutSessionParams: pancake.CreateCheckoutSessionParams{
+			ProductID:               params.ProductID,
+			Currency:                "USD",
+			BuyerEmail:              optionalString(params.BuyerEmail),
+			ExpiresInSeconds:        params.ExpiresInSeconds,
+			OrderMerchantExternalID: optionalString(params.OrderMerchantExternalID),
+		},
+		BuyerIdentity: params.BuyerIdentity,
 	}
-
-	timestamp := strconv.FormatInt(time.Now().Unix(), 10)
-	signature, err := signWaffoPancakeRequest(http.MethodPost, waffoPancakeCheckoutPath, timestamp, string(body), privateKey)
-	if err != nil {
-		return nil, err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, waffoPancakeAuthBaseURL+waffoPancakeCheckoutPath, bytes.NewReader(body))
-	if err != nil {
-		return nil, fmt.Errorf("build Waffo Pancake checkout request: %w", err)
-	}
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("X-Merchant-Id", setting.WaffoPancakeMerchantID)
-	req.Header.Set("X-Timestamp", timestamp)
-	req.Header.Set("X-Signature", signature)
-	if setting.WaffoPancakeSandbox {
-		req.Header.Set("X-Environment", "test")
-	} else {
-		req.Header.Set("X-Environment", "prod")
-	}
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("request Waffo Pancake checkout session: %w", err)
-	}
-	defer resp.Body.Close()
-
-	responseBody, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("read Waffo Pancake checkout response: %w", err)
-	}
-
-	var result waffoPancakeCreateSessionResponse
-	if err := common.Unmarshal(responseBody, &result); err != nil {
-		return nil, fmt.Errorf("decode Waffo Pancake checkout response: %w", err)
-	}
-	if resp.StatusCode >= http.StatusBadRequest {
-		if len(result.Errors) > 0 {
-			return nil, fmt.Errorf("Waffo Pancake error (%d): %s", resp.StatusCode, result.Errors[0].Message)
+	if params.PriceSnapshot != nil {
+		sdkParams.PriceSnapshot = &pancake.PriceInfo{
+			Amount:      params.PriceSnapshot.Amount,
+			TaxCategory: pancake.TaxCategory(params.PriceSnapshot.TaxCategory),
 		}
-		return nil, fmt.Errorf("Waffo Pancake checkout request failed with status %d", resp.StatusCode)
 	}
-	if len(result.Errors) > 0 {
-		return nil, fmt.Errorf("Waffo Pancake error: %s", result.Errors[0].Message)
+
+	session, err := client.Checkout.Authenticated.Create(ctx, sdkParams)
+	if err != nil {
+		return nil, err
 	}
-	if result.Data == nil || result.Data.CheckoutURL == "" || strings.TrimSpace(result.Data.SessionID) == "" {
+	if session == nil || strings.TrimSpace(session.CheckoutURL) == "" || strings.TrimSpace(session.SessionID) == "" {
 		return nil, fmt.Errorf("Waffo Pancake returned empty checkout session")
 	}
-	return result.Data, nil
+	return &WaffoPancakeCheckoutSession{
+		SessionID:      session.SessionID,
+		CheckoutURL:    session.CheckoutURL,
+		ExpiresAt:      session.ExpiresAt,
+		Token:          session.Token,
+		TokenExpiresAt: session.TokenExpiresAt,
+	}, nil
 }

-func VerifyConfiguredWaffoPancakeWebhook(payload string, signatureHeader string) (*waffoPancakeWebhookEvent, error) {
-	environment := resolveWaffoPancakeWebhookEnvironment(payload)
-	return verifyWaffoPancakeWebhook(payload, signatureHeader, environment)
+func optionalString(s string) *string {
+	if strings.TrimSpace(s) == "" {
+		return nil
+	}
+	v := s
+	return &v
 }

-func ResolveWaffoPancakeTradeNo(event *waffoPancakeWebhookEvent) (string, error) {
+// WaffoPancakeBuyerIdentityFromUserID renders the canonical buyer identity
+// for checkout. Webhook handlers compare against the value rendered here to
+// reject identity mismatches, so both call sites must use this function.
+func WaffoPancakeBuyerIdentityFromUserID(userID int) string {
+	return fmt.Sprintf("new-api-user-%d", userID)
+}
+
+// VerifyConfiguredWaffoPancakeWebhook verifies the signature header. The SDK
+// picks the matching test / prod public key from the payload's `mode` field.
+func VerifyConfiguredWaffoPancakeWebhook(payload string, signatureHeader string) (*WaffoPancakeWebhookEvent, error) {
+	evt, err := pancake.VerifyWebhookTyped[pancake.WebhookEventData](payload, signatureHeader, nil)
+	if err != nil {
+		return nil, err
+	}
+	identity := ""
+	if evt.Data.MerchantProvidedBuyerIdentity != nil {
+		identity = *evt.Data.MerchantProvidedBuyerIdentity
+	}
+	externalID := ""
+	if evt.Data.OrderMerchantExternalID != nil {
+		externalID = *evt.Data.OrderMerchantExternalID
+	}
+	return &WaffoPancakeWebhookEvent{
+		ID:        evt.ID,
+		Timestamp: evt.Timestamp,
+		EventType: evt.EventType,
+		EventID:   evt.EventID,
+		StoreID:   evt.StoreID,
+		Mode:      string(evt.Mode),
+		Data: WaffoPancakeWebhookData{
+			OrderID:                       evt.Data.OrderID,
+			OrderMerchantExternalID:       externalID,
+			BuyerEmail:                    evt.Data.BuyerEmail,
+			Currency:                      evt.Data.Currency,
+			Amount:                        evt.Data.Amount,
+			TaxAmount:                     evt.Data.TaxAmount,
+			ProductName:                   evt.Data.ProductName,
+			MerchantProvidedBuyerIdentity: identity,
+		},
+	}, nil
+}
+
+// ResolveWaffoPancakeTradeNo maps a verified webhook event to a local TopUp
+// trade_no via OrderMerchantExternalID, and rejects buyer-identity mismatches.
+func ResolveWaffoPancakeTradeNo(event *WaffoPancakeWebhookEvent) (string, error) {
 	if event == nil {
 		return "", fmt.Errorf("missing webhook event")
 	}
-
-	if tradeNo := strings.TrimSpace(event.Data.OrderID); tradeNo != "" {
-		topUp := model.GetTopUpByTradeNo(tradeNo)
-		if topUp != nil && topUp.PaymentMethod == model.PaymentMethodWaffoPancake {
-			return tradeNo, nil
-		}
-		return "", fmt.Errorf("waffo pancake order not found for webhook orderId=%s", tradeNo)
+	tradeNo := strings.TrimSpace(event.Data.OrderMerchantExternalID)
+	if tradeNo == "" {
+		return "", fmt.Errorf("missing webhook orderMerchantExternalId")
 	}
-
-	return "", fmt.Errorf("missing webhook orderId")
+	topUp := model.GetTopUpByTradeNo(tradeNo)
+	if topUp == nil || topUp.PaymentProvider != model.PaymentProviderWaffoPancake {
+		return "", fmt.Errorf("waffo pancake order not found for tradeNo=%s", tradeNo)
+	}
+	expectedIdentity := WaffoPancakeBuyerIdentityFromUserID(topUp.UserId)
+	actualIdentity := strings.TrimSpace(event.Data.MerchantProvidedBuyerIdentity)
+	if actualIdentity != expectedIdentity {
+		return "", fmt.Errorf(
+			"waffo pancake buyer identity mismatch for tradeNo=%s: expected=%q actual=%q",
+			tradeNo,
+			expectedIdentity,
+			actualIdentity,
+		)
+	}
+	return tradeNo, nil
 }

-func normalizeRSAPrivateKey(raw string) (string, error) {
-	return normalizePEMKey(raw, "PRIVATE KEY", "RSA PRIVATE KEY")
+// ResolveWaffoPancakeSubscriptionTradeNo is the SubscriptionOrder counterpart
+// of ResolveWaffoPancakeTradeNo.
+func ResolveWaffoPancakeSubscriptionTradeNo(event *WaffoPancakeWebhookEvent) (string, error) {
+	if event == nil {
+		return "", fmt.Errorf("missing webhook event")
+	}
+	tradeNo := strings.TrimSpace(event.Data.OrderMerchantExternalID)
+	if tradeNo == "" {
+		return "", fmt.Errorf("missing webhook orderMerchantExternalId")
+	}
+	order := model.GetSubscriptionOrderByTradeNo(tradeNo)
+	if order == nil || order.PaymentProvider != model.PaymentProviderWaffoPancake {
+		return "", fmt.Errorf("waffo pancake subscription order not found for tradeNo=%s", tradeNo)
+	}
+	expectedIdentity := WaffoPancakeBuyerIdentityFromUserID(order.UserId)
+	actualIdentity := strings.TrimSpace(event.Data.MerchantProvidedBuyerIdentity)
+	if actualIdentity != expectedIdentity {
+		return "", fmt.Errorf(
+			"waffo pancake buyer identity mismatch for subscription tradeNo=%s: expected=%q actual=%q",
+			tradeNo,
+			expectedIdentity,
+			actualIdentity,
+		)
+	}
+	return tradeNo, nil
 }

-func normalizeRSAPublicKey(raw string) (string, error) {
-	return normalizePEMKey(raw, "PUBLIC KEY", "RSA PUBLIC KEY")
-}
+// Deterministic default names for "+ Create": stable bodies mean stable
+// X-Idempotency-Key, which lets Pancake dedupe retries server-side.
+const (
+	defaultWaffoPancakeStoreName   = "new-api-store"
+	defaultWaffoPancakeProductName = "new-api-charge-product"
+)

-func normalizePEMKey(raw string, pkcs8Type string, pkcs1Type string) (string, error) {
-	if strings.TrimSpace(raw) == "" {
-		return "", fmt.Errorf("%s is empty", strings.ToLower(pkcs8Type))
-	}
-
-	normalized := strings.TrimSpace(strings.ReplaceAll(raw, `\n`, "\n"))
-	if strings.Contains(normalized, "BEGIN ") {
-		block, _ := pem.Decode([]byte(normalized))
-		if block == nil {
-			return "", fmt.Errorf("invalid PEM encoded %s", strings.ToLower(pkcs8Type))
-		}
-		return string(pem.EncodeToMemory(block)), nil
-	}
-
-	der, err := base64.StdEncoding.DecodeString(strings.ReplaceAll(normalized, "\n", ""))
+// CreateWaffoPancakePrimaryStore creates a Pancake Store using in-flight
+// (not-yet-persisted) credentials and returns the new store ID.
+func CreateWaffoPancakePrimaryStore(ctx context.Context, merchantID, privateKey string) (string, error) {
+	client, err := newWaffoPancakeClientFromCreds(merchantID, privateKey)
 	if err != nil {
-		return "", fmt.Errorf("invalid base64 encoded %s: %w", strings.ToLower(pkcs8Type), err)
+		return "", err
 	}
-
-	pemType := pkcs8Type
-	if pkcs8Type == "PRIVATE KEY" {
-		if _, err := x509.ParsePKCS8PrivateKey(der); err != nil {
-			if _, err := x509.ParsePKCS1PrivateKey(der); err == nil {
-				pemType = pkcs1Type
-			} else {
-				return "", fmt.Errorf("invalid RSA private key")
-			}
-		}
-	} else {
-		if _, err := x509.ParsePKIXPublicKey(der); err != nil {
-			if _, err := x509.ParsePKCS1PublicKey(der); err == nil {
-				pemType = pkcs1Type
-			} else {
-				return "", fmt.Errorf("invalid RSA public key")
-			}
-		}
-	}
-
-	return string(pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: der})), nil
-}
-
-func signWaffoPancakeRequest(method string, path string, timestamp string, body string, privateKeyPEM string) (string, error) {
-	block, _ := pem.Decode([]byte(privateKeyPEM))
-	if block == nil {
-		return "", fmt.Errorf("invalid RSA private key PEM")
-	}
-
-	var privateKey *rsa.PrivateKey
-	switch block.Type {
-	case "PRIVATE KEY":
-		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-		if err != nil {
-			return "", fmt.Errorf("parse PKCS#8 private key: %w", err)
-		}
-		parsed, ok := key.(*rsa.PrivateKey)
-		if !ok {
-			return "", fmt.Errorf("private key is not RSA")
-		}
-		privateKey = parsed
-	case "RSA PRIVATE KEY":
-		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-		if err != nil {
-			return "", fmt.Errorf("parse PKCS#1 private key: %w", err)
-		}
-		privateKey = key
-	default:
-		return "", fmt.Errorf("unsupported private key type: %s", block.Type)
-	}
-
-	canonicalRequest := buildWaffoPancakeCanonicalRequest(method, path, timestamp, body)
-	digest := sha256.Sum256([]byte(canonicalRequest))
-	signature, err := rsa.SignPKCS1v15(nil, privateKey, crypto.SHA256, digest[:])
+	storeRes, err := client.Stores.Create(ctx, pancake.CreateStoreParams{
+		Name: defaultWaffoPancakeStoreName,
+	})
 	if err != nil {
-		return "", fmt.Errorf("sign Waffo Pancake request: %w", err)
+		return "", fmt.Errorf("create Waffo Pancake store: %w", err)
 	}
-	return base64.StdEncoding.EncodeToString(signature), nil
+	return storeRes.Store.ID, nil
 }

-func buildWaffoPancakeCanonicalRequest(method string, path string, timestamp string, body string) string {
-	bodyHash := sha256.Sum256([]byte(body))
-	return fmt.Sprintf(
-		"%s\n%s\n%s\n%s",
-		strings.ToUpper(method),
-		path,
-		timestamp,
-		base64.StdEncoding.EncodeToString(bodyHash[:]),
-	)
-}
-
-func verifyWaffoPancakeWebhook(payload string, signatureHeader string, environment string) (*waffoPancakeWebhookEvent, error) {
-	if signatureHeader == "" {
-		return nil, fmt.Errorf("missing X-Waffo-Signature header")
+// CreateWaffoPancakeProductForPlan mints (and publishes) a Pancake
+// OnetimeProduct priced at `amount` USD, used as a subscription plan's
+// SubscriptionPlan.WaffoPancakeProductId.
+//
+// OnetimeProduct (not SubscriptionProduct) because new-api has no renewal-
+// event handling; Pancake auto-renewing without new-api extending user
+// access would be a UX divergence. Revisit if renewal handling is added.
+func CreateWaffoPancakeProductForPlan(ctx context.Context, merchantID, privateKey, storeID, name, amount, returnURL string) (string, error) {
+	storeID = strings.TrimSpace(storeID)
+	if storeID == "" {
+		return "", fmt.Errorf("store id is required to create a product")
 	}
-
-	timestampPart, signaturePart := parseWaffoPancakeSignatureHeader(signatureHeader)
-	if timestampPart == "" || signaturePart == "" {
-		return nil, fmt.Errorf("malformed X-Waffo-Signature header")
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return "", fmt.Errorf("plan name is required")
 	}
-
-	timestampMs, err := strconv.ParseInt(timestampPart, 10, 64)
+	amount = strings.TrimSpace(amount)
+	if amount == "" {
+		return "", fmt.Errorf("plan price is required")
+	}
+	client, err := newWaffoPancakeClientFromCreds(merchantID, privateKey)
 	if err != nil {
-		return nil, fmt.Errorf("invalid timestamp in X-Waffo-Signature header")
+		return "", err
 	}
-	if math.Abs(float64(time.Now().UnixMilli()-timestampMs)) > float64(waffoPancakeDefaultTolerance.Milliseconds()) {
-		return nil, fmt.Errorf("webhook timestamp outside tolerance window")
-	}
-
-	signatureInput := fmt.Sprintf("%s.%s", timestampPart, payload)
-	if err := verifyWaffoPancakeWebhookWithKey(signatureInput, signaturePart, resolveWaffoPancakeWebhookPublicKey(environment)); err != nil {
-		return nil, fmt.Errorf("invalid webhook signature")
-	}
-
-	var event waffoPancakeWebhookEvent
-	if err := common.Unmarshal([]byte(payload), &event); err != nil {
-		return nil, fmt.Errorf("parse Waffo Pancake webhook payload: %w", err)
-	}
-	return &event, nil
-}
-
-func parseWaffoPancakeSignatureHeader(header string) (string, string) {
-	var timestampPart string
-	var signaturePart string
-	for _, pair := range strings.Split(header, ",") {
-		key, value, found := strings.Cut(strings.TrimSpace(pair), "=")
-		if !found {
-			continue
-		}
-		switch key {
-		case "t":
-			timestampPart = value
-		case "v1":
-			signaturePart = value
-		}
-	}
-	return timestampPart, signaturePart
-}
-
-func resolveWaffoPancakeWebhookEnvironment(payload string) string {
-	var envelope struct {
-		Mode string `json:"mode"`
-	}
-	if err := common.Unmarshal([]byte(payload), &envelope); err != nil {
-		if setting.WaffoPancakeSandbox {
-			return "test"
-		}
-		return "prod"
-	}
-
-	switch strings.ToLower(strings.TrimSpace(envelope.Mode)) {
-	case "test":
-		return "test"
-	case "prod":
-		return "prod"
-	default:
-		if setting.WaffoPancakeSandbox {
-			return "test"
-		}
-		return "prod"
-	}
-}
-
-func resolveWaffoPancakeWebhookPublicKey(environment string) string {
-	if environment == "prod" {
-		return strings.TrimSpace(setting.WaffoPancakeWebhookPublicKey)
-	}
-	return strings.TrimSpace(setting.WaffoPancakeWebhookTestKey)
-}
-
-func verifyWaffoPancakeWebhookWithKey(signatureInput string, signaturePart string, rawPublicKey string) error {
-	publicKeyPEM, err := normalizeRSAPublicKey(rawPublicKey)
+	prodRes, err := client.OnetimeProducts.Create(ctx, pancake.CreateOnetimeProductParams{
+		StoreID: storeID,
+		Name:    name,
+		Prices: pancake.Prices{
+			"USD": {
+				Amount:      amount,
+				TaxCategory: pancake.TaxCategory("saas"),
+			},
+		},
+		SuccessURL: optionalString(strings.TrimSpace(returnURL)),
+	})
 	if err != nil {
-		return err
+		return "", fmt.Errorf("create Waffo Pancake plan product: %w", err)
 	}
-
-	block, _ := pem.Decode([]byte(publicKeyPEM))
-	if block == nil {
-		return fmt.Errorf("invalid RSA public key PEM")
+	productID := prodRes.Product.ID
+	if _, err := client.OnetimeProducts.Publish(ctx, pancake.PublishOnetimeProductParams{ID: productID}); err != nil {
+		return "", fmt.Errorf("publish Waffo Pancake plan product: %w", err)
 	}
+	return productID, nil
+}

-	var publicKey *rsa.PublicKey
-	switch block.Type {
-	case "PUBLIC KEY":
-		key, err := x509.ParsePKIXPublicKey(block.Bytes)
-		if err != nil {
-			return fmt.Errorf("parse PKIX public key: %w", err)
-		}
-		parsed, ok := key.(*rsa.PublicKey)
-		if !ok {
-			return fmt.Errorf("public key is not RSA")
-		}
-		publicKey = parsed
-	case "RSA PUBLIC KEY":
-		key, err := x509.ParsePKCS1PublicKey(block.Bytes)
-		if err != nil {
-			return fmt.Errorf("parse PKCS#1 public key: %w", err)
-		}
-		publicKey = key
-	default:
-		return fmt.Errorf("unsupported public key type: %s", block.Type)
+// CreateWaffoPancakePrimaryProduct mints (and publishes) the wallet-top-up
+// OnetimeProduct under storeID. Per-checkout price overrides via PriceSnapshot
+// are what make the "1.00" seed price irrelevant at runtime.
+func CreateWaffoPancakePrimaryProduct(ctx context.Context, merchantID, privateKey, storeID, returnURL string) (string, error) {
+	storeID = strings.TrimSpace(storeID)
+	if storeID == "" {
+		return "", fmt.Errorf("store id is required to create a product")
 	}
-
-	signature, err := base64.StdEncoding.DecodeString(signaturePart)
+	client, err := newWaffoPancakeClientFromCreds(merchantID, privateKey)
 	if err != nil {
-		return fmt.Errorf("decode webhook signature: %w", err)
+		return "", err
 	}
+	prodRes, err := client.OnetimeProducts.Create(ctx, pancake.CreateOnetimeProductParams{
+		StoreID: storeID,
+		Name:    defaultWaffoPancakeProductName,
+		Prices: pancake.Prices{
+			"USD": {
+				Amount:      "1.00", // overridden at checkout via PriceSnapshot
+				TaxCategory: pancake.TaxCategory("saas"),
+			},
+		},
+		SuccessURL: optionalString(strings.TrimSpace(returnURL)),
+	})
+	if err != nil {
+		return "", fmt.Errorf("create Waffo Pancake product: %w", err)
+	}
+	productID := prodRes.Product.ID
+	if _, err := client.OnetimeProducts.Publish(ctx, pancake.PublishOnetimeProductParams{ID: productID}); err != nil {
+		return "", fmt.Errorf("publish Waffo Pancake product: %w", err)
+	}
+	return productID, nil
+}

-	digest := sha256.Sum256([]byte(signatureInput))
-	if err := rsa.VerifyPKCS1v15(publicKey, crypto.SHA256, digest[:], signature); err != nil {
-		return fmt.Errorf("verify webhook signature: %w", err)
+// WaffoPancakePairResult is the response of CreateWaffoPancakePrimaryPair.
+// When OrphanStore is true the store was created but the product wasn't,
+// so the caller can surface a partial-failure message with StoreID.
+type WaffoPancakePairResult struct {
+	StoreID     string
+	StoreName   string
+	ProductID   string
+	ProductName string
+	OrphanStore bool
+}
+
+// CreateWaffoPancakePrimaryPair mints a Store + OnetimeProduct in one
+// round-trip — the canonical "+ Create" entry point. Nothing is persisted
+// to settings; the operator's final Save commits the chosen IDs.
+func CreateWaffoPancakePrimaryPair(ctx context.Context, merchantID, privateKey, returnURL string) (*WaffoPancakePairResult, error) {
+	storeID, err := CreateWaffoPancakePrimaryStore(ctx, merchantID, privateKey)
+	if err != nil {
+		return nil, err
+	}
+	productID, err := CreateWaffoPancakePrimaryProduct(ctx, merchantID, privateKey, storeID, returnURL)
+	if err != nil {
+		return &WaffoPancakePairResult{
+			StoreID:     storeID,
+			StoreName:   defaultWaffoPancakeStoreName,
+			OrphanStore: true,
+		}, fmt.Errorf("store created at %s but product creation failed: %w", storeID, err)
+	}
+	return &WaffoPancakePairResult{
+		StoreID:     storeID,
+		StoreName:   defaultWaffoPancakeStoreName,
+		ProductID:   productID,
+		ProductName: defaultWaffoPancakeProductName,
+	}, nil
+}
+
+// SaveWaffoPancakeConfig persists the operator-controlled fields atomically
+// at the end of the configuration flow via model.UpdateOptionsBulk (single
+// DB transaction). A blank privateKey is treated as "keep current"
+// (Stripe-style API-secret UX) and is omitted from the bulk payload.
+func SaveWaffoPancakeConfig(ctx context.Context, merchantID, privateKey, returnURL, storeID, productID string) error {
+	merchantID = strings.TrimSpace(merchantID)
+	storeID = strings.TrimSpace(storeID)
+	productID = strings.TrimSpace(productID)
+	if merchantID == "" || storeID == "" || productID == "" {
+		return fmt.Errorf("merchant id, store id, and product id are required to save")
+	}
+	values := map[string]string{
+		"WaffoPancakeMerchantID": merchantID,
+		"WaffoPancakeReturnURL":  strings.TrimSpace(returnURL),
+		"WaffoPancakeStoreID":    storeID,
+		"WaffoPancakeProductID":  productID,
+	}
+	if pk := strings.TrimSpace(privateKey); pk != "" {
+		values["WaffoPancakePrivateKey"] = pk
+	}
+	if err := model.UpdateOptionsBulk(values); err != nil {
+		return fmt.Errorf("persist Waffo Pancake config: %w", err)
 	}
 	return nil
 }
+
+type WaffoPancakeCatalogProduct struct {
+	ID     string `json:"id"`
+	Name   string `json:"name"`
+	Status string `json:"status"`
+}
+
+// WaffoPancakeCatalogStore nests its OnetimeProducts so the UI can render a
+// dependent store→product select without a second round-trip.
+type WaffoPancakeCatalogStore struct {
+	ID              string                       `json:"id"`
+	Name            string                       `json:"name"`
+	Status          string                       `json:"status"`
+	ProdEnabled     bool                         `json:"prodEnabled"`
+	OnetimeProducts []WaffoPancakeCatalogProduct `json:"onetimeProducts"`
+}
+
+type WaffoPancakeCatalog struct {
+	Stores []WaffoPancakeCatalogStore `json:"stores"`
+}
+
+// ListWaffoPancakeCatalog queries Pancake's GraphQL `stores` for the
+// merchant's stores + onetime products. A successful call also proves
+// the supplied credentials authenticate (doubles as a credential probe).
+func ListWaffoPancakeCatalog(ctx context.Context, merchantID, privateKey string) (*WaffoPancakeCatalog, error) {
+	client, err := newWaffoPancakeClientFromCreds(merchantID, privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	type queryShape struct {
+		Stores []WaffoPancakeCatalogStore `json:"stores"`
+	}
+	// `limit: 100` because the API returns a single store when limit is
+	// omitted, even for multi-store merchants. Bump to paginated fetches
+	// (via `offset`) if real catalogs ever cross the cap.
+	resp, err := pancake.GraphQLQuery[queryShape](ctx, client, pancake.GraphQLParams{
+		Query: `query {
+			stores(limit: 100) {
+				id
+				name
+				status
+				prodEnabled
+				onetimeProducts {
+					id
+					name
+					status
+				}
+			}
+		}`,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("query Waffo Pancake catalog: %w", err)
+	}
+	if len(resp.Errors) > 0 {
+		return nil, fmt.Errorf("waffo pancake catalog query returned %d errors: %s",
+			len(resp.Errors), resp.Errors[0].Message)
+	}
+	// Drop non-active products. Operators should only see items they can
+	// actually bind without later hitting "product unavailable" at checkout.
+	stores := resp.Data.Stores
+	for i := range stores {
+		active := stores[i].OnetimeProducts[:0]
+		for _, p := range stores[i].OnetimeProducts {
+			if strings.EqualFold(strings.TrimSpace(p.Status), "active") {
+				active = append(active, p)
+			}
+		}
+		stores[i].OnetimeProducts = active
+	}
+	return &WaffoPancakeCatalog{Stores: stores}, nil
+}
@@ -1,6 +1,7 @@
 package service

 import (
+	"context"
 	"fmt"
 	"strings"
 	"testing"
@@ -8,7 +9,6 @@ import (

 	"github.com/QuantumNous/new-api/common"
 	"github.com/QuantumNous/new-api/model"
-	"github.com/QuantumNous/new-api/setting"
 	"github.com/glebarez/sqlite"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
@@ -29,7 +29,7 @@ func setupWaffoPancakeTestDB(t *testing.T) *gorm.DB {
 	model.DB = db
 	model.LOG_DB = db

-	require.NoError(t, db.AutoMigrate(&model.User{}, &model.TopUp{}))
+	require.NoError(t, db.AutoMigrate(&model.User{}, &model.TopUp{}, &model.SubscriptionOrder{}))

 	t.Cleanup(func() {
 		sqlDB, err := db.DB()
@@ -41,44 +41,101 @@ func setupWaffoPancakeTestDB(t *testing.T) *gorm.DB {
 	return db
 }

-func TestWaffoPancakeCreateSessionResponseParsesDocumentedPayload(t *testing.T) {
-	var result waffoPancakeCreateSessionResponse
-	err := common.Unmarshal([]byte(`{
-		"data": {
-			"sessionId": "cs_550e8400-e29b-41d4-a716-446655440000",
-			"checkoutUrl": "https://checkout.waffo.ai/my-store-abc123/checkout/cs_550e8400-e29b-41d4-a716-446655440000",
-			"expiresAt": "2026-01-22T10:30:00.000Z"
-		}
-	}`), &result)
-	require.NoError(t, err)
-	require.NotNil(t, result.Data)
-	require.Equal(t, "cs_550e8400-e29b-41d4-a716-446655440000", result.Data.SessionID)
-	require.Empty(t, result.Data.OrderID)
+func TestCreateWaffoPancakeCheckoutSession_RequiresOrderMerchantExternalID(t *testing.T) {
+	session, err := CreateWaffoPancakeCheckoutSession(context.Background(), &WaffoPancakeCreateSessionParams{
+		ProductID:     "PROD_checkout_guard",
+		BuyerIdentity: WaffoPancakeBuyerIdentityFromUserID(1),
+	})
+
+	require.Error(t, err)
+	require.Nil(t, session)
+	require.Contains(t, err.Error(), "missing order merchant external id")
 }

 func TestResolveWaffoPancakeTradeNo_UsesWebhookOrderIDWhenLocalOrderExists(t *testing.T) {
 	db := setupWaffoPancakeTestDB(t)

 	topUp := &model.TopUp{
-		UserId:        1,
-		Amount:        10,
-		Money:         29,
-		TradeNo:       "ORD_5dXBtmF2HLlHfbPNm0Wcnz",
-		PaymentMethod: model.PaymentMethodWaffoPancake,
-		CreateTime:    time.Now().Unix(),
-		Status:        common.TopUpStatusPending,
+		UserId:          1,
+		Amount:          10,
+		Money:           29,
+		TradeNo:         "ORD_5dXBtmF2HLlHfbPNm0Wcnz",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
 	}
 	require.NoError(t, db.Create(topUp).Error)

-	tradeNo, err := ResolveWaffoPancakeTradeNo(&waffoPancakeWebhookEvent{
-		Data: waffoPancakeWebhookData{
-			OrderID: "ORD_5dXBtmF2HLlHfbPNm0Wcnz",
+	tradeNo, err := ResolveWaffoPancakeTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderID:                       "ORD_internal_pancake_id",
+			OrderMerchantExternalID:       "ORD_5dXBtmF2HLlHfbPNm0Wcnz",
+			MerchantProvidedBuyerIdentity: WaffoPancakeBuyerIdentityFromUserID(topUp.UserId),
 		},
 	})
 	require.NoError(t, err)
 	require.Equal(t, "ORD_5dXBtmF2HLlHfbPNm0Wcnz", tradeNo)
 }

+func TestResolveWaffoPancakeTradeNo_RejectsBuyerIdentityMismatch(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	topUp := &model.TopUp{
+		UserId:          42,
+		Amount:          10,
+		Money:           29,
+		TradeNo:         "ORD_identity_mismatch_case",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(topUp).Error)
+
+	// Webhook reports the right order but a different buyer — could be a
+	// crossed-wires bug or a tampered payload. Either way: reject.
+	tradeNo, err := ResolveWaffoPancakeTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderID:                       "ORD_internal_pancake_id",
+			OrderMerchantExternalID:       "ORD_identity_mismatch_case",
+			MerchantProvidedBuyerIdentity: WaffoPancakeBuyerIdentityFromUserID(99), // wrong user
+		},
+	})
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
+	require.Contains(t, err.Error(), "buyer identity mismatch")
+}
+
+func TestResolveWaffoPancakeTradeNo_RejectsMissingBuyerIdentity(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	topUp := &model.TopUp{
+		UserId:          7,
+		Amount:          10,
+		Money:           29,
+		TradeNo:         "ORD_missing_identity",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(topUp).Error)
+
+	// An empty MerchantProvidedBuyerIdentity means the order was either created
+	// via the (now-deprecated) anonymous flow or the field was stripped — also
+	// reject so that we never credit anonymous orders to a specific user.
+	tradeNo, err := ResolveWaffoPancakeTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderID:                 "ORD_internal_pancake_id",
+			OrderMerchantExternalID: "ORD_missing_identity",
+		},
+	})
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
+	require.Contains(t, err.Error(), "buyer identity mismatch")
+}
+
 func TestResolveWaffoPancakeTradeNo_FailsWhenWebhookOrderIDIsUnknown(t *testing.T) {
 	db := setupWaffoPancakeTestDB(t)

@@ -91,67 +148,132 @@ func TestResolveWaffoPancakeTradeNo_FailsWhenWebhookOrderIDIsUnknown(t *testing.
 	require.NoError(t, db.Create(user).Error)

 	topUp := &model.TopUp{
-		UserId:        user.Id,
-		Amount:        10,
-		Money:         29,
-		TradeNo:       "WAFFO_PANCAKE-42-123456-abc123",
-		PaymentMethod: model.PaymentMethodWaffoPancake,
-		CreateTime:    time.Now().Unix(),
-		Status:        common.TopUpStatusPending,
+		UserId:          user.Id,
+		Amount:          10,
+		Money:           29,
+		TradeNo:         "WAFFO_PANCAKE-42-123456-abc123",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
 	}
 	require.NoError(t, db.Create(topUp).Error)

-	tradeNo, err := ResolveWaffoPancakeTradeNo(&waffoPancakeWebhookEvent{
-		Data: waffoPancakeWebhookData{
-			OrderID:    "ORD_unknown",
-			BuyerEmail: user.Email,
-			Amount:     "29.00",
+	tradeNo, err := ResolveWaffoPancakeTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderID:                 "ORD_internal_pancake_id",
+			OrderMerchantExternalID: "WAFFO_PANCAKE-unknown",
+			BuyerEmail:              user.Email,
+			Amount:                  "29.00",
 		},
 	})
 	require.Error(t, err)
 	require.Empty(t, tradeNo)
 }

-func TestResolveWaffoPancakeWebhookEnvironment(t *testing.T) {
-	originalSandbox := setting.WaffoPancakeSandbox
-	t.Cleanup(func() {
-		setting.WaffoPancakeSandbox = originalSandbox
+// Parity tests for ResolveWaffoPancakeSubscriptionTradeNo — same four cases
+// as the TopUp resolver above, exercised against SubscriptionOrder records.
+// Drift between the two webhook flows is a real risk because they share
+// the same buyer-identity defence-in-depth pattern.
+
+func TestResolveWaffoPancakeSubscriptionTradeNo_UsesWebhookOrderIDWhenLocalOrderExists(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	order := &model.SubscriptionOrder{
+		UserId:          1,
+		PlanId:          5,
+		Money:           29,
+		TradeNo:         "WAFFO_PANCAKE_SUB-1-1700000000-abc123",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(order).Error)
+
+	tradeNo, err := ResolveWaffoPancakeSubscriptionTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderID:                       "ORD_internal_pancake_id",
+			OrderMerchantExternalID:       "WAFFO_PANCAKE_SUB-1-1700000000-abc123",
+			MerchantProvidedBuyerIdentity: WaffoPancakeBuyerIdentityFromUserID(order.UserId),
+		},
 	})
-
-	testCases := []struct {
-		name     string
-		payload  string
-		expected string
-		sandbox  bool
-	}{
-		{
-			name:     "test mode",
-			payload:  `{"mode":"test"}`,
-			expected: "test",
-		},
-		{
-			name:     "prod mode",
-			payload:  `{"mode":"prod"}`,
-			expected: "prod",
-		},
-		{
-			name:     "missing mode falls back to sandbox",
-			payload:  `{}`,
-			expected: "test",
-			sandbox:  true,
-		},
-		{
-			name:     "invalid mode falls back to prod",
-			payload:  `{"mode":"staging"}`,
-			expected: "prod",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			setting.WaffoPancakeSandbox = tc.sandbox
-			environment := resolveWaffoPancakeWebhookEnvironment(tc.payload)
-			require.Equal(t, tc.expected, environment)
-		})
-	}
+	require.NoError(t, err)
+	require.Equal(t, "WAFFO_PANCAKE_SUB-1-1700000000-abc123", tradeNo)
+}
+
+func TestResolveWaffoPancakeSubscriptionTradeNo_RejectsBuyerIdentityMismatch(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	order := &model.SubscriptionOrder{
+		UserId:          42,
+		PlanId:          5,
+		Money:           29,
+		TradeNo:         "WAFFO_PANCAKE_SUB-42-mismatch",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(order).Error)
+
+	tradeNo, err := ResolveWaffoPancakeSubscriptionTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderID:                       "ORD_internal_pancake_id",
+			OrderMerchantExternalID:       "WAFFO_PANCAKE_SUB-42-mismatch",
+			MerchantProvidedBuyerIdentity: WaffoPancakeBuyerIdentityFromUserID(99), // wrong user
+		},
+	})
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
+	require.Contains(t, err.Error(), "buyer identity mismatch")
+}
+
+func TestResolveWaffoPancakeSubscriptionTradeNo_RejectsMissingBuyerIdentity(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	order := &model.SubscriptionOrder{
+		UserId:          7,
+		PlanId:          5,
+		Money:           29,
+		TradeNo:         "WAFFO_PANCAKE_SUB-7-missing-identity",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(order).Error)
+
+	tradeNo, err := ResolveWaffoPancakeSubscriptionTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderMerchantExternalID: "WAFFO_PANCAKE_SUB-7-missing-identity",
+		},
+	})
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
+	require.Contains(t, err.Error(), "buyer identity mismatch")
+}
+
+func TestResolveWaffoPancakeSubscriptionTradeNo_FailsWhenWebhookOrderIDIsUnknown(t *testing.T) {
+	db := setupWaffoPancakeTestDB(t)
+
+	order := &model.SubscriptionOrder{
+		UserId:          42,
+		PlanId:          5,
+		Money:           29,
+		TradeNo:         "WAFFO_PANCAKE_SUB-42-real-order",
+		PaymentMethod:   model.PaymentMethodWaffoPancake,
+		PaymentProvider: model.PaymentProviderWaffoPancake,
+		CreateTime:      time.Now().Unix(),
+		Status:          common.TopUpStatusPending,
+	}
+	require.NoError(t, db.Create(order).Error)
+
+	tradeNo, err := ResolveWaffoPancakeSubscriptionTradeNo(&WaffoPancakeWebhookEvent{
+		Data: WaffoPancakeWebhookData{
+			OrderMerchantExternalID: "WAFFO_PANCAKE_SUB-unknown",
+		},
+	})
+	require.Error(t, err)
+	require.Empty(t, tradeNo)
 }
@@ -1,16 +1,15 @@
 package setting

+// Waffo Pancake hosted checkout configuration. Gateway is enabled once
+// MerchantID + PrivateKey + ProductID are populated (no separate Enabled
+// flag, matching Stripe / Creem). StoreID + ProductID are operator-bound
+// via SaveWaffoPancakeConfig.
 var (
-	WaffoPancakeEnabled          bool
-	WaffoPancakeSandbox          bool
-	WaffoPancakeMerchantID       string
-	WaffoPancakePrivateKey       string
-	WaffoPancakeWebhookPublicKey string
-	WaffoPancakeWebhookTestKey   string
-	WaffoPancakeStoreID          string
-	WaffoPancakeProductID        string
-	WaffoPancakeReturnURL        string
-	WaffoPancakeCurrency         string  = "USD"
-	WaffoPancakeUnitPrice        float64 = 1.0
-	WaffoPancakeMinTopUp         int     = 1
+	WaffoPancakeMerchantID string
+	WaffoPancakePrivateKey string
+	WaffoPancakeReturnURL  string
+	WaffoPancakeUnitPrice  float64 = 1.0
+	WaffoPancakeMinTopUp   int     = 1
+	WaffoPancakeStoreID    string
+	WaffoPancakeProductID  string
 )
@@ -0,0 +1,5 @@
+<svg width="27" height="27" viewBox="0 0 27 27" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M12.8965 17.8787L11.2995 12.6132L10.1344 8.7762C9.97497 8.25193 9.4909 7.89355 8.94204 7.89355H4.41838C3.89937 7.89355 3.52838 8.39249 3.67767 8.88637L6.0675 16.7643C6.37941 17.7907 7.32849 18.4928 8.40398 18.4928H12.4398C12.7599 18.4922 12.9893 18.1845 12.8965 17.8787ZM7.47396 10.6301C7.11059 10.7302 6.71038 10.4345 6.58079 9.96909C6.4512 9.50371 6.64177 9.04403 7.00514 8.94399C7.36851 8.84395 7.76745 9.13964 7.89641 9.60502C8.026 10.0717 7.83733 10.5301 7.47396 10.6301Z" fill="white"/>
+<path d="M13.0281 18.269C12.8777 18.4077 12.6794 18.4926 12.4646 18.4927H12.4382C12.7588 18.4926 12.9887 18.1847 12.8962 17.8784L11.2996 12.6128L11.3054 12.5923L13.0281 18.269ZM14.5144 13.771V13.7729L13.2615 17.9028C13.2401 17.973 13.2071 18.0369 13.1697 18.0972L11.4021 12.271L12.4626 8.77588C12.6221 8.25169 13.1063 7.89317 13.655 7.89307H16.2976L14.5144 13.771Z" fill="white"/>
+<path d="M19.5133 18.4932H16.8707C16.3221 18.493 15.8378 18.135 15.6783 17.6104L14.61 14.0859L16.3883 8.19336L17.7311 12.6133L19.1617 7.89355H22.7291L19.5133 18.4932Z" fill="white"/>
+</svg>
@@ -0,0 +1,5 @@
+<svg width="27" height="27" viewBox="0 0 27 27" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M12.8967 17.8789L11.2996 12.6135L10.1346 8.77644C9.97511 8.25218 9.49104 7.8938 8.94218 7.8938H4.4185C3.8995 7.8938 3.5285 8.39274 3.67779 8.88662L6.06763 16.7646C6.37954 17.7909 7.32862 18.4931 8.40411 18.4931H12.4399C12.7601 18.4925 12.9894 18.1848 12.8967 17.8789ZM7.47409 10.6304C7.11073 10.7304 6.71051 10.4347 6.58092 9.96934C6.45133 9.50396 6.64191 9.04428 7.00527 8.94423C7.36864 8.84419 7.76758 9.13989 7.89654 9.60527C8.02613 10.0719 7.83746 10.5303 7.47409 10.6304Z" fill="black"/>
+<path d="M13.0278 18.2703C12.8774 18.4086 12.679 18.4929 12.4643 18.4929H12.4379C12.7587 18.4929 12.9886 18.1851 12.8959 17.8787L11.2993 12.613L11.3051 12.5925L13.0278 18.2703ZM16.2973 7.89331L14.5151 13.7712V13.7732L13.2612 17.9031C13.2397 17.9736 13.207 18.0379 13.1694 18.0984L11.4018 12.2712L12.4633 8.77612C12.6228 8.25186 13.1068 7.89331 13.6557 7.89331H16.2973Z" fill="black"/>
+<path d="M22.7283 7.89478L19.5134 18.4934H16.8718C16.323 18.4934 15.8389 18.1355 15.6794 17.6106L14.6101 14.0862L16.3884 8.19458L17.7312 12.6145L19.1619 7.89478H22.7283Z" fill="black"/>
+</svg>
@@ -24,7 +24,6 @@ import SettingsPaymentGateway from '../../pages/Setting/Payment/SettingsPaymentG
 import SettingsPaymentGatewayStripe from '../../pages/Setting/Payment/SettingsPaymentGatewayStripe';
 import SettingsPaymentGatewayCreem from '../../pages/Setting/Payment/SettingsPaymentGatewayCreem';
 import SettingsPaymentGatewayWaffo from '../../pages/Setting/Payment/SettingsPaymentGatewayWaffo';
-import SettingsPaymentGatewayWaffoPancake from '../../pages/Setting/Payment/SettingsPaymentGatewayWaffoPancake';
 import { API, showError, showSuccess, toBoolean } from '../../helpers';
 import { useTranslation } from 'react-i18next';
 import RiskAcknowledgementModal from '../common/modals/RiskAcknowledgementModal';
@@ -53,16 +52,6 @@ const PaymentSetting = () => {
    StripeMinTopUp: 1,
    StripePromotionCodesEnabled: false,

-    WaffoPancakeEnabled: false,
-    WaffoPancakeSandbox: false,
-    WaffoPancakeMerchantID: '',
-    WaffoPancakePrivateKey: '',
-    WaffoPancakeStoreID: '',
-    WaffoPancakeProductID: '',
-    WaffoPancakeReturnURL: '',
-    WaffoPancakeCurrency: 'USD',
-    WaffoPancakeUnitPrice: 1.0,
-    WaffoPancakeMinTopUp: 1,
    'payment_setting.compliance_confirmed': false,
    'payment_setting.compliance_terms_version': '',
    'payment_setting.compliance_confirmed_at': 0,
@@ -171,21 +160,8 @@ const PaymentSetting = () => {
          case 'MinTopUp':
          case 'StripeUnitPrice':
          case 'StripeMinTopUp':
-          case 'WaffoPancakeUnitPrice':
-          case 'WaffoPancakeMinTopUp':
            newInputs[item.key] = parseFloat(item.value);
            break;
-          case 'WaffoPancakeMerchantID':
-          case 'WaffoPancakePrivateKey':
-          case 'WaffoPancakeStoreID':
-          case 'WaffoPancakeProductID':
-          case 'WaffoPancakeReturnURL':
-          case 'WaffoPancakeCurrency':
-            newInputs[item.key] = item.value;
-            break;
-          case 'WaffoPancakeSandbox':
-            newInputs[item.key] = toBoolean(item.value);
-            break;
          default:
            if (item.key.endsWith('Enabled')) {
              newInputs[item.key] = toBoolean(item.value);
@@ -327,13 +303,6 @@ const PaymentSetting = () => {
                  hideSectionTitle
                />
              </Tabs.TabPane>
-              {/*<Tabs.TabPane tab={t('Waffo Pancake 设置')} itemKey='waffo-pancake'>*/}
-              {/*  <SettingsPaymentGatewayWaffoPancake*/}
-              {/*    options={inputs}*/}
-              {/*    refresh={onRefresh}*/}
-              {/*    hideSectionTitle*/}
-              {/*  />*/}
-              {/*</Tabs.TabPane>*/}
            </Tabs>
          </div>
        </Card>
@@ -47,6 +47,7 @@ import {
 } from 'lucide-react';
 import { IconGift } from '@douyinfe/semi-icons';
 import { useMinimumLoadingTime } from '../../hooks/common/useMinimumLoadingTime';
+import { useActualTheme } from '../../context/Theme';
 import { getCurrencyConfig } from '../../helpers/render';
 import SubscriptionPlansCard from './SubscriptionPlansCard';

@@ -102,6 +103,7 @@ const RechargeCard = ({
  const redeemFormApiRef = useRef(null);
  const initialTabSetRef = useRef(false);
  const showAmountSkeleton = useMinimumLoadingTime(amountLoading);
+  const actualTheme = useActualTheme();
  const [activeTab, setActiveTab] = useState('topup');
  const shouldShowSubscription =
    !subscriptionLoading && subscriptionPlans.length > 0;
@@ -355,9 +357,18 @@ const RechargeCard = ({
                                      }}
                                    />
                                  ) : payMethod.type === 'waffo_pancake' ? (
-                                    <CreditCard
-                                      size={18}
-                                      color='var(--semi-color-primary)'
+                                    <img
+                                      src={
+                                        actualTheme === 'dark'
+                                          ? '/waffo-logo-dark.svg'
+                                          : '/waffo-logo-light.svg'
+                                      }
+                                      alt='Waffo'
+                                      style={{
+                                        width: 18,
+                                        height: 18,
+                                        objectFit: 'contain',
+                                      }}
                                    />
                                  ) : (
                                    <CreditCard
@@ -40,6 +40,23 @@ import TransferModal from './modals/TransferModal';
 import PaymentConfirmModal from './modals/PaymentConfirmModal';
 import TopupHistoryModal from './modals/TopupHistoryModal';

+// Reject non-navigable schemes (e.g. javascript:, data:) and relative URLs.
+// Only http / https are allowed for backend-provided redirect targets.
+// Mirrors isSafeHttpCheckoutUrl in the default frontend's
+// features/wallet/hooks/use-waffo-pancake-payment.ts.
+function isSafeHttpCheckoutUrl(value) {
+  const trimmed = (value || '').trim();
+  if (!trimmed) {
+    return false;
+  }
+  try {
+    const u = new URL(trimmed);
+    return u.protocol === 'http:' || u.protocol === 'https:';
+  } catch {
+    return false;
+  }
+}
+
 const TopUp = () => {
  const { t } = useTranslation();
  const [searchParams, setSearchParams] = useSearchParams();
@@ -454,8 +471,12 @@ const TopUp = () => {
        const { message, data } = res.data;
        if (message === 'success') {
          const checkoutUrl = data?.checkout_url || '';
-          if (checkoutUrl) {
-            window.open(checkoutUrl, '_blank');
+          if (checkoutUrl && isSafeHttpCheckoutUrl(checkoutUrl)) {
+            // In-tab redirect (not window.open) — popup blocker fires after
+            // the await loses user-gesture context.
+            window.location.href = checkoutUrl;
+          } else if (checkoutUrl) {
+            showError(t('支付跳转地址不安全'));
          } else {
            showError(t('支付请求失败'));
          }
@@ -1720,6 +1720,7 @@
    "支付渠道": "Payment Channels",
    "支付设置": "Payment",
    "支付请求失败": "Payment request failed",
+    "支付跳转地址不安全": "Unsafe payment redirect URL",
    "支付返回地址": "Return URL",
    "支付金额": "Payment Amount",
    "支持 Ctrl+V 粘贴图片": "Supports Ctrl+V to paste images",
@@ -1154,6 +1154,7 @@
    "支付方式": "支付方式",
    "支付设置": "支付设置",
    "支付请求失败": "支付请求失败",
+    "支付跳转地址不安全": "支付跳转地址不安全",
    "支付金额": "支付金额",
    "支持 Ctrl+V 粘贴图片": "支持 Ctrl+V 粘贴图片",
    "支持6位TOTP验证码或8位备用码，可到`个人设置-安全设置-两步验证设置`配置或查看。": "支持6位TOTP验证码或8位备用码，可到`个人设置-安全设置-两步验证设置`配置或查看。",
@@ -26,25 +26,14 @@ import {
  showSuccess,
 } from '../../../helpers';
 import { useTranslation } from 'react-i18next';
-import { BookOpen, TriangleAlert } from 'lucide-react';
+import { BookOpen } from 'lucide-react';

 const defaultInputs = {
-  WaffoPancakeEnabled: false,
-  WaffoPancakeSandbox: false,
  WaffoPancakeMerchantID: '',
  WaffoPancakePrivateKey: '',
-  WaffoPancakeWebhookPublicKey: '',
-  WaffoPancakeWebhookTestKey: '',
-  WaffoPancakeStoreID: '',
-  WaffoPancakeProductID: '',
  WaffoPancakeReturnURL: '',
-  WaffoPancakeCurrency: 'USD',
-  WaffoPancakeUnitPrice: 1.0,
-  WaffoPancakeMinTopUp: 1,
 };

-const toBoolean = (value) => value === true || value === 'true';
-
 export default function SettingsPaymentGatewayWaffoPancake(props) {
  const { t } = useTranslation();
  const sectionTitle = props.hideSectionTitle
@@ -58,26 +47,9 @@ export default function SettingsPaymentGatewayWaffoPancake(props) {
    if (!props.options || !formApiRef.current) return;

    const currentInputs = {
-      WaffoPancakeEnabled: toBoolean(props.options.WaffoPancakeEnabled),
-      WaffoPancakeSandbox: toBoolean(props.options.WaffoPancakeSandbox),
      WaffoPancakeMerchantID: props.options.WaffoPancakeMerchantID || '',
      WaffoPancakePrivateKey: props.options.WaffoPancakePrivateKey || '',
-      WaffoPancakeWebhookPublicKey:
-        props.options.WaffoPancakeWebhookPublicKey || '',
-      WaffoPancakeWebhookTestKey:
-        props.options.WaffoPancakeWebhookTestKey || '',
-      WaffoPancakeStoreID: props.options.WaffoPancakeStoreID || '',
-      WaffoPancakeProductID: props.options.WaffoPancakeProductID || '',
      WaffoPancakeReturnURL: props.options.WaffoPancakeReturnURL || '',
-      WaffoPancakeCurrency: props.options.WaffoPancakeCurrency || 'USD',
-      WaffoPancakeUnitPrice:
-        props.options.WaffoPancakeUnitPrice !== undefined
-          ? parseFloat(props.options.WaffoPancakeUnitPrice)
-          : 1.0,
-      WaffoPancakeMinTopUp:
-        props.options.WaffoPancakeMinTopUp !== undefined
-          ? parseFloat(props.options.WaffoPancakeMinTopUp)
-          : 1,
    };

    setInputs(currentInputs);
@@ -93,90 +65,23 @@ export default function SettingsPaymentGatewayWaffoPancake(props) {
      ...inputs,
      ...(formApiRef.current?.getValues?.() || {}),
    };
-    values.WaffoPancakeEnabled = toBoolean(values.WaffoPancakeEnabled);
-    values.WaffoPancakeSandbox = toBoolean(values.WaffoPancakeSandbox);
-    const currentWebhookField = values.WaffoPancakeSandbox
-      ? 'WaffoPancakeWebhookTestKey'
-      : 'WaffoPancakeWebhookPublicKey';
-    const currentWebhookLabel = values.WaffoPancakeSandbox
-      ? t('Webhook 公钥（测试环境）')
-      : t('Webhook 公钥（生产环境）');
-
-      if (values.WaffoPancakeEnabled && !values.WaffoPancakeMerchantID.trim()) {
-      showError(t('请输入商户 ID'));
-      return;
-    }
-
-    if (values.WaffoPancakeEnabled && !values.WaffoPancakeStoreID.trim()) {
-      showError(t('请输入 Store ID'));
-      return;
-    }
-
-    if (values.WaffoPancakeEnabled && !values.WaffoPancakeProductID.trim()) {
-      showError(t('请输入 Product ID'));
-      return;
-    }
-
-    if (
-      values.WaffoPancakeEnabled &&
-      !String(values[currentWebhookField] || '').trim()
-    ) {
-      showError(currentWebhookLabel);
-      return;
-    }
-
-    if (
-      values.WaffoPancakeEnabled &&
-      Number(values.WaffoPancakeUnitPrice) <= 0
-    ) {
-      showError(t('充值价格必须大于 0'));
-      return;
-    }
-
-    if (values.WaffoPancakeEnabled && Number(values.WaffoPancakeMinTopUp) < 1) {
-      showError(t('最低充值美元数量必须大于 0'));
-      return;
-    }

    setLoading(true);
    try {
+      // Classic admin only persists the three operator-typed fields.
+      // Store/Product binding is handled exclusively by the default
+      // frontend's catalog flow (see waffo-pancake-settings-section.tsx)
+      // because picking entities from a live catalog needs the Select +
+      // dependent-dropdown UX that the classic Semi-UI page doesn't have.
      const options = [
-        {
-          key: 'WaffoPancakeEnabled',
-          value: values.WaffoPancakeEnabled ? 'true' : 'false',
-        },
-        {
-          key: 'WaffoPancakeSandbox',
-          value: values.WaffoPancakeSandbox ? 'true' : 'false',
-        },
        {
          key: 'WaffoPancakeMerchantID',
          value: values.WaffoPancakeMerchantID || '',
        },
-        {
-          key: 'WaffoPancakeStoreID',
-          value: values.WaffoPancakeStoreID || '',
-        },
-        {
-          key: 'WaffoPancakeProductID',
-          value: values.WaffoPancakeProductID || '',
-        },
        {
          key: 'WaffoPancakeReturnURL',
          value: removeTrailingSlash(values.WaffoPancakeReturnURL || ''),
        },
-        {
-          key: 'WaffoPancakeCurrency',
-          value: values.WaffoPancakeCurrency || 'USD',
-        },
-        {
-          key: 'WaffoPancakeUnitPrice',
-          value: String(values.WaffoPancakeUnitPrice),
-        },
-        {
-          key: 'WaffoPancakeMinTopUp',
-          value: String(values.WaffoPancakeMinTopUp),
-        },
      ];

      if ((values.WaffoPancakePrivateKey || '').trim()) {
@@ -186,20 +91,6 @@ export default function SettingsPaymentGatewayWaffoPancake(props) {
        });
      }

-      if ((values.WaffoPancakeWebhookPublicKey || '').trim()) {
-        options.push({
-          key: 'WaffoPancakeWebhookPublicKey',
-          value: values.WaffoPancakeWebhookPublicKey,
-        });
-      }
-
-      if ((values.WaffoPancakeWebhookTestKey || '').trim()) {
-        options.push({
-          key: 'WaffoPancakeWebhookTestKey',
-          value: values.WaffoPancakeWebhookTestKey,
-        });
-      }
-
      const results = await Promise.all(
        options.map((opt) =>
          API.put('/api/option/', {
@@ -237,103 +128,43 @@ export default function SettingsPaymentGatewayWaffoPancake(props) {
            icon={<BookOpen size={16} />}
            description={
              <>
-                Waffo Pancake 的商户、商品和签名密钥请
+                Waffo Pancake 商户 ID 与私钥请在
                <a
-                  href='https://docs.waffo.ai'
+                  href='https://pancake.waffo.ai/merchant/dashboard'
                  target='_blank'
                  rel='noreferrer'
                >
-                  点击此处
+                  Waffo Pancake 控制台
                </a>
-                获取，建议先在测试环境完成联调。
+                获取，保存后系统会自动在该商户名下创建 Store + Product，无需手动配置；
+                环境（test / 生产）由你粘贴的 API 私钥本身决定。
+                请在 Pancake 控制台把下面两个回调地址分别注册到 Test Mode 和 Production Mode
+                两个 webhook 位置，分开走避免测试流量污染生产数据：
                <br />
-                {t('回调地址')}：
+                {t('Test 回调地址')}：
                {props.options.ServerAddress
                  ? removeTrailingSlash(props.options.ServerAddress)
                  : t('网站地址')}
-                /api/waffo-pancake/webhook
+                /api/waffo-pancake/webhook/test
+                <br />
+                {t('Production 回调地址')}：
+                {props.options.ServerAddress
+                  ? removeTrailingSlash(props.options.ServerAddress)
+                  : t('网站地址')}
+                /api/waffo-pancake/webhook/prod
              </>
            }
            style={{ marginBottom: 12 }}
          />
-          <Banner
-            type='warning'
-            icon={<TriangleAlert size={16} />}
-            description={t(
-              '请确认 Merchant、Store、Product 和所选环境密钥一致。',
-            )}
-            style={{ marginBottom: 16 }}
-          />
-          <Row gutter={{ xs: 8, sm: 16, md: 24, lg: 24, xl: 24, xxl: 24 }}>
-            <Col xs={24} sm={12} md={8} lg={8} xl={8}>
-              <Form.Switch
-                field='WaffoPancakeEnabled'
-                label={t('启用 Waffo Pancake')}
-                checkedText='｜'
-                uncheckedText='〇'
-              />
-            </Col>
-            <Col xs={24} sm={12} md={8} lg={8} xl={8}>
-              <Form.Switch
-                field='WaffoPancakeSandbox'
-                label={t('沙盒模式')}
-                checkedText='｜'
-                uncheckedText='〇'
-                extraText={t('用于切换当前下单和回调校验所使用的环境')}
-              />
-            </Col>
-            <Col xs={24} sm={12} md={8} lg={8} xl={8}>
-              <Form.Input
-                field='WaffoPancakeCurrency'
-                label={t('货币')}
-                placeholder='USD'
-                extraText={t('默认使用 USD 结算')}
-              />
-            </Col>
-          </Row>
-
-          <Row
-            gutter={{ xs: 8, sm: 16, md: 24, lg: 24, xl: 24, xxl: 24 }}
-            style={{ marginTop: 16 }}
-          >
-            <Col xs={24} sm={24} md={8} lg={8} xl={8}>
-              <Form.Input
-                field='WaffoPancakeMerchantID'
-                label={t('商户 ID')}
-                placeholder={t('例如：MER_xxx')}
-                extraText={t('请填写当前环境对应的商户 ID')}
-              />
-            </Col>
-            <Col xs={24} sm={24} md={8} lg={8} xl={8}>
-              <Form.Input
-                field='WaffoPancakeStoreID'
-                label={t('Store ID')}
-                placeholder={t('例如：STO_xxx')}
-                extraText={t('请填写当前环境对应的 Store ID')}
-              />
-            </Col>
-            <Col xs={24} sm={24} md={8} lg={8} xl={8}>
-              <Form.Input
-                field='WaffoPancakeProductID'
-                label={t('Product ID')}
-                placeholder={t('例如：PROD_xxx')}
-                extraText={t('请填写当前环境对应的 Product ID')}
-              />
-            </Col>
-          </Row>
-
          <Row
            gutter={{ xs: 8, sm: 16, md: 24, lg: 24, xl: 24, xxl: 24 }}
            style={{ marginTop: 16 }}
          >
            <Col xs={24} sm={24} md={12} lg={12} xl={12}>
-              <Form.TextArea
-                field='WaffoPancakePrivateKey'
-                label={t('API 私钥')}
-                placeholder={t('填写后覆盖当前私钥，留空表示保持当前不变')}
-                extraText={t('保存后不会回显，请填写当前环境对应的 API 私钥')}
-                type='password'
-                autosize={{ minRows: 4, maxRows: 8 }}
+              <Form.Input
+                field='WaffoPancakeMerchantID'
+                label={t('商户 ID')}
+                placeholder={t('例如：MER_xxx')}
              />
            </Col>
            <Col xs={24} sm={24} md={12} lg={12} xl={12}>
@@ -341,7 +172,6 @@ export default function SettingsPaymentGatewayWaffoPancake(props) {
                field='WaffoPancakeReturnURL'
                label={t('支付返回地址')}
                placeholder={t('例如：https://example.com/console/topup')}
-                extraText={t('留空则自动使用当前站点的默认充值页地址')}
              />
            </Col>
          </Row>
@@ -350,55 +180,16 @@ export default function SettingsPaymentGatewayWaffoPancake(props) {
            gutter={{ xs: 8, sm: 16, md: 24, lg: 24, xl: 24, xxl: 24 }}
            style={{ marginTop: 16 }}
          >
-            <Col xs={24} sm={24} md={12} lg={12} xl={12}>
+            <Col xs={24}>
              <Form.TextArea
-                field='WaffoPancakeWebhookPublicKey'
-                label={t('Webhook 公钥（生产环境）')}
-                placeholder={t(
-                  '填写后覆盖当前生产环境 Webhook 公钥，留空表示保持当前不变',
-                )}
-                extraText={t('用于校验生产环境的 Waffo Pancake Webhook 签名')}
+                field='WaffoPancakePrivateKey'
+                label={t('API 私钥')}
+                placeholder={t('填写后覆盖当前私钥，留空表示保持当前不变')}
+                extraText={t('⚠ 测试 / 生产环境由你粘进来的 API 私钥本身决定——集成阶段用 Test Key，正式上线时再换成 Production Key')}
                type='password'
                autosize={{ minRows: 4, maxRows: 8 }}
              />
            </Col>
-            <Col xs={24} sm={24} md={12} lg={12} xl={12}>
-              <Form.TextArea
-                field='WaffoPancakeWebhookTestKey'
-                label={t('Webhook 公钥（测试环境）')}
-                placeholder={t(
-                  '填写后覆盖当前测试环境 Webhook 公钥，留空表示保持当前不变',
-                )}
-                extraText={t('用于校验测试环境的 Waffo Pancake Webhook 签名')}
-                type='password'
-                autosize={{ minRows: 4, maxRows: 8 }}
-              />
-            </Col>
-          </Row>
-
-          <Row
-            gutter={{ xs: 8, sm: 16, md: 24, lg: 24, xl: 24, xxl: 24 }}
-            style={{ marginTop: 16 }}
-          >
-            <Col xs={24} sm={12} md={8} lg={8} xl={8}>
-              <Form.InputNumber
-                field='WaffoPancakeUnitPrice'
-                precision={2}
-                label={t('充值价格（x元/美金）')}
-                placeholder={t('例如：7，就是7元/美金')}
-                extraText={t('按 1 美元对应的站内价格填写')}
-                min={0}
-              />
-            </Col>
-            <Col xs={24} sm={12} md={8} lg={8} xl={8}>
-              <Form.InputNumber
-                field='WaffoPancakeMinTopUp'
-                label={t('最低充值美元数量')}
-                placeholder={t('例如：2，就是最低充值2$')}
-                extraText={t('用户单次最少可充值的美元数量')}
-                min={1}
-              />
-            </Col>
          </Row>

          <Button onClick={submitWaffoPancakeSetting}>
@@ -18,83 +18,97 @@
    "knip": "knip"
  },
  "dependencies": {
-    "@base-ui/react": "^1.4.1",
+    "@base-ui/react": "^1.5.0",
+    "@fontsource-variable/lora": "^5.2.8",
    "@fontsource-variable/public-sans": "^5.2.7",
-    "@hookform/resolvers": "^5.2.2",
-    "@hugeicons/core-free-icons": "^4.1.1",
+    "@hookform/resolvers": "^5.4.0",
+    "@hugeicons/core-free-icons": "^4.1.4",
    "@hugeicons/react": "^1.1.6",
-    "@lobehub/icons": "^4.0.3",
-    "@tailwindcss/postcss": "^4.2.2",
-    "@tanstack/react-query": "^5.95.2",
-    "@tanstack/react-router": "^1.168.23",
+    "@lobehub/icons": "^5.8.0",
+    "@tailwindcss/postcss": "^4.3.0",
+    "@tanstack/react-query": "^5.100.14",
+    "@tanstack/react-router": "^1.170.8",
    "@tanstack/react-table": "^8.21.3",
-    "@tanstack/react-virtual": "^3.13.18",
-    "@visactor/react-vchart": "^2.0.13",
-    "@visactor/vchart": "^2.0.13",
-    "ai": "^6.0.27",
+    "@tanstack/react-virtual": "^3.13.25",
+    "@visactor/react-vchart": "^2.0.22",
+    "@visactor/vchart": "^2.0.22",
+    "ai": "^6.0.191",
    "auto-skeleton-react": "^1.0.5",
-    "axios": "^1.13.6",
+    "axios": "^1.16.1",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "cmdk": "^1.1.1",
-    "date-fns": "^4.1.0",
-    "dayjs": "^1.11.19",
-    "i18next": "^25.7.4",
-    "i18next-browser-languagedetector": "^8.2.0",
+    "date-fns": "^4.3.0",
+    "dayjs": "^1.11.20",
+    "i18next": "^26.2.0",
+    "i18next-browser-languagedetector": "^8.2.1",
    "input-otp": "^1.4.2",
-    "lucide-react": "^1.7.0",
-    "motion": "^12.38.0",
-    "nanoid": "^5.1.6",
+    "lucide-react": "^1.16.0",
+    "motion": "^12.40.0",
+    "nanoid": "^5.1.11",
    "next-themes": "^0.4.6",
    "qrcode.react": "^4.2.0",
-    "react": "^19.2.4",
-    "react-day-picker": "^9.14.0",
-    "react-dom": "^19.2.4",
-    "react-hook-form": "^7.71.0",
-    "react-i18next": "^16.5.2",
-    "react-icons": "^5.5.0",
+    "react": "^19.2.6",
+    "react-day-picker": "^10.0.1",
+    "react-dom": "^19.2.6",
+    "react-hook-form": "^7.76.1",
+    "react-i18next": "^17.0.8",
+    "react-icons": "^5.6.0",
    "react-markdown": "^10.1.0",
-    "react-resizable-panels": "^4.11.0",
+    "react-resizable-panels": "^4.11.2",
    "react-top-loading-bar": "^3.0.2",
-    "recharts": "3.8.0",
+    "recharts": "3.8.1",
    "rehype-raw": "^7.0.0",
    "remark-gfm": "^4.0.1",
-    "shiki": "^4.0.2",
+    "shiki": "^4.1.0",
    "sonner": "^2.0.7",
-    "sse.js": "^2.7.2",
-    "streamdown": "^2.0.1",
-    "tailwind-merge": "^3.5.0",
-    "tailwindcss": "^4.2.2",
+    "sse.js": "^2.8.0",
+    "streamdown": "^2.5.0",
+    "tailwind-merge": "^3.6.0",
+    "tailwindcss": "^4.3.0",
    "tokenlens": "^1.3.1",
    "tw-animate-css": "^1.4.0",
-    "use-stick-to-bottom": "^1.1.1",
+    "use-stick-to-bottom": "^1.1.4",
    "vaul": "^1.1.2",
-    "zod": "^4.3.6",
-    "zustand": "^5.0.12"
+    "zod": "^4.4.3",
+    "zustand": "^5.0.13"
  },
  "devDependencies": {
    "@eslint/js": "^10.0.1",
-    "@rsbuild/core": "^2.0.1",
+    "@rsbuild/core": "^2.0.7",
    "@rsbuild/plugin-react": "^2.0.0",
-    "@tanstack/eslint-plugin-query": "^5.95.2",
-    "@tanstack/react-query-devtools": "^5.95.2",
-    "@tanstack/react-router-devtools": "^1.166.13",
-    "@tanstack/router-plugin": "^1.167.23",
+    "@tanstack/eslint-plugin-query": "^5.100.14",
+    "@tanstack/react-query-devtools": "^5.100.14",
+    "@tanstack/react-router-devtools": "^1.167.0",
+    "@tanstack/router-plugin": "^1.168.11",
    "@trivago/prettier-plugin-sort-imports": "^6.0.2",
-    "@types/node": "^25.5.0",
-    "@types/react": "^19.2.14",
+    "@types/node": "^25.9.1",
+    "@types/react": "^19.2.15",
    "@types/react-dom": "^19.2.3",
    "@xyflow/react": "^12.10.2",
    "embla-carousel-react": "^8.6.0",
-    "eslint": "^10.1.0",
-    "eslint-plugin-react-hooks": "^7.0.1",
+    "eslint": "^10.4.0",
+    "eslint-plugin-react-hooks": "^7.1.1",
    "eslint-plugin-react-refresh": "^0.5.2",
-    "globals": "^17.4.0",
-    "knip": "^6.0.6",
-    "prettier": "^3.8.1",
-    "prettier-plugin-tailwindcss": "^0.7.2",
-    "shadcn": "^3.7.0",
-    "typescript": "~5.9.3",
-    "typescript-eslint": "^8.57.2"
+    "globals": "^17.6.0",
+    "knip": "^6.14.2",
+    "prettier": "^3.8.3",
+    "prettier-plugin-tailwindcss": "^0.8.0",
+    "shadcn": "^4.8.0",
+    "typescript": "~6.0.3",
+    "typescript-eslint": "^8.59.4"
+  },
+  "overrides": {
+    "brace-expansion": "2.1.1",
+    "dompurify": "3.4.5",
+    "fast-uri": "3.1.2",
+    "hono": "4.12.22",
+    "ip-address": "10.2.0",
+    "js-cookie": "3.0.7",
+    "mermaid": "11.15.0",
+    "minimist": "1.2.8",
+    "postcss": "8.5.15",
+    "qs": "6.15.2",
+    "uuid": "14.0.0"
  }
 }
@@ -0,0 +1,5 @@
+<svg width="27" height="27" viewBox="0 0 27 27" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M12.8965 17.8787L11.2995 12.6132L10.1344 8.7762C9.97497 8.25193 9.4909 7.89355 8.94204 7.89355H4.41838C3.89937 7.89355 3.52838 8.39249 3.67767 8.88637L6.0675 16.7643C6.37941 17.7907 7.32849 18.4928 8.40398 18.4928H12.4398C12.7599 18.4922 12.9893 18.1845 12.8965 17.8787ZM7.47396 10.6301C7.11059 10.7302 6.71038 10.4345 6.58079 9.96909C6.4512 9.50371 6.64177 9.04403 7.00514 8.94399C7.36851 8.84395 7.76745 9.13964 7.89641 9.60502C8.026 10.0717 7.83733 10.5301 7.47396 10.6301Z" fill="white"/>
+<path d="M13.0281 18.269C12.8777 18.4077 12.6794 18.4926 12.4646 18.4927H12.4382C12.7588 18.4926 12.9887 18.1847 12.8962 17.8784L11.2996 12.6128L11.3054 12.5923L13.0281 18.269ZM14.5144 13.771V13.7729L13.2615 17.9028C13.2401 17.973 13.2071 18.0369 13.1697 18.0972L11.4021 12.271L12.4626 8.77588C12.6221 8.25169 13.1063 7.89317 13.655 7.89307H16.2976L14.5144 13.771Z" fill="white"/>
+<path d="M19.5133 18.4932H16.8707C16.3221 18.493 15.8378 18.135 15.6783 17.6104L14.61 14.0859L16.3883 8.19336L17.7311 12.6133L19.1617 7.89355H22.7291L19.5133 18.4932Z" fill="white"/>
+</svg>
@@ -0,0 +1,5 @@
+<svg width="27" height="27" viewBox="0 0 27 27" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M12.8967 17.8789L11.2996 12.6135L10.1346 8.77644C9.97511 8.25218 9.49104 7.8938 8.94218 7.8938H4.4185C3.8995 7.8938 3.5285 8.39274 3.67779 8.88662L6.06763 16.7646C6.37954 17.7909 7.32862 18.4931 8.40411 18.4931H12.4399C12.7601 18.4925 12.9894 18.1848 12.8967 17.8789ZM7.47409 10.6304C7.11073 10.7304 6.71051 10.4347 6.58092 9.96934C6.45133 9.50396 6.64191 9.04428 7.00527 8.94423C7.36864 8.84419 7.76758 9.13989 7.89654 9.60527C8.02613 10.0719 7.83746 10.5303 7.47409 10.6304Z" fill="black"/>
+<path d="M13.0278 18.2703C12.8774 18.4086 12.679 18.4929 12.4643 18.4929H12.4379C12.7587 18.4929 12.9886 18.1851 12.8959 17.8787L11.2993 12.613L11.3051 12.5925L13.0278 18.2703ZM16.2973 7.89331L14.5151 13.7712V13.7732L13.2612 17.9031C13.2397 17.9736 13.207 18.0379 13.1694 18.0984L11.4018 12.2712L12.4633 8.77612C12.6228 8.25186 13.1068 7.89331 13.6557 7.89331H16.2973Z" fill="black"/>
+<path d="M22.7283 7.89478L19.5134 18.4934H16.8718C16.323 18.4934 15.8389 18.1355 15.6794 17.6106L14.6101 14.0862L16.3884 8.19458L17.7312 12.6145L19.1619 7.89478H22.7283Z" fill="black"/>
+</svg>
@@ -29,6 +29,90 @@ const OBFUSCATED_KEYS = [
  },
 ]

+const BRAND_AND_LITERAL_KEYS = new Set([
+  'AI Proxy',
+  'AIGC2D',
+  'Alipay',
+  'Anthropic',
+  'API URL',
+  'API2GPT',
+  'AccessKey / SecretAccessKey',
+  'AZURE_OPENAI_ENDPOINT *',
+  'Baidu V2',
+  'ChatGPT',
+  'Claude',
+  'Client ID',
+  'Client Secret',
+  'Cloudflare',
+  'Cohere',
+  'DeepSeek',
+  'Discord',
+  'DoubaoVideo',
+  'FastGPT',
+  'Gemini',
+  'Gemini Image 4K',
+  'GitHub',
+  'Jimeng',
+  'JustSong',
+  'LingYiWanWu',
+  'LinuxDO',
+  'Midjourney',
+  'MidjourneyPlus',
+  'Midjourney-Proxy',
+  'MiniMax',
+  'Mistral',
+  'MokaAI',
+  'Moonshot',
+  'New API',
+  'New API &lt;noreply@example.com&gt;',
+  'NewAPI',
+  'OAuth Client Secret',
+  'OhMyGPT',
+  'Ollama',
+  'One API',
+  'OpenAI',
+  'OpenAIMax',
+  'OpenRouter',
+  'Pancake',
+  'Passkey',
+  'Perplexity',
+  'QuantumNous',
+  'Quota:',
+  'Replicate',
+  'SiliconFlow',
+  'Stripe',
+  'Submodel',
+  'SunoAPI',
+  'Telegram',
+  'Tencent',
+  'TTFT P50',
+  'TTFT P95',
+  'TTFT P99',
+  'Uptime Kuma',
+  'Uptime Kuma URL',
+  'Vertex AI',
+  'VolcEngine',
+  'Waffo Pancake Dashboard',
+  'Waffo Pancake MoR',
+  'WeChat',
+  'WeChat Pay',
+  'Webhook URL',
+  'Webhook URL:',
+  'Well-Known URL',
+  'Worker URL',
+  'Xinference',
+  'Xunfei',
+  'Zhipu V4',
+  '"default": "us-central1", "claude-3-5-sonnet-20240620": "europe-west1"',
+  'edit_this',
+  'footer.columns.related.links.midjourney',
+  'footer.columns.related.links.newApiKeyTool',
+  'my-status',
+  'new-api-key-tool',
+  'price_xxx',
+  'whsec_xxx',
+])
+
 function isPlainObject(v) {
  return typeof v === 'object' && v !== null && !Array.isArray(v)
 }
@@ -97,6 +181,24 @@ function isLikelyUntranslated({ locale, baseValue, value }) {

  // Skip short tokens / acronyms / ids
  const s = baseValue.trim()
+  if (BRAND_AND_LITERAL_KEYS.has(s)) return false
+  if (
+    /^https?:\/\//.test(s) ||
+    /^\/[\w/-]+/.test(s) ||
+    /^[\w.-]+@[\w.-]+$/.test(s) ||
+    /^smtp\./i.test(s) ||
+    /^socks5:/i.test(s) ||
+    /^org-/.test(s) ||
+    /^gpt-/i.test(s) ||
+    /^checkout\./.test(s) ||
+    /^footer\./.test(s) ||
+    /^[A-Z0-9_ *./:-]+$/.test(s) ||
+    s.startsWith('{') ||
+    s.startsWith('[') ||
+    s.includes('&#10;')
+  ) {
+    return false
+  }
  if (s.length < 6) return false
  if (!/[A-Za-z]{3,}/.test(s)) return false

@@ -187,6 +289,8 @@ async function main() {

    if (Object.keys(extras).length > 0) {
      await fs.writeFile(path.join(extrasDir, `${locale}.extras.json`), stableStringify(extras), 'utf8')
+    } else {
+      await fs.rm(path.join(extrasDir, `${locale}.extras.json`), { force: true })
    }
    if (Object.keys(untranslated).length > 0) {
      await fs.writeFile(
@@ -194,6 +298,8 @@ async function main() {
        stableStringify(untranslated),
        'utf8',
      )
+    } else {
+      await fs.rm(path.join(reportsDir, `${locale}.untranslated.json`), { force: true })
    }

    // Rewrite locale file in base order (even for en to normalize formatting)
@@ -23,34 +23,66 @@ import {
  type ComponentProps,
  createContext,
  type HTMLAttributes,
+  type ReactNode,
  useContext,
  useEffect,
+  useMemo,
  useState,
 } from 'react'
 import type { Element } from 'hast'
-import { CheckIcon, CopyIcon } from 'lucide-react'
 import {
-  type BundledLanguage,
-  codeToHtml,
-  type ShikiTransformer,
-} from 'shiki/bundle/web'
+  CheckIcon,
+  ChevronDownIcon,
+  ChevronRightIcon,
+  CopyIcon,
+  DownloadIcon,
+} from 'lucide-react'
+import { useTranslation } from 'react-i18next'
+import type { BundledLanguage, ShikiTransformer } from 'shiki'
 import { cn } from '@/lib/utils'
 import { Button } from '@/components/ui/button'
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger,
+} from '@/components/ui/tooltip'

 type CodeBlockProps = HTMLAttributes<HTMLDivElement> & {
  code: string
-  language: BundledLanguage
+  collapsedLines?: number
+  defaultCollapsed?: boolean
+  enableCollapse?: boolean
+  filename?: string
+  language: BundledLanguage | string
+  maxExpandedLines?: number
+  /** @deprecated use collapsedLines for collapsed preview height. */
+  maxCollapsedLines?: number
  showLineNumbers?: boolean
+  showToolbar?: boolean
+  title?: ReactNode
 }

 type CodeBlockContextType = {
  code: string
+  language: string
 }

 const CodeBlockContext = createContext<CodeBlockContextType>({
  code: '',
+  language: 'plaintext',
 })

+const highlightCache = new Map<string, string>()
+
+const LANGUAGE_ALIASES: Record<string, BundledLanguage> = {
+  csharp: 'c#',
+  golang: 'go',
+  js: 'javascript',
+  shell: 'bash',
+  shellscript: 'bash',
+  ts: 'typescript',
+}
+
 const lineNumberTransformer: ShikiTransformer = {
  name: 'line-numbers',
  line(node: Element, line: number) {
@@ -72,64 +104,251 @@ const lineNumberTransformer: ShikiTransformer = {
  },
 }

+function getRequestedCodeLanguage(language?: string) {
+  const normalized = language?.trim().toLowerCase() || 'plaintext'
+  return LANGUAGE_ALIASES[normalized] ?? normalized
+}
+
+async function normalizeCodeLanguage(language?: string) {
+  const aliased = getRequestedCodeLanguage(language)
+  const { bundledLanguages } = await import('shiki')
+  if (aliased in bundledLanguages) {
+    return aliased as BundledLanguage
+  }
+
+  return 'plaintext'
+}
+
+function escapeCodeHtml(code: string) {
+  return code
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+}
+
+function renderPlainCodeHtml(code: string, showLineNumbers: boolean) {
+  const lines = code.split('\n')
+  const renderedCode = lines
+    .map((line, index) => {
+      const escapedLine = escapeCodeHtml(line) || ' '
+      if (!showLineNumbers) {
+        return escapedLine
+      }
+
+      return `<span class="inline-block min-w-10 mr-4 text-right select-none text-muted-foreground">${index + 1}</span>${escapedLine}`
+    })
+    .join('\n')
+
+  return `<pre class="shiki"><code>${renderedCode}</code></pre>`
+}
+
 export async function highlightCode(
  code: string,
-  language: BundledLanguage,
+  language: BundledLanguage | string,
  showLineNumbers = false
 ) {
+  const resolvedLanguage = await normalizeCodeLanguage(language)
+  const cacheKey = `${resolvedLanguage}:${showLineNumbers ? 'line' : 'plain'}:${code}`
+  const cachedHtml = highlightCache.get(cacheKey)
+
+  if (cachedHtml) {
+    return cachedHtml
+  }
+
  const transformers: ShikiTransformer[] = showLineNumbers
    ? [lineNumberTransformer]
    : []

-  return codeToHtml(code, {
-    lang: language,
+  if (resolvedLanguage === 'plaintext') {
+    const html = renderPlainCodeHtml(code, showLineNumbers)
+    highlightCache.set(cacheKey, html)
+    return html
+  }
+
+  const { codeToHtml } = await import('shiki')
+  const html = await codeToHtml(code, {
+    lang: resolvedLanguage,
    themes: {
      light: 'one-light',
      dark: 'one-dark-pro',
    },
+    defaultColor: false,
    transformers,
  })
+
+  highlightCache.set(cacheKey, html)
+  return html
+}
+
+function getCodeLineCount(code: string) {
+  if (!code) {
+    return 1
+  }
+
+  return code.split('\n').length
+}
+
+function getDownloadFilename(language: string, filename?: string) {
+  if (filename) {
+    return filename
+  }
+
+  const extension = language === 'plaintext' ? 'txt' : language
+  return `code.${extension}`
+}
+
+function getCodeBlockHeight(lines: number) {
+  return `${Math.max(4, lines) * 1.5 + 2}rem`
 }

 export const CodeBlock = ({
  code,
+  collapsedLines = 12,
+  defaultCollapsed,
+  enableCollapse = true,
+  filename,
  language,
+  maxExpandedLines,
+  maxCollapsedLines,
  showLineNumbers = false,
+  showToolbar = false,
+  title,
  className,
  children,
  ...props
 }: CodeBlockProps) => {
+  const { t } = useTranslation()
  const [html, setHtml] = useState<string>('')
+  const [isCollapsed, setIsCollapsed] = useState(Boolean(defaultCollapsed))
+  const displayLanguage = getRequestedCodeLanguage(language)
+  const lineCount = useMemo(() => getCodeLineCount(code), [code])
+  const previewLines = maxCollapsedLines ?? collapsedLines
+  const canCollapse = enableCollapse && lineCount > previewLines
+  const isCodeCollapsed = canCollapse && isCollapsed
+  const displayTitle = title ?? displayLanguage
+  const bodyMaxHeight = isCodeCollapsed
+    ? getCodeBlockHeight(previewLines)
+    : maxExpandedLines
+      ? getCodeBlockHeight(maxExpandedLines)
+      : undefined

  useEffect(() => {
    let cancelled = false
-    highlightCode(code, language, showLineNumbers).then((next) => {
-      if (!cancelled) {
-        setHtml(next)
-      }
-    })
+    highlightCode(code, language, showLineNumbers)
+      .then((next) => {
+        if (!cancelled) {
+          setHtml(next)
+        }
+      })
+      .catch(() => {
+        if (!cancelled) {
+          setHtml(renderPlainCodeHtml(code, showLineNumbers))
+        }
+      })
    return () => {
      cancelled = true
    }
  }, [code, language, showLineNumbers])

+  const downloadCode = () => {
+    if (typeof window === 'undefined') {
+      return
+    }
+
+    const blob = new Blob([code], { type: 'text/plain;charset=utf-8' })
+    const url = URL.createObjectURL(blob)
+    const anchor = document.createElement('a')
+    anchor.href = url
+    anchor.download = getDownloadFilename(displayLanguage, filename)
+    anchor.click()
+    URL.revokeObjectURL(url)
+  }
+
  return (
-    <CodeBlockContext.Provider value={{ code }}>
+    <CodeBlockContext.Provider value={{ code, language: displayLanguage }}>
      <div
        className={cn(
-          'group bg-background text-foreground relative w-full overflow-hidden rounded-md border',
+          'group/code-block bg-muted/20 text-foreground my-3 w-full max-w-full overflow-hidden rounded-lg border shadow-xs',
          className
        )}
        {...props}
      >
-        <div className='relative'>
+        {showToolbar && (
+          <div className='bg-muted/35 border-border/70 flex min-h-10 items-center gap-2 border-b px-2 py-1.5'>
+            <div className='min-w-0 flex-1'>
+              <div className='text-muted-foreground truncate font-mono text-[11px] font-medium tracking-wide uppercase'>
+                {displayTitle}
+              </div>
+            </div>
+            <div className='flex shrink-0 items-center gap-1'>
+              {canCollapse && (
+                <Tooltip>
+                  <TooltipTrigger
+                    render={
+                      <Button
+                        aria-label={
+                          isCodeCollapsed ? t('Expand') : t('Collapse')
+                        }
+                        className='size-8'
+                        onClick={() => setIsCollapsed((value) => !value)}
+                        size='icon-sm'
+                        type='button'
+                        variant='ghost'
+                      >
+                        {isCodeCollapsed ? (
+                          <ChevronRightIcon className='size-4' />
+                        ) : (
+                          <ChevronDownIcon className='size-4' />
+                        )}
+                      </Button>
+                    }
+                  />
+                  <TooltipContent>
+                    <p>{isCodeCollapsed ? t('Expand') : t('Collapse')}</p>
+                  </TooltipContent>
+                </Tooltip>
+              )}
+              {children}
+              <Tooltip>
+                <TooltipTrigger
+                  render={
+                    <Button
+                      aria-label={t('Download')}
+                      className='size-8'
+                      onClick={downloadCode}
+                      size='icon-sm'
+                      type='button'
+                      variant='ghost'
+                    >
+                      <DownloadIcon className='size-4' />
+                    </Button>
+                  }
+                />
+                <TooltipContent>
+                  <p>{t('Download')}</p>
+                </TooltipContent>
+              </Tooltip>
+            </div>
+          </div>
+        )}
+        <div className='relative min-w-0'>
          <div
-            className='[&>pre]:bg-background! [&>pre]:text-foreground! overflow-hidden [&_code]:font-mono [&_code]:text-sm [&>pre]:m-0 [&>pre]:p-4 [&>pre]:text-sm'
+            className={cn(
+              'code-block-scroll max-w-full overflow-auto transition-[max-height] duration-200 ease-out',
+              '[&_.shiki]:bg-transparent! [&_.shiki]:text-foreground! [&_code]:font-mono [&_code]:text-[13px] [&_code]:leading-6',
+              '[&>pre]:m-0 [&>pre]:min-w-max [&>pre]:p-4 [&>pre]:text-[13px] [&>pre]:leading-6'
+            )}
            // biome-ignore lint/security/noDangerouslySetInnerHtml: "this is needed."
            dangerouslySetInnerHTML={{ __html: html }}
+            style={{ maxHeight: bodyMaxHeight }}
          />
-          {children && (
-            <div className='absolute top-2 right-2 flex items-center gap-2'>
+          {isCodeCollapsed && (
+            <div className='from-muted/20 pointer-events-none absolute inset-x-0 bottom-0 h-16 bg-linear-to-b to-background' />
+          )}
+          {!showToolbar && children && (
+            <div className='absolute top-2 right-2 flex items-center gap-1'>
              {children}
            </div>
          )}
@@ -153,6 +372,7 @@ export const CodeBlockCopyButton = ({
  className,
  ...props
 }: CodeBlockCopyButtonProps) => {
+  const { t } = useTranslation()
  const [isCopied, setIsCopied] = useState(false)
  const { code } = useContext(CodeBlockContext)

@@ -174,15 +394,26 @@ export const CodeBlockCopyButton = ({

  const Icon = isCopied ? CheckIcon : CopyIcon

-  return (
+  const button = (
    <Button
-      className={cn('shrink-0', className)}
+      aria-label={isCopied ? t('Copied!') : t('Copy code')}
+      className={cn('size-8 shrink-0', className)}
      onClick={copyToClipboard}
-      size='icon'
+      size='icon-sm'
+      type='button'
      variant='ghost'
      {...props}
    >
      {children ?? <Icon size={14} />}
    </Button>
  )
+
+  return (
+    <Tooltip>
+      <TooltipTrigger render={button} />
+      <TooltipContent>
+        <p>{isCopied ? t('Copied!') : t('Copy code')}</p>
+      </TooltipContent>
+    </Tooltip>
+  )
 }
@@ -29,7 +29,7 @@ export type ConversationProps = ComponentProps<typeof StickToBottom>

 export const Conversation = ({ className, ...props }: ConversationProps) => (
  <StickToBottom
-    className={cn('relative flex-1 overflow-y-auto', className)}
+    className={cn('relative min-h-0 flex-1 overflow-hidden', className)}
    initial='smooth'
    resize='smooth'
    role='log'
@@ -188,7 +188,7 @@ export const ReasoningContent = memo(
  ({ className, children, ...props }: ReasoningContentProps) => (
    <CollapsibleContent
      className={cn(
-        'mt-4 text-sm',
+        'border-border/70 mt-3 ml-2 border-l pl-4 text-sm',
        'data-closed:fade-out-0 data-closed:slide-out-to-top-2 data-open:slide-in-from-top-2 text-muted-foreground data-closed:animate-out data-open:animate-in outline-none',
        className
      )}
@@ -18,14 +18,436 @@ For commercial licensing, please contact support@quantumnous.com
 */
 'use client'

-import { type ComponentProps, memo } from 'react'
-import { Streamdown } from 'streamdown'
+import {
+  Children,
+  type ComponentProps,
+  type JSX,
+  isValidElement,
+  memo,
+  type ReactNode,
+  useState,
+} from 'react'
+import { Streamdown, type Components } from 'streamdown'
 import { cn } from '@/lib/utils'
+import {
+  CodeBlock,
+  CodeBlockCopyButton,
+} from '@/components/ai-elements/code-block'

 type ResponseProps = ComponentProps<typeof Streamdown>

+type CodeComponentProps = ComponentProps<'code'> & {
+  node?: unknown
+  'data-block'?: boolean
+}
+
+type MarkdownElementProps<T extends keyof JSX.IntrinsicElements> =
+  ComponentProps<T> & {
+    node?: unknown
+  }
+
+function getCodeText(children: ReactNode) {
+  if (typeof children === 'string') {
+    return children.replace(/\n$/, '')
+  }
+
+  if (Array.isArray(children)) {
+    return children.join('').replace(/\n$/, '')
+  }
+
+  return String(children ?? '')
+}
+
+function getCodeLanguage(className?: string) {
+  return className?.match(/language-([\w#+.-]+)/)?.[1] ?? 'plaintext'
+}
+
+function isSummaryElement(child: ReactNode) {
+  return isValidElement(child) && child.type === 'summary'
+}
+
+function MarkdownImage({
+  alt,
+  className,
+  node: _node,
+  src,
+  ...props
+}: MarkdownElementProps<'img'>) {
+  const [hasError, setHasError] = useState(false)
+
+  if (!src || hasError) {
+    return (
+      <span className='border-border/70 text-muted-foreground my-4 inline-flex rounded-md border px-3 py-2 text-xs italic'>
+        {alt || 'Image not available'}
+      </span>
+    )
+  }
+
+  return (
+    <img
+      alt={alt}
+      className={cn(
+        'border-border/70 my-4 block h-auto max-h-96 max-w-full rounded-lg border object-contain',
+        className
+      )}
+      loading='lazy'
+      onError={() => setHasError(true)}
+      src={src}
+      {...props}
+    />
+  )
+}
+
+const responseComponents: Components = {
+  h1({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'h1'>) {
+    return (
+      <h1
+        className={cn(
+          'mt-6 mb-3 text-xl font-semibold tracking-normal',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </h1>
+    )
+  },
+  h2({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'h2'>) {
+    return (
+      <h2
+        className={cn(
+          'mt-6 mb-3 text-lg font-semibold tracking-normal',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </h2>
+    )
+  },
+  h3({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'h3'>) {
+    return (
+      <h3
+        className={cn(
+          'mt-5 mb-2 text-base font-semibold tracking-normal',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </h3>
+    )
+  },
+  h4({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'h4'>) {
+    return (
+      <h4
+        className={cn('mt-5 mb-2 text-sm font-semibold', className)}
+        {...props}
+      >
+        {children}
+      </h4>
+    )
+  },
+  h5({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'h5'>) {
+    return (
+      <h5
+        className={cn(
+          'text-muted-foreground mt-4 mb-2 text-sm font-semibold',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </h5>
+    )
+  },
+  h6({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'h6'>) {
+    return (
+      <h6
+        className={cn(
+          'text-muted-foreground mt-4 mb-2 text-xs font-semibold uppercase',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </h6>
+    )
+  },
+  ul({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'ul'>) {
+    return (
+      <ul
+        className={cn(
+          'my-3 list-outside list-disc space-y-1.5 pl-5',
+          '[&.contains-task-list]:list-none [&.contains-task-list]:pl-0',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </ul>
+    )
+  },
+  ol({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'ol'>) {
+    return (
+      <ol
+        className={cn(
+          'my-3 list-outside list-decimal space-y-1.5 pl-5',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </ol>
+    )
+  },
+  li({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'li'>) {
+    return (
+      <li
+        className={cn(
+          'marker:text-muted-foreground pl-1 leading-7',
+          '[&.task-list-item]:flex [&.task-list-item]:items-start [&.task-list-item]:gap-2 [&.task-list-item]:pl-0',
+          '[&.task-list-item>input]:accent-primary [&.task-list-item>input]:mt-1.5 [&.task-list-item>input]:size-4',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </li>
+    )
+  },
+  details({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'details'>) {
+    const childArray = Children.toArray(children)
+    const summaryChildren = childArray.filter(isSummaryElement)
+    const contentChildren = childArray.filter(
+      (child) => !isSummaryElement(child)
+    )
+
+    return (
+      <details className={cn('my-4', className)} {...props}>
+        {summaryChildren}
+        {contentChildren.length > 0 && (
+          <div className='border-border/70 ml-5 border-l pl-4'>
+            {contentChildren}
+          </div>
+        )}
+      </details>
+    )
+  },
+  summary({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'summary'>) {
+    return (
+      <summary
+        className={cn(
+          'text-foreground marker:text-muted-foreground mb-2 cursor-pointer text-sm font-semibold',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </summary>
+    )
+  },
+  blockquote({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'blockquote'>) {
+    return (
+      <blockquote
+        className={cn(
+          'border-border text-muted-foreground my-4 border-l-2 pl-4',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </blockquote>
+    )
+  },
+  hr({ className, node: _node, ...props }: MarkdownElementProps<'hr'>) {
+    return <hr className={cn('border-border/70 my-6', className)} {...props} />
+  },
+  img: MarkdownImage,
+  table({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'table'>) {
+    return (
+      <div className='border-border/70 my-4 w-full overflow-x-auto rounded-lg border'>
+        <table
+          className={cn(
+            'w-full min-w-max border-separate border-spacing-0 text-sm',
+            className
+          )}
+          {...props}
+        >
+          {children}
+        </table>
+      </div>
+    )
+  },
+  thead({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'thead'>) {
+    return (
+      <thead className={cn('bg-muted/60', className)} {...props}>
+        {children}
+      </thead>
+    )
+  },
+  tbody({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'tbody'>) {
+    return (
+      <tbody className={cn('divide-border/70 divide-y', className)} {...props}>
+        {children}
+      </tbody>
+    )
+  },
+  tr({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'tr'>) {
+    return (
+      <tr className={cn('border-border/70', className)} {...props}>
+        {children}
+      </tr>
+    )
+  },
+  th({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'th'>) {
+    return (
+      <th
+        className={cn(
+          'text-muted-foreground px-3 py-2 text-left text-xs font-semibold whitespace-nowrap',
+          className
+        )}
+        {...props}
+      >
+        {children}
+      </th>
+    )
+  },
+  td({
+    children,
+    className,
+    node: _node,
+    ...props
+  }: MarkdownElementProps<'td'>) {
+    return (
+      <td className={cn('px-3 py-2 align-top', className)} {...props}>
+        {children}
+      </td>
+    )
+  },
+  code({ children, className, ...props }: CodeComponentProps) {
+    if (!props['data-block']) {
+      return (
+        <code
+          className={cn(
+            'bg-muted/70 text-foreground rounded px-1 py-0.5 font-mono text-[0.9em]',
+            className
+          )}
+          {...props}
+        >
+          {children}
+        </code>
+      )
+    }
+
+    const code = getCodeText(children)
+    const language = getCodeLanguage(className)
+    const lineCount = code.split('\n').length
+
+    return (
+      <CodeBlock
+        collapsedLines={14}
+        code={code}
+        defaultCollapsed={lineCount > 14}
+        language={language}
+        maxExpandedLines={44}
+        showLineNumbers={true}
+        showToolbar={true}
+        title={language}
+      >
+        <CodeBlockCopyButton />
+      </CodeBlock>
+    )
+  },
+}
+
 export const Response = memo(
-  ({ className, children, ...props }: ResponseProps) => {
+  ({ className, children, components, ...props }: ResponseProps) => {
    const stripCustomTags = (input: unknown): unknown => {
      if (typeof input !== 'string') return input
      return (
@@ -45,9 +467,19 @@ export const Response = memo(
    return (
      <Streamdown
        className={cn(
-          'size-full [&>*:first-child]:mt-0 [&>*:last-child]:mb-0',
+          'size-full min-w-0 text-pretty',
+          '[&>*:first-child]:mt-0 [&>*:last-child]:mb-0',
+          '[&_p]:my-3 [&_p]:leading-7',
+          '[&_strong]:text-foreground [&_strong]:font-semibold',
+          '[&_a]:text-primary [&_a]:underline-offset-4 hover:[&_a]:underline',
+          '[&_details>summary~*]:border-border/70 [&_details]:my-4 [&_details>summary~*]:ml-5 [&_details>summary~*]:border-l [&_details>summary~*]:pl-4',
+          '[&_summary]:text-foreground [&_summary::marker]:text-muted-foreground [&_summary]:mb-2 [&_summary]:cursor-pointer [&_summary]:text-sm [&_summary]:font-semibold',
+          '[&_[data-streamdown=table-wrapper]]:border-0 [&_[data-streamdown=table-wrapper]]:bg-transparent [&_[data-streamdown=table-wrapper]]:p-0 [&_[data-streamdown=table-wrapper]]:shadow-none',
+          '[&_[data-streamdown=table-wrapper]>div:first-child]:hidden',
+          '[&_[data-streamdown=table-wrapper]>div:last-child]:border-border/70 [&_[data-streamdown=table-wrapper]>div:last-child]:rounded-lg',
          className
        )}
+        components={{ ...responseComponents, ...components }}
        {...props}
      >
        {safeChildren}
@@ -73,7 +73,7 @@ export const SourcesContent = ({
 }: SourcesContentProps) => (
  <CollapsibleContent
    className={cn(
-      'mt-3 flex w-fit flex-col gap-2',
+      'border-border/70 mt-3 ml-2 flex w-fit flex-col gap-2 border-l pl-4',
      'data-closed:fade-out-0 data-closed:slide-out-to-top-2 data-open:slide-in-from-top-2 data-closed:animate-out data-open:animate-in outline-none',
      className
    )}
@@ -33,7 +33,7 @@ import {
  CommandList,
  CommandSeparator,
 } from '@/components/ui/command'
-import { getNavGroupsForPath } from './layout/lib/workspace-registry'
+import { getNavGroupsForPath } from './layout/lib/sidebar-view-registry'
 import { ScrollArea } from './ui/scroll-area'

 export function CommandMenu() {
@@ -44,8 +44,9 @@ export function CommandMenu() {
  const { pathname } = useLocation()
  const sidebarData = useSidebarData()

-  // 根据当前路径从工作区注册表获取对应的侧边栏配置
-  const navGroups = getNavGroupsForPath(pathname, t) || sidebarData.navGroups
+  // Use the active nested sidebar view's nav groups when one matches
+  // the current URL; otherwise fall back to the root navigation.
+  const navGroups = getNavGroupsForPath(pathname, t) ?? sidebarData.navGroups

  const runCommand = React.useCallback(
    (command: () => unknown) => {
@@ -34,6 +34,7 @@ import { IconThemeSystem } from '@/assets/custom/icon-theme-system'
 import {
  type ContentLayout,
  THEME_PRESETS,
+  type ThemeFont,
  type ThemePreset,
  type ThemeRadius,
  type ThemeScale,
@@ -53,6 +54,12 @@ import {
  SheetTitle,
  SheetTrigger,
 } from '@/components/ui/sheet'
+import {
+  sideDrawerContentClassName,
+  sideDrawerFooterClassName,
+  sideDrawerFormClassName,
+  sideDrawerHeaderClassName,
+} from '@/components/drawer-layout'
 import { useSidebar } from './ui/sidebar'

 const Item = RadioPrimitive.Root
@@ -88,16 +95,17 @@ export function ConfigDrawer() {
      >
        <Palette className='size-[1.2rem]' aria-hidden='true' />
      </SheetTrigger>
-      <SheetContent className='flex w-full flex-col sm:max-w-md'>
-        <SheetHeader className='pb-0 text-start'>
+      <SheetContent className={sideDrawerContentClassName('sm:max-w-md')}>
+        <SheetHeader className={sideDrawerHeaderClassName()}>
          <SheetTitle>{t('Theme Settings')}</SheetTitle>
          <SheetDescription id='config-drawer-description'>
            {t('Adjust the appearance and layout to suit your preferences.')}
          </SheetDescription>
        </SheetHeader>
-        <div className='space-y-6 overflow-y-auto px-4'>
+        <div className={sideDrawerFormClassName()}>
          <ThemeConfig />
          <PresetConfig />
+          <FontConfig />
          <RadiusConfig />
          <ScaleConfig />
          <SidebarConfig />
@@ -105,7 +113,7 @@ export function ConfigDrawer() {
          <ContentLayoutConfig />
          <DirConfig />
        </div>
-        <SheetFooter className='gap-2'>
+        <SheetFooter className={sideDrawerFooterClassName('grid-cols-1')}>
          <Button
            variant='destructive'
            onClick={handleReset}
@@ -296,13 +304,97 @@ function PresetConfig() {
  )
 }

+/**
+ * Font options shown in the theme drawer.
+ *
+ * Each option renders a live "Aa" preview in the font it represents.
+ * `Auto` deliberately leaves `fontFamily` undefined so the preview inherits
+ * the currently active body font — that way the user sees what `Auto` will
+ * actually look like for the active preset (Anthropic → serif glyphs,
+ * everything else → sans glyphs) without us having to duplicate the
+ * preset-default mapping in the UI.
+ */
+const FONT_OPTIONS: {
+  value: ThemeFont
+  label: string
+  // CSS font-family applied to the "Aa" preview. `undefined` = inherit
+  // from the current theme (used by the `default` option).
+  preview?: string
+}[] = [
+  { value: 'default', label: 'Auto', preview: undefined },
+  { value: 'sans', label: 'Sans', preview: 'var(--font-sans)' },
+  { value: 'serif', label: 'Serif', preview: 'var(--font-serif)' },
+]
+
+function FontConfig() {
+  const { t } = useTranslation()
+  const { defaults, customization, setFont } = useThemeCustomization()
+  return (
+    <div>
+      <SectionTitle
+        title={t('Font')}
+        showReset={customization.font !== defaults.font}
+        onReset={() => setFont(defaults.font)}
+      />
+      <Radio
+        value={customization.font}
+        onValueChange={(v) => setFont(v as ThemeFont)}
+        className='grid w-full grid-cols-3 gap-4'
+        aria-label={t('Select body font')}
+      >
+        {FONT_OPTIONS.map((option) => (
+          <Item
+            key={option.value}
+            value={option.value}
+            className='group flex flex-col items-stretch outline-none'
+            aria-label={
+              option.value === 'default' ? t('System default') : option.label
+            }
+          >
+            <div
+              className={cn(
+                'ring-border relative h-12 rounded-md ring-[1px] transition',
+                'group-data-checked:ring-primary group-data-checked:shadow-md',
+                'group-focus-visible:ring-2',
+                'group-hover:ring-primary/60'
+              )}
+            >
+              <CircleCheck
+                className={cn(
+                  'fill-primary absolute top-0 right-0 z-10 size-5 translate-x-1/2 -translate-y-1/2 stroke-white',
+                  'group-data-unchecked:hidden'
+                )}
+                aria-hidden='true'
+              />
+              <span
+                aria-hidden='true'
+                className='text-foreground absolute inset-0 flex items-center justify-center text-lg leading-none font-medium'
+                style={
+                  option.preview
+                    ? { fontFamily: option.preview }
+                    : // `font: inherit` defers to the active theme so the
+                      // "Auto" tile previews what the resolved font will be.
+                      { font: 'inherit', fontSize: '1.125rem' }
+                }
+              >
+                Aa
+              </span>
+            </div>
+            <div className='mt-1.5 text-center text-xs'>{option.label}</div>
+          </Item>
+        ))}
+      </Radio>
+    </div>
+  )
+}
+
 const RADIUS_OPTIONS: {
  value: ThemeRadius
  label: string
  // CSS border-radius value used to render the visual preview corner.
  preview: string
 }[] = [
-  { value: 'default', label: 'Auto', preview: '999px' },
+  { value: 'default', label: 'Auto', preview: '1rem' },
  { value: 'none', label: '0', preview: '0' },
  { value: 'sm', label: '0.3', preview: '0.3rem' },
  { value: 'md', label: '0.5', preview: '0.5rem' },
@@ -398,6 +490,7 @@ function ScaleConfig() {
    { value: 'sm', label: t('Compact'), rows: 4, rowGap: '3px' },
    { value: 'default', label: t('Default'), rows: 3, rowGap: '6px' },
    { value: 'lg', label: t('Comfortable'), rows: 2, rowGap: '10px' },
+    { value: 'xl', label: t('Super Large'), rows: 1, rowGap: '14px' },
  ]
  return (
    <div>
@@ -409,7 +502,7 @@ function ScaleConfig() {
      <Radio
        value={customization.scale}
        onValueChange={(v) => setScale(v as ThemeScale)}
-        className='grid w-full grid-cols-3 gap-4'
+        className='grid w-full grid-cols-4 gap-3'
        aria-label={t('Select interface density')}
      >
        {scaleOptions.map((option) => (
@@ -107,10 +107,7 @@ export function DataTableFacetedFilter<TData, TValue>({
          </>
        )}
      </PopoverTrigger>
-      <PopoverContent
-        className='min-w-[200px] max-w-[360px] p-0'
-        align='start'
-      >
+      <PopoverContent className='max-w-[360px] min-w-[200px] p-0' align='start'>
        <Command>
          <CommandInput placeholder={title} />
          <CommandList>
@@ -0,0 +1,105 @@
+/*
+Copyright (C) 2023-2026 QuantumNous
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+For commercial licensing, please contact support@quantumnous.com
+*/
+import { createElement, type ReactNode } from 'react'
+import { cn } from '@/lib/utils'
+
+export const sideDrawerContentClassName = (className?: string) =>
+  cn(
+    'bg-background text-foreground flex h-dvh w-full flex-col gap-0 overflow-hidden p-0 shadow-none',
+    className
+  )
+
+export const sideDrawerHeaderClassName = (className?: string) =>
+  cn(
+    'border-border/70 bg-background/95 border-b px-4 py-3 text-start backdrop-blur supports-[backdrop-filter]:bg-background/80 sm:px-6 sm:py-4',
+    className
+  )
+
+export const sideDrawerFormClassName = (className?: string) =>
+  cn(
+    'flex min-h-0 flex-1 flex-col gap-6 overflow-y-auto overscroll-contain px-4 py-4 sm:px-6 sm:py-5',
+    className
+  )
+
+export const sideDrawerFooterClassName = (className?: string) =>
+  cn(
+    'border-border/70 bg-background/95 grid grid-cols-2 gap-2 border-t px-4 py-3 backdrop-blur supports-[backdrop-filter]:bg-background/80 sm:flex sm:flex-row sm:justify-end sm:px-6 sm:py-4',
+    className
+  )
+
+export const sideDrawerSectionClassName = (className?: string) =>
+  cn(
+    'border-border/60 flex flex-col gap-4 border-b pb-6 last:border-b-0 last:pb-0',
+    className
+  )
+
+export const sideDrawerSwitchItemClassName = (className?: string) =>
+  cn(
+    'border-border/60 flex min-h-16 flex-row items-center justify-between gap-3 border-y py-3',
+    className
+  )
+
+export function SideDrawerSection(props: {
+  children: ReactNode
+  className?: string
+}) {
+  return createElement(
+    'section',
+    { className: sideDrawerSectionClassName(props.className) },
+    props.children
+  )
+}
+
+export function SideDrawerSectionHeader(props: {
+  title: ReactNode
+  description?: ReactNode
+  icon?: ReactNode
+  className?: string
+}) {
+  return createElement(
+    'div',
+    { className: cn('flex items-start gap-3', props.className) },
+    props.icon
+      ? createElement(
+          'span',
+          {
+            className:
+              'bg-muted text-muted-foreground flex size-8 shrink-0 items-center justify-center rounded-md',
+          },
+          props.icon
+        )
+      : null,
+    createElement(
+      'div',
+      { className: 'min-w-0 flex-1' },
+      createElement(
+        'h3',
+        { className: 'text-sm leading-none font-semibold tracking-tight' },
+        props.title
+      ),
+      props.description
+        ? createElement(
+            'p',
+            { className: 'text-muted-foreground mt-1 text-xs leading-5' },
+            props.description
+          )
+        : null
+    )
+  )
+}
@@ -31,12 +31,12 @@ type GroupBadgeProps = Omit<

 function getGroupRatioClassName(ratio: number): string {
  if (ratio > 1) {
-    return 'border-warning/25 bg-warning/10 text-warning'
+    return 'bg-warning/10 text-warning'
  }
  if (ratio < 1) {
-    return 'border-info/25 bg-info/10 text-info'
+    return 'bg-info/10 text-info'
  }
-  return 'border-border bg-muted text-muted-foreground'
+  return 'bg-muted text-muted-foreground'
 }

 function getGroupLabel(params: {
@@ -94,11 +94,10 @@ export function GroupBadge(props: GroupBadgeProps) {
      {badge}
      <span
        className={cn(
-          'inline-flex items-center gap-1 rounded-md border px-1.5 py-0.5 font-mono text-[11px] leading-none tabular-nums',
+          'inline-flex h-5 items-center rounded-full px-1.5 font-mono text-xs leading-none font-medium tabular-nums',
          getGroupRatioClassName(ratio)
        )}
      >
-        <span className='size-1 rounded-full bg-current opacity-60' />
        <span>{ratio}x</span>
      </span>
    </span>
@@ -20,8 +20,7 @@ import { useNotifications } from '@/hooks/use-notifications'
 import { useTopNavLinks } from '@/hooks/use-top-nav-links'
 import { ConfigDrawer } from '@/components/config-drawer'
 import { LanguageSwitcher } from '@/components/language-switcher'
-import { NotificationButton } from '@/components/notification-button'
-import { NotificationDialog } from '@/components/notification-dialog'
+import { NotificationPopover } from '@/components/notification-popover'
 import { ProfileDropdown } from '@/components/profile-dropdown'
 import { Search } from '@/components/search'
 import { defaultTopNavLinks } from '../config/top-nav.config'
@@ -128,9 +127,15 @@ export function AppHeader({
            )}
            {showSearch && <Search />}
            {showNotifications && (
-              <NotificationButton
+              <NotificationPopover
+                open={notifications.popoverOpen}
+                onOpenChange={notifications.setPopoverOpen}
                unreadCount={notifications.unreadCount}
-                onClick={() => notifications.openDialog()}
+                activeTab={notifications.activeTab}
+                onTabChange={notifications.setActiveTab}
+                notice={notifications.notice}
+                announcements={notifications.announcements}
+                loading={notifications.loading}
              />
            )}
            <LanguageSwitcher />
@@ -139,20 +144,6 @@ export function AppHeader({
          </div>
        )}
      </Header>
-
-      {/* Notification Dialog */}
-      {showNotifications && (
-        <NotificationDialog
-          open={notifications.dialogOpen}
-          onOpenChange={notifications.setDialogOpen}
-          activeTab={notifications.activeTab}
-          onTabChange={notifications.setActiveTab}
-          notice={notifications.notice}
-          announcements={notifications.announcements}
-          loading={notifications.loading}
-          onCloseToday={notifications.closeToday}
-        />
-      )}
    </>
  )
 }
@@ -16,59 +16,59 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.

 For commercial licensing, please contact support@quantumnous.com
 */
-import { useMemo } from 'react'
-import { useLocation } from '@tanstack/react-router'
-import { useTranslation } from 'react-i18next'
-import { useAuthStore } from '@/stores/auth-store'
-import { ROLE } from '@/lib/roles'
+import { AnimatePresence, motion, useReducedMotion } from 'motion/react'
+import { MOTION_TRANSITION, MOTION_VARIANTS } from '@/lib/motion'
 import { useLayout } from '@/context/layout-provider'
-import { useSidebarConfig } from '@/hooks/use-sidebar-config'
-import { useSidebarData } from '@/hooks/use-sidebar-data'
+import { useSidebarView } from '@/hooks/use-sidebar-view'
 import { Sidebar, SidebarContent, SidebarRail } from '@/components/ui/sidebar'
-import { getNavGroupsForPath } from '../lib/workspace-registry'
 import { NavGroup } from './nav-group'
+import { SidebarViewHeader } from './sidebar-view-header'

 /**
- * Application sidebar component
- * Fetches corresponding navigation menu from workspace registry based on current path
- * Dynamically filters navigation items based on backend SidebarModulesAdmin configuration
+ * Application sidebar.
 *
- * Automatically matches workspace configuration for current path through workspace registry system
- * Adding new workspaces only requires registration in workspace-registry.ts
+ * Adopts the Vercel / Cloudflare "drill-in" pattern: the URL drives
+ * which sidebar *view* is rendered. Clicking a top-level entry like
+ * `System Settings` swaps the sidebar to a contextual workspace —
+ * with a `← Back to Dashboard` affordance — instead of stacking the
+ * sub-navigation inside the root tree.
+ *
+ * Architecture:
+ *   - View resolution + filtering: {@link useSidebarView}
+ *   - View registry: `layout/lib/sidebar-view-registry.ts`
+ *   - Per-view header: {@link SidebarViewHeader}
+ *
+ * Adding a new nested view only requires registering a {@link SidebarView}
+ * in the registry; this component requires no changes.
 */
 export function AppSidebar() {
-  const { t } = useTranslation()
  const { collapsible, variant } = useLayout()
-  const { pathname } = useLocation()
-  const userRole = useAuthStore((state) => state.auth.user?.role)
-  const sidebarData = useSidebarData()
-
-  // Get navigation group configuration corresponding to current path from workspace registry
-  const allNavGroups = getNavGroupsForPath(pathname, t) || sidebarData.navGroups
-
-  // Filter sidebar navigation items based on backend configuration
-  const configFilteredNavGroups = useSidebarConfig(allNavGroups)
-
-  // Filter navigation groups based on user role
-  // Non-Admin users cannot see Admin navigation group
-  const currentNavGroups = useMemo(() => {
-    const isAdmin = userRole && userRole >= ROLE.ADMIN
-    return configFilteredNavGroups.filter((group) => {
-      if (group.id === 'admin') {
-        return isAdmin
-      }
-      return true
-    })
-  }, [configFilteredNavGroups, userRole])
+  const { key, view, navGroups } = useSidebarView()
+  const shouldReduce = useReducedMotion()

  return (
    <Sidebar collapsible={collapsible} variant={variant}>
+      {view && <SidebarViewHeader view={view} />}
+
      <SidebarContent className='py-2'>
-        {currentNavGroups.map((props) => {
-          const key = props.id || props.title
-          return <NavGroup key={key} {...props} />
-        })}
+        <AnimatePresence mode='wait' initial={false}>
+          <motion.div
+            key={key}
+            initial={
+              shouldReduce ? false : MOTION_VARIANTS.sidebarSlide.initial
+            }
+            animate={MOTION_VARIANTS.sidebarSlide.animate}
+            exit={shouldReduce ? undefined : MOTION_VARIANTS.sidebarSlide.exit}
+            transition={MOTION_TRANSITION.fast}
+            className='flex flex-col'
+          >
+            {navGroups.map((props) => (
+              <NavGroup key={props.id || props.title} {...props} />
+            ))}
+          </motion.div>
+        </AnimatePresence>
      </SidebarContent>
+
      <SidebarRail />
    </Sidebar>
  )
@@ -23,7 +23,6 @@ import { SearchProvider } from '@/context/search-provider'
 import { SidebarInset, SidebarProvider } from '@/components/ui/sidebar'
 import { AnimatedOutlet } from '@/components/page-transition'
 import { SkipToMain } from '@/components/skip-to-main'
-import { WorkspaceProvider } from '../context/workspace-context'
 import { AppHeader } from './app-header'
 import { AppSidebar } from './app-sidebar'

@@ -37,24 +36,23 @@ export function AuthenticatedLayout(props: AuthenticatedLayoutProps) {
  return (
    <LayoutProvider>
      <SearchProvider>
-        <WorkspaceProvider>
-          <SidebarProvider defaultOpen={defaultOpen} className='flex-col'>
-            <SkipToMain />
-            <AppHeader />
-            <div className='flex min-h-0 w-full flex-1'>
-              <AppSidebar />
-              <SidebarInset
-                className={cn(
-                  '@container/content',
-                  'h-[calc(100svh-var(--app-header-height,0px))]',
-                  'peer-data-[variant=inset]:h-[calc(100svh-var(--app-header-height,0px)-(var(--spacing)*4))]'
-                )}
-              >
-                {props.children ?? <AnimatedOutlet />}
-              </SidebarInset>
-            </div>
-          </SidebarProvider>
-        </WorkspaceProvider>
+        <SidebarProvider defaultOpen={defaultOpen} className='flex-col'>
+          <SkipToMain />
+          <AppHeader />
+          <div className='flex min-h-0 w-full flex-1'>
+            <AppSidebar />
+            <SidebarInset
+              className={cn(
+                '@container/content',
+                'h-[calc(100svh-var(--app-header-height,0px))]',
+                'min-h-0 overflow-hidden',
+                'peer-data-[variant=inset]:h-[calc(100svh-var(--app-header-height,0px)-(var(--spacing)*4))]'
+              )}
+            >
+              {props.children ?? <AnimatedOutlet />}
+            </SidebarInset>
+          </div>
+        </SidebarProvider>
      </SearchProvider>
    </LayoutProvider>
  )
@@ -231,9 +231,9 @@ export function ChatPresetsItem({ item }: { item: NavChatPresets }) {
          <DropdownMenuTrigger
            render={<SidebarMenuButton tooltip={item.title} />}
          >
-            {item.icon && <item.icon className='h-4 w-4' />}
-            <span>{item.title}</span>
-            <ChevronRight className='ms-auto h-4 w-4 opacity-70' />
+            {item.icon && <item.icon className='h-4 w-4 shrink-0' />}
+            <span className='min-w-0 flex-1 truncate'>{item.title}</span>
+            <ChevronRight className='ms-auto h-4 w-4 shrink-0 opacity-70' />
          </DropdownMenuTrigger>
          <DropdownMenuContent align='start'>
            {visiblePresets.map((preset) => (
@@ -261,9 +261,9 @@ export function ChatPresetsItem({ item }: { item: NavChatPresets }) {
        className='group/collapsible-trigger'
        render={<SidebarMenuButton />}
      >
-        {item.icon && <item.icon />}
-        <span>{item.title}</span>
-        <ChevronRight className='ms-auto transition-transform duration-200 group-data-[panel-open]/collapsible-trigger:rotate-90' />
+        {item.icon && <item.icon className='shrink-0' />}
+        <span className='min-w-0 flex-1 truncate'>{item.title}</span>
+        <ChevronRight className='ms-auto size-4 shrink-0 transition-transform duration-200 group-data-[panel-open]/collapsible-trigger:rotate-90' />
      </CollapsibleTrigger>
      <CollapsibleContent className='CollapsibleContent'>
        <SidebarMenuSub>
@@ -16,10 +16,11 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.

 For commercial licensing, please contact support@quantumnous.com
 */
-import { useMemo } from 'react'
+import { Fragment, useMemo } from 'react'
 import { Link } from '@tanstack/react-router'
 import { useTranslation } from 'react-i18next'
 import { cn } from '@/lib/utils'
+import { useStatus } from '@/hooks/use-status'
 import { useSystemConfig } from '@/hooks/use-system-config'

 interface FooterLink {
@@ -74,23 +75,75 @@ function FooterLinkItem(props: { link: FooterLink }) {
  )
 }

-function ProjectAttribution(props: { currentYear: number }) {
+// Renders User Agreement / Privacy Policy links inline with the parent's
+// copyright row when either is configured in System Settings → Site. Emits
+// fragmented siblings so the parent flex container's gap controls spacing.
+function LegalLinks(props: { leadingSeparator?: boolean }) {
  const { t } = useTranslation()
+  const { status } = useStatus()
+  const items: { key: string; label: string; href: string }[] = []
+  if (status?.user_agreement_enabled) {
+    items.push({
+      key: 'user-agreement',
+      label: t('User Agreement'),
+      href: '/user-agreement',
+    })
+  }
+  if (status?.privacy_policy_enabled) {
+    items.push({
+      key: 'privacy-policy',
+      label: t('Privacy Policy'),
+      href: '/privacy-policy',
+    })
+  }
+  if (items.length === 0) {
+    return null
+  }
+  return (
+    <>
+      {items.map((item, index) => (
+        <Fragment key={item.key}>
+          {(props.leadingSeparator || index > 0) && (
+            <span aria-hidden='true' className='text-muted-foreground/30'>
+              ·
+            </span>
+          )}
+          <Link
+            to={item.href}
+            className='hover:text-foreground transition-colors duration-200'
+          >
+            {item.label}
+          </Link>
+        </Fragment>
+      ))}
+    </>
+  )
+}

+// inline=true returns just the inner span for composition in a parent flex
+// row. inline=false wraps in a centered/right-aligned div (default).
+function ProjectAttribution(props: { currentYear: number; inline?: boolean }) {
+  const { t } = useTranslation()
+  const content = (
+    <span className='text-muted-foreground/45'>
+      &copy; {props.currentYear}{' '}
+      <a
+        href='https://github.com/QuantumNous/new-api'
+        target='_blank'
+        rel='noopener noreferrer'
+        className='text-foreground/70 hover:text-foreground font-medium transition-colors'
+      >
+        {t('New API')}
+      </a>
+      . {t(NEW_API_FOOTER_ATTRIBUTION_KEY)}
+    </span>
+  )
+  if (props.inline) {
+    return content
+  }
  return (
    <div className='text-muted-foreground/45 text-center text-xs sm:text-right'>
-      <span className='text-muted-foreground/45'>
-        &copy; {props.currentYear}{' '}
-        <a
-          href='https://github.com/QuantumNous/new-api'
-          target='_blank'
-          rel='noopener noreferrer'
-          className='text-foreground/70 hover:text-foreground font-medium transition-colors'
-        >
-          {t('New API')}
-        </a>
-        . {t(NEW_API_FOOTER_ATTRIBUTION_KEY)}
-      </span>
+      {content}
    </div>
  )
 }
@@ -182,8 +235,9 @@ export function Footer(props: FooterProps) {
              className='custom-footer text-muted-foreground min-w-0 text-center text-sm sm:text-left'
              dangerouslySetInnerHTML={{ __html: footerHtml }}
            />
-            <div className='border-border/60 w-full border-t pt-4 sm:w-auto sm:border-t-0 sm:border-l sm:pt-0 sm:pl-5'>
-              <ProjectAttribution currentYear={currentYear} />
+            <div className='border-border/60 text-muted-foreground/45 flex w-full flex-wrap items-center justify-center gap-x-3 gap-y-1 border-t pt-4 text-xs sm:w-auto sm:justify-end sm:border-t-0 sm:border-l sm:pt-0 sm:pl-5'>
+              <LegalLinks />
+              <ProjectAttribution currentYear={currentYear} inline />
            </div>
          </div>
        </div>
@@ -235,12 +289,16 @@ export function Footer(props: FooterProps) {
          )}
        </div>

-        {/* Bottom section */}
-        <div className='border-border/30 mt-12 flex flex-col items-center justify-between gap-3 border-t pt-6 sm:flex-row'>
-          <p className='text-muted-foreground/40 text-xs'>
-            &copy; {currentYear} {displayName}.{' '}
-            {props.copyright ?? t('footer.defaultCopyright')}
-          </p>
+        {/* Copyright + optional legal links inline on the left, project
+            attribution on the right; wraps on narrow screens. */}
+        <div className='border-border/30 mt-12 flex flex-col items-center justify-between gap-x-3 gap-y-2 border-t pt-6 sm:flex-row'>
+          <div className='text-muted-foreground/40 flex flex-wrap items-center justify-center gap-x-2 gap-y-1 text-xs sm:justify-start'>
+            <span>
+              &copy; {currentYear} {displayName}.{' '}
+              {props.copyright ?? t('footer.defaultCopyright')}
+            </span>
+            <LegalLinks leadingSeparator />
+          </div>
          <ProjectAttribution currentYear={currentYear} />
        </div>
      </div>
@@ -112,7 +112,7 @@ export function NavGroup({ title, items }: NavGroupProps) {
 * Navigation badge component
 */
 function NavBadge({ children }: { children: ReactNode }) {
-  return <Badge className='px-1 py-0 text-xs'>{children}</Badge>
+  return <Badge className='shrink-0 px-1 py-0 text-xs'>{children}</Badge>
 }

 /**
@@ -127,8 +127,8 @@ function SidebarMenuLink({ item, href }: { item: NavLink; href: string }) {
        tooltip={item.title}
        render={<Link to={item.url} onClick={() => setOpenMobile(false)} />}
      >
-        {item.icon && <item.icon />}
-        <span>{item.title}</span>
+        {item.icon && <item.icon className='shrink-0' />}
+        <span className='min-w-0 flex-1 truncate'>{item.title}</span>
        {item.badge && <NavBadge>{item.badge}</NavBadge>}
      </SidebarMenuButton>
    </SidebarMenuItem>
@@ -170,10 +170,10 @@ function SidebarMenuCollapsible({
        className='group/collapsible-trigger'
        render={<SidebarMenuButton tooltip={item.title} />}
      >
-        {item.icon && <item.icon />}
-        <span>{item.title}</span>
+        {item.icon && <item.icon className='shrink-0' />}
+        <span className='min-w-0 flex-1 truncate'>{item.title}</span>
        {item.badge && <NavBadge>{item.badge}</NavBadge>}
-        <ChevronRight className='ms-auto transition-transform duration-200 group-data-[panel-open]/collapsible-trigger:rotate-90' />
+        <ChevronRight className='ms-auto size-4 shrink-0 transition-transform duration-200 group-data-[panel-open]/collapsible-trigger:rotate-90' />
      </CollapsibleTrigger>
      <CollapsibleContent className='CollapsibleContent'>
        <SidebarMenuSub>
@@ -185,8 +185,8 @@ function SidebarMenuCollapsible({
                  <Link to={subItem.url} onClick={() => setOpenMobile(false)} />
                }
              >
-                {subItem.icon && <subItem.icon />}
-                <span>{subItem.title}</span>
+                {subItem.icon && <subItem.icon className='shrink-0' />}
+                <span className='min-w-0 flex-1 truncate'>{subItem.title}</span>
                {subItem.badge && <NavBadge>{subItem.badge}</NavBadge>}
              </SidebarMenuSubButton>
            </SidebarMenuSubItem>
@@ -219,10 +219,10 @@ function SidebarMenuCollapsedDropdown({
            />
          }
        >
-          {item.icon && <item.icon />}
-          <span>{item.title}</span>
+          {item.icon && <item.icon className='shrink-0' />}
+          <span className='min-w-0 flex-1 truncate'>{item.title}</span>
          {item.badge && <NavBadge>{item.badge}</NavBadge>}
-          <ChevronRight className='ms-auto transition-transform duration-200 group-data-[popup-open]/dropdown-trigger:rotate-90' />
+          <ChevronRight className='ms-auto size-4 shrink-0 transition-transform duration-200 group-data-[popup-open]/dropdown-trigger:rotate-90' />
        </DropdownMenuTrigger>
        <DropdownMenuContent side='right' align='start' sideOffset={4}>
          <DropdownMenuGroup>
@@ -35,8 +35,7 @@ import {
 } from '@/components/ui/dialog'
 import { Skeleton } from '@/components/ui/skeleton'
 import { LanguageSwitcher } from '@/components/language-switcher'
-import { NotificationButton } from '@/components/notification-button'
-import { NotificationDialog } from '@/components/notification-dialog'
+import { NotificationPopover } from '@/components/notification-popover'
 import { ProfileDropdown } from '@/components/profile-dropdown'
 import { ThemeSwitch } from '@/components/theme-switch'
 import { defaultTopNavLinks } from '../config/top-nav.config'
@@ -271,9 +270,15 @@ export function PublicHeader(props: PublicHeaderProps) {
              {showLanguageSwitcher && <LanguageSwitcher />}
              {showThemeSwitch && <ThemeSwitch />}
              {showNotifications && (
-                <NotificationButton
+                <NotificationPopover
+                  open={notifications.popoverOpen}
+                  onOpenChange={notifications.setPopoverOpen}
                  unreadCount={notifications.unreadCount}
-                  onClick={() => notifications.openDialog()}
+                  activeTab={notifications.activeTab}
+                  onTabChange={notifications.setActiveTab}
+                  notice={notifications.notice}
+                  announcements={notifications.announcements}
+                  loading={notifications.loading}
                />
              )}

@@ -445,20 +450,6 @@ export function PublicHeader(props: PublicHeaderProps) {
          </DialogFooter>
        </DialogContent>
      </Dialog>
-
-      {/* Notification Dialog */}
-      {showNotifications && (
-        <NotificationDialog
-          open={notifications.dialogOpen}
-          onOpenChange={notifications.setDialogOpen}
-          activeTab={notifications.activeTab}
-          onTabChange={notifications.setActiveTab}
-          notice={notifications.notice}
-          announcements={notifications.announcements}
-          loading={notifications.loading}
-          onCloseToday={notifications.closeToday}
-        />
-      )}
    </>
  )
 }
@@ -33,11 +33,6 @@ function SectionPageLayoutTitle(_props: SlotProps) {
 }
 SectionPageLayoutTitle.displayName = 'SectionPageLayout.Title'

-function SectionPageLayoutDescription(_props: SlotProps) {
-  return null
-}
-SectionPageLayoutDescription.displayName = 'SectionPageLayout.Description'
-
 function SectionPageLayoutActions(_props: SlotProps) {
  return null
 }
@@ -87,13 +82,13 @@ export function SectionPageLayout(props: SectionPageLayoutProps) {
            <div className='mb-2 sm:mb-3'>{breadcrumb}</div>
          )}
          <div className='flex flex-wrap items-center justify-between gap-x-3 gap-y-2 sm:gap-x-4'>
-            <div className='min-w-0'>
+            <div className='min-w-0 flex-1'>
              <h2 className='truncate text-base font-bold tracking-tight sm:text-lg'>
                {title}
              </h2>
            </div>
            {actions != null && (
-              <div className='flex shrink-0 flex-wrap items-center gap-2 sm:gap-x-4'>
+              <div className='flex shrink-0 flex-wrap items-center justify-end gap-2 sm:gap-x-4'>
                {actions}
              </div>
            )}
@@ -114,7 +109,6 @@ export function SectionPageLayout(props: SectionPageLayoutProps) {
 }

 SectionPageLayout.Title = SectionPageLayoutTitle
-SectionPageLayout.Description = SectionPageLayoutDescription
 SectionPageLayout.Actions = SectionPageLayoutActions
 SectionPageLayout.Content = SectionPageLayoutContent
 SectionPageLayout.Breadcrumb = SectionPageLayoutBreadcrumb
@@ -0,0 +1,70 @@
+/*
+Copyright (C) 2023-2026 QuantumNous
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+For commercial licensing, please contact support@quantumnous.com
+*/
+import { Link } from '@tanstack/react-router'
+import { ChevronLeft } from 'lucide-react'
+import { useTranslation } from 'react-i18next'
+import { cn } from '@/lib/utils'
+import {
+  SidebarHeader,
+  SidebarMenu,
+  SidebarMenuButton,
+  SidebarMenuItem,
+  useSidebar,
+} from '@/components/ui/sidebar'
+import type { SidebarView } from '../types'
+
+type SidebarViewHeaderProps = {
+  view: SidebarView
+}
+
+/**
+ * Header for a nested sidebar view (Vercel / Cloudflare drill-in pattern).
+ *
+ * Renders only the back affordance — workspace context is conveyed by
+ * the nav groups below, not a redundant title row.
+ */
+export function SidebarViewHeader(props: SidebarViewHeaderProps) {
+  const { t } = useTranslation()
+  const { setOpenMobile } = useSidebar()
+
+  return (
+    <SidebarHeader className='border-sidebar-border border-b px-2 py-2'>
+      <SidebarMenu>
+        <SidebarMenuItem>
+          <SidebarMenuButton
+            tooltip={t(props.view.parent.label)}
+            className={cn(
+              'text-muted-foreground hover:text-foreground',
+              'gap-1.5 font-medium'
+            )}
+            render={
+              <Link
+                to={props.view.parent.to}
+                onClick={() => setOpenMobile(false)}
+              />
+            }
+          >
+            <ChevronLeft className='size-4 shrink-0' />
+            <span className='truncate'>{t(props.view.parent.label)}</span>
+          </SidebarMenuButton>
+        </SidebarMenuItem>
+      </SidebarMenu>
+    </SidebarHeader>
+  )
+}
@@ -33,15 +33,16 @@ import { getModelsSectionNavItems } from '@/features/system-settings/models/sect
 import { getOperationsSectionNavItems } from '@/features/system-settings/operations/section-registry.tsx'
 import { getSecuritySectionNavItems } from '@/features/system-settings/security/section-registry.tsx'
 import { getSiteSectionNavItems } from '@/features/system-settings/site/section-registry.tsx'
-import { type NavGroup } from '../types'
+import type { NavGroup, SidebarView } from '../types'

 /**
- * System settings sidebar configuration
- * Displayed when switching to "System Settings" workspace
+ * Sidebar nav groups for the System Settings nested view.
+ *
+ * Kept as a single group because the workspace title in the sidebar
+ * header already provides top-level context — the inner group label
+ * scopes the items as "administration" actions.
 */
-export const WORKSPACE_SYSTEM_SETTINGS_ID = 'system-settings'
-
-export function getSystemSettingsNavGroups(t: TFunction): NavGroup[] {
+function getSystemSettingsNavGroups(t: TFunction): NavGroup[] {
  return [
    {
      id: 'system-administration',
@@ -86,3 +87,20 @@ export function getSystemSettingsNavGroups(t: TFunction): NavGroup[] {
    },
  ]
 }
+
+/**
+ * Nested sidebar view for `/system-settings/*`.
+ *
+ * Activates the Vercel / Cloudflare-style drill-in sidebar:
+ * the root navigation is replaced by the system administration
+ * groups, with a "Back to Dashboard" affordance in the header.
+ */
+export const SYSTEM_SETTINGS_VIEW: SidebarView = {
+  id: 'system-settings',
+  pathPattern: /^\/system-settings(\/|$)/,
+  parent: {
+    to: '/dashboard/overview',
+    label: 'Back to Dashboard',
+  },
+  getNavGroups: getSystemSettingsNavGroups,
+}
@@ -1,62 +0,0 @@
-/*
-Copyright (C) 2023-2026 QuantumNous
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-For commercial licensing, please contact support@quantumnous.com
-*/
-/* eslint-disable react-refresh/only-export-components */
-import * as React from 'react'
-import { type Workspace } from '../types'
-
-type WorkspaceContextType = {
-  activeWorkspace: Workspace | null
-  setActiveWorkspace: (workspace: Workspace) => void
-}
-
-const WorkspaceContext = React.createContext<WorkspaceContextType | undefined>(
-  undefined
-)
-
-/**
- * 工作区上下文 Provider
- * 管理当前激活的工作区状态，用于切换不同的侧边栏视图
- */
-export function WorkspaceProvider({ children }: { children: React.ReactNode }) {
-  const [activeWorkspace, setActiveWorkspace] =
-    React.useState<Workspace | null>(null)
-
-  const value = React.useMemo(
-    () => ({ activeWorkspace, setActiveWorkspace }),
-    [activeWorkspace]
-  )
-
-  return (
-    <WorkspaceContext.Provider value={value}>
-      {children}
-    </WorkspaceContext.Provider>
-  )
-}
-
-/**
- * 使用工作区上下文的 Hook
- * @throws 如果在 WorkspaceProvider 外部使用会抛出错误
- */
-export function useWorkspace() {
-  const context = React.useContext(WorkspaceContext)
-  if (!context) {
-    throw new Error('useWorkspace must be used within WorkspaceProvider')
-  }
-  return context
-}
@@ -17,10 +17,10 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
 For commercial licensing, please contact support@quantumnous.com
 */
 /**
- * Layout 组件统一导出
+ * Public surface of the Layout module.
 */

-// 核心组件
+// Core components
 export { AppHeader } from './components/app-header'
 export { AppSidebar } from './components/app-sidebar'
 export { AuthenticatedLayout } from './components/authenticated-layout'
@@ -34,41 +34,34 @@ export { Main } from './components/main'
 export { PageFooterPortal } from './components/page-footer'
 export { NavGroup } from './components/nav-group'
 export { SectionPageLayout } from './components/section-page-layout'
+export { SidebarViewHeader } from './components/sidebar-view-header'
 export { SystemBrand } from './components/system-brand'
 export { TopNav } from './components/top-nav'
 export { MobileDrawer } from './components/mobile-drawer'

-// 上下文
-export { WorkspaceProvider, useWorkspace } from './context/workspace-context'
-
-// 配置
-export {
-  getSystemSettingsNavGroups,
-  WORKSPACE_SYSTEM_SETTINGS_ID,
-} from './config/system-settings.config'
+// Configuration
+export { SYSTEM_SETTINGS_VIEW } from './config/system-settings.config'
 export { defaultTopNavLinks } from './config/top-nav.config'

-// 常量
+// Constants
 export { MOBILE_DRAWER_ANIMATION, MOBILE_DRAWER_CONFIG } from './constants'

-// 工具函数 - 工作区注册表
+// Sidebar view registry
 export {
-  getWorkspaceByPath,
  getNavGroupsForPath,
-  isInWorkspace,
-  getAllWorkspaces,
-  WORKSPACE_IDS,
-} from './lib/workspace-registry'
+  resolveSidebarView,
+} from './lib/sidebar-view-registry'

-// 类型导出（使用 type-only 导出避免与组件冲突）
+// Type exports (type-only to avoid conflicts with components above)
 export type {
-  Workspace,
-  NavLink,
  NavCollapsible,
-  NavItem,
  NavGroup as NavGroupType,
+  NavItem,
+  NavLink,
+  ResolvedSidebarView,
  SidebarData,
+  SidebarView,
+  SidebarViewParent,
  TopNavLink,
 } from './types'
-export type { WorkspaceConfig, WorkspaceId } from './lib/workspace-registry'
 export type { SectionPageLayoutProps } from './components/section-page-layout'
@@ -0,0 +1,58 @@
+/*
+Copyright (C) 2023-2026 QuantumNous
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+For commercial licensing, please contact support@quantumnous.com
+*/
+import { type TFunction } from 'i18next'
+import { SYSTEM_SETTINGS_VIEW } from '../config/system-settings.config'
+import type { NavGroup, SidebarView } from '../types'
+
+/**
+ * Registered nested sidebar views.
+ *
+ * Each entry describes a contextual sidebar that replaces the root
+ * navigation when the user enters that workspace (Vercel-style
+ * "drill-in" pattern). Add new entries here to register a new view.
+ *
+ * Match priority is array order; the first matching `pathPattern` wins.
+ */
+const SIDEBAR_VIEWS: readonly SidebarView[] = [SYSTEM_SETTINGS_VIEW]
+
+/**
+ * Resolve the active nested view for the given path.
+ *
+ * @returns Matching {@link SidebarView}, or `null` when the root
+ *          navigation should be displayed.
+ */
+export function resolveSidebarView(pathname: string): SidebarView | null {
+  return SIDEBAR_VIEWS.find((view) => view.pathPattern.test(pathname)) ?? null
+}
+
+/**
+ * Backwards-compatible helper for consumers (e.g. command palette) that
+ * just need the navigation groups for the current path, without caring
+ * about the view metadata.
+ *
+ * @returns Nav groups for the matched view, or `null` if no nested view
+ *          matches (callers should then fall back to root nav groups).
+ */
+export function getNavGroupsForPath(
+  pathname: string,
+  t: TFunction
+): NavGroup[] | null {
+  const view = resolveSidebarView(pathname)
+  return view ? view.getNavGroups(t) : null
+}
@@ -1,119 +0,0 @@
-/*
-Copyright (C) 2023-2026 QuantumNous
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-For commercial licensing, please contact support@quantumnous.com
-*/
-/**
- * 工作区注册表使用示例
- *
- * 本文件展示如何添加新工作区，仅作示例参考，不会被编译
- */
-
-/**
- * 步骤1: 创建工作区的侧边栏配置文件
- * 例如：web/src/components/layout/config/user-management.config.ts
- */
-/*
-import { Users, UserPlus, Shield } from 'lucide-react'
-import { type NavGroup } from '../types'
-
-export const userManagementConfig: NavGroup[] = [
-  {
-    title: 'User Management',
-    items: [
-      {
-        title: 'All Users',
-        url: '/user-management/list',
-        icon: Users,
-      },
-      {
-        title: 'Create User',
-        url: '/user-management/create',
-        icon: UserPlus,
-      },
-      {
-        title: 'Permissions',
-        url: '/user-management/permissions',
-        icon: Shield,
-      },
-    ],
-  },
-]
-*/
-
-/**
- * 步骤2: 在 workspace-registry.ts 中注册新工作区
- * 在 workspaceRegistry 数组中添加配置（在默认工作区之前）
- */
-/*
-import { userManagementConfig } from '../config/user-management.config'
-
-const workspaceRegistry: WorkspaceConfig[] = [
-  // System Settings 工作区
-  {
-    name: 'System Settings',
-    pathPattern: /^\/system-settings/,
-    navGroups: systemSettingsConfig,
-  },
-  // 新增的 User Management 工作区
-  {
-    name: 'User Management',
-    pathPattern: /^\/user-management/,  // 或使用字符串: '/user-management'
-    navGroups: userManagementConfig,
-  },
-  // 默认工作区（必须放在最后）
-  {
-    name: 'Default',
-    pathPattern: /.* /,
-    navGroups: sidebarConfig.navGroups,
-  },
-]
-*/
-
-/**
- * 步骤3: （可选）在 sidebar.config.ts 中添加工作区到切换器
- */
-/*
-export const sidebarConfig: SidebarData = {
-  workspaces: [
-    {
-      name: '',
-      logo: Command,
-      plan: '',
-    },
-    {
-      name: 'User Management',
-      logo: Users,
-      plan: 'Manage users',
-    },
-    {
-      name: 'System Settings',
-      logo: Settings,
-      plan: 'Manage and configure',
-    },
-  ],
-  navGroups: [...],
-}
-*/
-
-/**
- * 同语注：这里就完成了，现在：
- * - 侧边栏会根据当前路径自动切换显示对应的工作区菜单
- * - 搜索功能会自动显示当前工作区的菜单项
- * - 工作区切换器会显示新的工作区选项
- *
- * 无需修改任何其他文件！
- */
@@ -1,128 +0,0 @@
-/*
-Copyright (C) 2023-2026 QuantumNous
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-For commercial licensing, please contact support@quantumnous.com
-*/
-import { type TFunction } from 'i18next'
-import {
-  getSystemSettingsNavGroups,
-  WORKSPACE_SYSTEM_SETTINGS_ID,
-} from '../config/system-settings.config'
-import type { NavGroup } from '../types'
-
-export const WORKSPACE_IDS = {
-  SYSTEM_SETTINGS: WORKSPACE_SYSTEM_SETTINGS_ID,
-  DEFAULT: 'default',
-} as const
-
-export type WorkspaceId = (typeof WORKSPACE_IDS)[keyof typeof WORKSPACE_IDS]
-
-/**
- * Workspace configuration type
- * Each workspace contains name, path matching rules, and corresponding navigation group configuration
- */
-export type WorkspaceConfig = {
-  /** Workspace identifier (for logic) */
-  id: WorkspaceId
-  /** Workspace name */
-  name: string
-  /** Path matching rule, supports string (contains match) or regular expression */
-  pathPattern: string | RegExp
-  /** Sidebar navigation group configuration for this workspace */
-  getNavGroups?: (t: TFunction) => NavGroup[]
-}
-
-/**
- * Workspace registry
- *
- * Sorted by priority, first matched workspace will be used
- * Last one should be default workspace (matches all paths)
- *
- * @example
- * // Add new workspace
- * {
- *   name: 'User Management',
- *   pathPattern: /^\/user-management/,
- *   navGroups: userManagementConfig
- * }
- */
-const workspaceRegistry: WorkspaceConfig[] = [
-  // System Settings workspace
-  {
-    id: WORKSPACE_IDS.SYSTEM_SETTINGS,
-    name: 'System Settings',
-    pathPattern: /^\/system-settings/,
-    getNavGroups: getSystemSettingsNavGroups,
-  },
-  // Default workspace (must be last)
-  {
-    id: WORKSPACE_IDS.DEFAULT,
-    name: 'Default',
-    pathPattern: /.*/,
-    // getNavGroups is undefined, will be handled by consumers (e.g. useSidebarData)
-  },
-]
-
-/**
- * Get matched workspace configuration based on path
- * @param pathname - Current route path
- * @returns Matched workspace configuration
- */
-export function getWorkspaceByPath(pathname: string): WorkspaceConfig {
-  const workspace = workspaceRegistry.find((ws) => {
-    if (typeof ws.pathPattern === 'string') {
-      return pathname.includes(ws.pathPattern)
-    }
-    return ws.pathPattern.test(pathname)
-  })
-
-  // If no match, return default workspace (last one)
-  return workspace || workspaceRegistry[workspaceRegistry.length - 1]
-}
-
-/**
- * Get corresponding sidebar navigation group configuration based on path
- * @param pathname - Current route path
- * @returns Navigation group configuration for corresponding workspace
- */
-export function getNavGroupsForPath(
-  pathname: string,
-  t: TFunction
-): NavGroup[] | undefined {
-  const workspace = getWorkspaceByPath(pathname)
-  return workspace.getNavGroups?.(t)
-}
-
-/**
- * Determine if in specified workspace
- * @param pathname - Current route path
- * @param workspaceId - Workspace identifier
- * @returns Whether in specified workspace
- */
-export function isInWorkspace(
-  pathname: string,
-  workspaceId: WorkspaceId
-): boolean {
-  return getWorkspaceByPath(pathname).id === workspaceId
-}
-
-/**
- * Get all registered workspace configurations
- * @returns Array of workspace configurations
- */
-export function getAllWorkspaces(): WorkspaceConfig[] {
-  return workspaceRegistry
-}
@@ -17,17 +17,7 @@ along with this program. If not, see <https://www.gnu.org/licenses/>.
 For commercial licensing, please contact support@quantumnous.com
 */
 import { type LinkProps } from '@tanstack/react-router'
-
-/**
- * Workspace type
- * Used for top switcher to display different workspaces
- */
-export type Workspace = {
-  id: string
-  name: string
-  logo: React.ElementType
-  plan: string
-}
+import { type TFunction } from 'i18next'

 /**
 * Base navigation item type
@@ -82,10 +72,12 @@ export type NavGroup = {
 }

 /**
- * Sidebar data type
+ * Root sidebar data type
+ *
+ * Used by the default (top-level) sidebar view that lists primary
+ * application navigation (chat, dashboard, admin, etc).
 */
 export type SidebarData = {
-  workspaces: Workspace[]
  navGroups: NavGroup[]
 }

@@ -100,3 +92,45 @@ export type TopNavLink = {
  requiresAuth?: boolean
  external?: boolean
 }
+
+/**
+ * Back-navigation descriptor for a nested sidebar view
+ */
+export type SidebarViewParent = {
+  /** Destination URL for the back button */
+  to: LinkProps['to'] | (string & {})
+  /** Visible label, e.g. "Back to Dashboard" — already localized */
+  label: string
+}
+
+/**
+ * Nested sidebar view configuration
+ *
+ * A nested view replaces the root navigation when the user enters a
+ * dedicated workspace (e.g. System Settings). It models the modern
+ * Vercel / Cloudflare "drill-in" sidebar UX: clicking a top-level entry
+ * swaps the sidebar to a contextual view with a "Back" affordance.
+ */
+export type SidebarView = {
+  /** Stable identifier (also drives transition animation keys) */
+  id: string
+  /** Path matcher that activates this view */
+  pathPattern: RegExp
+  /** Back-navigation descriptor; required for nested views */
+  parent: SidebarViewParent
+  /** Nav group builder, called per render with the active translator */
+  getNavGroups: (t: TFunction) => NavGroup[]
+}
+
+/**
+ * Resolved sidebar view returned by `useSidebarView()`
+ *
+ * - `view === null`: root navigation (default sidebar)
+ * - `view !== null`: nested workspace view (renders header + back button)
+ */
+export type ResolvedSidebarView = {
+  /** Animation/identity key — falls back to a sentinel for the root view */
+  key: string
+  view: SidebarView | null
+  navGroups: NavGroup[]
+}
@@ -8,21 +8,32 @@ License, or (at your option) any later version.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Affero General Public License for more details.

 You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <https://www.gnu.org/licenses/>.
+along with this program.  If not, see <https://www.gnu.org/licenses/>.

 For commercial licensing, please contact support@quantumnous.com
 */
 import * as React from 'react'
-import { Command as CommandPrimitive } from 'cmdk'
-import { X } from 'lucide-react'
+import { Add01Icon } from '@hugeicons/core-free-icons'
+import { HugeiconsIcon } from '@hugeicons/react'
 import { useTranslation } from 'react-i18next'
-import { Badge } from '@/components/ui/badge'
-import { Button } from '@/components/ui/button'
-import { Command, CommandGroup, CommandItem } from '@/components/ui/command'
+import { cn } from '@/lib/utils'
+import {
+  Combobox,
+  ComboboxChip,
+  ComboboxChips,
+  ComboboxChipsInput,
+  ComboboxCollection,
+  ComboboxContent,
+  ComboboxEmpty,
+  ComboboxItem,
+  ComboboxList,
+  ComboboxValue,
+  useComboboxAnchor,
+} from '@/components/ui/combobox'

 export type Option = {
  label: string
@@ -35,116 +46,261 @@ interface MultiSelectProps {
  onChange: (values: string[]) => void
  placeholder?: string
  className?: string
+  allowCreate?: boolean
+  /**
+   * Label shown for the "create" item in the dropdown.
+   * Supports the `{{value}}` placeholder which is replaced with the typed input.
+   * Falls back to `Add "{{value}}"` when omitted.
+   */
+  createLabel?: string
+  /** Empty state text. Defaults to "No matching items". */
+  emptyText?: string
+  /** Optional `id` to wire labels/aria-describedby to the input. */
+  id?: string
+  /** Disable the entire control. */
+  disabled?: boolean
+  /**
+   * Limits rendered chips while keeping all values selected.
+   * Hidden values remain searchable/removable from the dropdown.
+   */
+  maxVisibleChips?: number
 }

-export function MultiSelect({
-  options,
-  selected,
-  onChange,
-  placeholder,
-  className,
-}: MultiSelectProps) {
-  const { t } = useTranslation()
-  const resolvedPlaceholder = placeholder ?? t('Select items...')
-  const inputRef = React.useRef<HTMLInputElement>(null)
-  const [open, setOpen] = React.useState(false)
-  const [inputValue, setInputValue] = React.useState('')
+const COMMA_REGEX = /[,，\n]/

-  const handleUnselect = (value: string) => {
-    onChange(selected.filter((s) => s !== value))
+function splitDraft(value: string): { completed: string[]; draft: string } {
+  if (!COMMA_REGEX.test(value)) {
+    return { completed: [], draft: value }
+  }
+  const normalized = value.replaceAll('，', ',').replaceAll('\n', ',')
+  const parts = normalized.split(',')
+  const draft = parts.at(-1) ?? ''
+  const completed = parts
+    .slice(0, -1)
+    .map((part) => part.trim())
+    .filter(Boolean)
+  return { completed, draft }
+}
+
+/**
+ * MultiSelect — tags/chips style multi-select built on Base UI Combobox.
+ *
+ * Behaviour:
+ * - Search filters built-in options (Base UI handles fuzzy filtering).
+ * - When `allowCreate` is true, custom values can be added inline:
+ *   - Type and press Enter / "," to add a single value.
+ *   - Paste a comma- (or newline-) separated list to add many at once.
+ *   - A "Add \"<value>\"" item appears at the top of the dropdown when the
+ *     typed text doesn't match any option.
+ * - Backspace on an empty input removes the last selected chip (Base UI default).
+ * - `maxVisibleChips` can cap large selections and show a compact "+N more"
+ *   summary so forms do not grow vertically without bound.
+ *
+ * Focus/border styling is inherited from `ComboboxChips`, which uses the same
+ * tokens as `Input` so it stays visually consistent with other form fields.
+ */
+export function MultiSelect(props: MultiSelectProps) {
+  const { t } = useTranslation()
+  const placeholder = props.placeholder ?? t('Select items...')
+
+  // Anchor the popup to the chips container so its width tracks the entire
+  // input row, not just the leftover space at the end of wrapped chips.
+  const chipsAnchorRef = useComboboxAnchor()
+
+  const [inputValue, setInputValue] = React.useState('')
+  const [open, setOpen] = React.useState(false)
+
+  const selectedSet = React.useMemo(
+    () => new Set(props.selected),
+    [props.selected]
+  )
+
+  // Lookup of value -> display label so chips and items can show friendly names
+  // even when the underlying option list changes (e.g. custom-added values).
+  const labelMap = React.useMemo(() => {
+    const map = new Map<string, string>()
+    for (const option of props.options) {
+      map.set(option.value, option.label)
+    }
+    return map
+  }, [props.options])
+
+  const trimmedInput = inputValue.trim()
+  const inputMatchesExisting =
+    trimmedInput.length > 0 &&
+    (selectedSet.has(trimmedInput) ||
+      props.options.some(
+        (option) =>
+          option.value.toLowerCase() === trimmedInput.toLowerCase() ||
+          option.label.toLowerCase() === trimmedInput.toLowerCase()
+      ))
+
+  const canCreate =
+    props.allowCreate === true &&
+    trimmedInput.length > 0 &&
+    !inputMatchesExisting
+
+  // We expose all known option values + every currently selected value to Base
+  // UI's items list. This way Base UI filters them by the search query and the
+  // user can still see the chip labels mapped correctly.
+  const items = React.useMemo(() => {
+    const set = new Set<string>(props.options.map((option) => option.value))
+    for (const value of props.selected) {
+      set.add(value)
+    }
+    if (canCreate) {
+      set.add(trimmedInput)
+    }
+    return Array.from(set)
+  }, [props.options, props.selected, canCreate, trimmedInput])
+
+  const addValues = React.useCallback(
+    (values: string[]) => {
+      const next: string[] = []
+      const seen = new Set<string>(props.selected)
+      for (const raw of values) {
+        const value = raw.trim()
+        if (!value) continue
+        if (seen.has(value)) continue
+        seen.add(value)
+        next.push(value)
+      }
+      if (next.length === 0) return
+      props.onChange([...props.selected, ...next])
+    },
+    [props]
+  )
+
+  const handleInputValueChange = (value: string) => {
+    if (!props.allowCreate) {
+      setInputValue(value)
+      return
+    }
+    const parsed = splitDraft(value)
+    if (parsed.completed.length > 0) {
+      addValues(parsed.completed)
+      setInputValue(parsed.draft)
+      return
+    }
+    setInputValue(value)
  }

-  const handleKeyDown = (e: React.KeyboardEvent<HTMLDivElement>) => {
-    const input = inputRef.current
-    if (input) {
-      if (e.key === 'Delete' || e.key === 'Backspace') {
-        if (input.value === '' && selected.length > 0) {
-          onChange(selected.slice(0, -1))
-        }
-      }
-      if (e.key === 'Escape') {
-        input.blur()
+  const handleValueChange = (next: string[]) => {
+    props.onChange(next)
+    // When an item is picked (multiple mode), Base UI keeps the input but most
+    // UX patterns clear it. Clearing once a value is added makes batch picking
+    // feel snappier and matches popular chip-style multiselects.
+    if (next.length > props.selected.length) {
+      setInputValue('')
+    }
+  }
+
+  const handleKeyDown = (event: React.KeyboardEvent<HTMLInputElement>) => {
+    // Enter without a highlighted option commits the typed value.
+    if (event.key === 'Enter' && props.allowCreate && canCreate) {
+      // Only fire when Base UI has no highlighted item to select. We rely on
+      // the highlighted item's data attribute on the popup. If the popup is
+      // closed or empty, manually commit the typed value.
+      const popup = document.querySelector<HTMLElement>(
+        '[data-slot="combobox-content"][data-open]'
+      )
+      const hasHighlight = popup?.querySelector('[data-highlighted]') != null
+      if (!hasHighlight) {
+        event.preventDefault()
+        addValues([trimmedInput])
+        setInputValue('')
      }
    }
  }

-  const selectables = options.filter(
-    (option) => !selected.includes(option.value)
-  )
-
  return (
-    <Command
-      onKeyDown={handleKeyDown}
-      className={`overflow-visible bg-transparent ${className || ''}`}
+    <Combobox
+      multiple
+      items={items}
+      value={props.selected}
+      onValueChange={handleValueChange}
+      inputValue={inputValue}
+      onInputValueChange={handleInputValueChange}
+      open={open}
+      onOpenChange={setOpen}
+      disabled={props.disabled}
    >
-      <div className='group border-input ring-offset-background focus-within:ring-ring rounded-md border px-3 py-2 text-sm focus-within:ring-2 focus-within:ring-offset-2'>
-        <div className='flex flex-wrap gap-1'>
-          {selected.map((value) => {
-            const option = options.find((o) => o.value === value)
+      <ComboboxChips
+        ref={chipsAnchorRef}
+        className={cn('w-full', props.className)}
+      >
+        <ComboboxValue>
+          {(values: string[]) => {
+            const visibleValues =
+              typeof props.maxVisibleChips === 'number'
+                ? values.slice(0, props.maxVisibleChips)
+                : values
+            const hiddenCount = values.length - visibleValues.length
+
            return (
-              <Badge key={value} variant='secondary'>
-                {option?.label || value}
-                <Button
-                  variant='ghost'
-                  size='icon-sm'
-                  aria-label='Remove'
-                  className='ml-1 size-auto p-0'
-                  onKeyDown={(e) => {
-                    if (e.key === 'Enter') {
-                      handleUnselect(value)
-                    }
-                  }}
-                  onMouseDown={(e) => {
-                    e.preventDefault()
-                    e.stopPropagation()
-                  }}
-                  onClick={() => handleUnselect(value)}
-                >
-                  <X
-                    className='text-muted-foreground hover:text-foreground h-3 w-3'
-                    aria-hidden='true'
-                  />
-                </Button>
-              </Badge>
+              <>
+                {visibleValues.map((value) => (
+                  <ComboboxChip key={value}>
+                    <span className='max-w-[16rem] truncate'>
+                      {labelMap.get(value) ?? value}
+                    </span>
+                  </ComboboxChip>
+                ))}
+                {hiddenCount > 0 && (
+                  <span className='bg-muted text-muted-foreground flex h-[calc(--spacing(5.25))] w-fit items-center justify-center rounded-sm px-1.5 text-xs font-medium whitespace-nowrap'>
+                    {t('+{{count}} more', { count: hiddenCount })}
+                  </span>
+                )}
+              </>
            )
-          })}
-          <CommandPrimitive.Input
-            ref={inputRef}
-            value={inputValue}
-            onValueChange={setInputValue}
-            onBlur={() => setOpen(false)}
-            onFocus={() => setOpen(true)}
-            placeholder={selected.length === 0 ? resolvedPlaceholder : ''}
-            className='placeholder:text-muted-foreground flex-1 bg-transparent outline-none'
-          />
-        </div>
-      </div>
-      <div className='relative'>
-        {open && selectables.length > 0 ? (
-          <div className='bg-popover text-popover-foreground animate-in absolute top-0 z-10 w-full rounded-md border shadow-md outline-none'>
-            <CommandGroup className='h-full max-h-60 overflow-auto'>
-              {selectables.map((option) => {
-                return (
-                  <CommandItem
-                    key={option.value}
-                    onMouseDown={(e) => {
-                      e.preventDefault()
-                      e.stopPropagation()
-                    }}
-                    onSelect={() => {
-                      setInputValue('')
-                      onChange([...selected, option.value])
-                    }}
-                    className='cursor-pointer'
-                  >
-                    {option.label}
-                  </CommandItem>
-                )
-              })}
-            </CommandGroup>
-          </div>
-        ) : null}
-      </div>
-    </Command>
+          }}
+        </ComboboxValue>
+        <ComboboxChipsInput
+          id={props.id}
+          placeholder={props.selected.length === 0 ? placeholder : undefined}
+          onKeyDown={handleKeyDown}
+          aria-label={placeholder}
+        />
+      </ComboboxChips>
+
+      <ComboboxContent anchor={chipsAnchorRef}>
+        <ComboboxList>
+          <ComboboxCollection>
+            {(item: string) => {
+              const isCreate = canCreate && item === trimmedInput
+              const label = labelMap.get(item) ?? item
+              return (
+                <ComboboxItem
+                  key={item}
+                  value={item}
+                  className={isCreate ? 'text-foreground' : undefined}
+                >
+                  {isCreate ? (
+                    <>
+                      <HugeiconsIcon
+                        icon={Add01Icon}
+                        strokeWidth={2}
+                        className='text-muted-foreground'
+                        aria-hidden='true'
+                      />
+                      <span className='truncate'>
+                        {props.createLabel
+                          ? t(props.createLabel, { value: item })
+                          : t('Add "{{value}}"', { value: item })}
+                      </span>
+                    </>
+                  ) : (
+                    <span className='truncate'>{label}</span>
+                  )}
+                </ComboboxItem>
+              )
+            }}
+          </ComboboxCollection>
+        </ComboboxList>
+        <ComboboxEmpty>
+          {props.emptyText ?? t('No matching items')}
+        </ComboboxEmpty>
+      </ComboboxContent>
+    </Combobox>
  )
 }
--- a/Show More
+++ b/Show More